min(pmpt->perf.state_count, op->u.getpx.total) == op->u.getpx.total can
be expressed differently as pmpt->perf.state_count >= op->u.getpx.total.
Copying when the two are equal is fine; (partial) copying when the state
count is larger than the number of array elements that a buffer was
allocated to hold is what - as per the comment - we mean to avoid. Drop
the use of min() again, but retain its effect for the subsequent copying
from pxpt->u.pt.

Fixes: aa70996a6896 ("x86/pmstat: Check size of PMSTAT_get_pxstat buffers")
Reported-by: Andrew Cooper <andrew.coop...@citrix.com>
Signed-off-by: Jan Beulich <jbeul...@suse.com>

--- a/xen/drivers/acpi/pmstat.c
+++ b/xen/drivers/acpi/pmstat.c
@@ -272,11 +272,14 @@ int do_get_pm_info(struct xen_sysctl_get
 
         cpufreq_residency_update(op->cpuid, pxpt->u.cur);
 
-        ct = min(pmpt->perf.state_count, op->u.getpx.total + 0U);
-
-        /* Avoid partial copying of 2-D array */
-        if ( ct == op->u.getpx.total &&
-             copy_to_guest(op->u.getpx.trans_pt, pxpt->u.trans_pt, ct * ct) )
+        /*
+         * Avoid partial copying of 2-D array, whereas partial copying of a
+         * simple vector (further down) is deemed okay.
+         */
+        ct = pmpt->perf.state_count;
+        if ( ct > op->u.getpx.total )
+            ct = op->u.getpx.total;
+        else if ( copy_to_guest(op->u.getpx.trans_pt, pxpt->u.trans_pt, ct * 
ct) )
         {
             spin_unlock(cpufreq_statistic_lock);
             ret = -EFAULT;
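Review bot: the new `else if` at the trans_pt copy widens the condition under which the 2-D array is copied from `ct == op->u.getpx.total` (old code) to `state_count <= total`, so the strictly-smaller case that the old check excluded now copies `ct * ct` elements into a guest buffer the guest sized for `total` entries per row. The commit message only argues that the equal case is fine and that the larger case must be avoided; if the guest interprets the buffer as a `total x total` matrix rather than `state_count x state_count`, a row-stride mismatch results, so either the description should state why the smaller case is safe or the condition should keep the equality test, e.g. `else if ( ct == op->u.getpx.total && copy_to_guest(...) )`. Also note that the clamped path silently skips the trans_pt copy without reporting it to the caller, which was already the case before this change but may be worth a sentence in the new comment.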
