From f15e006b831384aaec4b4f13265c0dff88ef09dd Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Tue, 22 Nov 2022 09:06:56 +0900 Subject: 9p/xen: do not memcpy header into req->rc while 'h' is packed and can be assumed to match the request payload, req->rc is a struct p9_fcall which is not packed and that memcpy could be wrong. Fix this by copying each fields individually instead. Reported-by: Christian Schoenebeck Reviewed-by: Christian Schoenebeck Suggested-by: Stefano Stabellini Reviewed-by: Stefano Stabellini Link: https://lkml.kernel.org/r/alpine.DEB.2.22.394.2211211454540.1049131@ubuntu-linux-20-04-desktop Link: https://lkml.kernel.org/r/20221122001025.119121-1-asmadeus@codewreck.org Signed-off-by: Dominique Martinet
---
 net/9p/trans_xen.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'net/9p')
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index aaa5fd364691..de2d2ca8819a 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -216,7 +216,9 @@ static void p9_xen_response(struct work_struct *work)
 goto recv_error;
 }
- memcpy(&req->rc, &h, sizeof(h));
+ req->rc.size = h.size;
+ req->rc.id = h.id;
+ req->rc.tag = h.tag;
 req->rc.offset = 0;
 masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring));
-- cgit v1.2.3
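Review bot: The three assignments that replace the memcpy have no comment explaining why the header is not copied wholesale, so a later cleanup could fold them back into `memcpy(&req->rc, &h, sizeof(h))`. A one-line comment above `req->rc.size = h.size;` would pin the reason, for example `/* h is the packed wire header; struct p9_fcall is not packed, so copy field by field */`. Separately, `h.size` is presumably read from the ring shared with the other end of the transport, and it becomes `req->rc.size` here and feeds the later packet read. It is worth confirming that the check ending in `goto recv_error;` just above bounds it against the receive buffer's capacity before these assignments run. That check and the rest of p9_xen_response lie outside the hunk, so this cannot be verified from the lines shown.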