nvdimm: fix header pointer in nvdimm_build_nfit()

In the current nvdimm_build_nfit(), the pointer 'header' initially equals
to table_data->data + table_data->len. However, the following
g_array_append_vals(table_data, structures->data, structures->len)
may resize and relocate table_data->data[]. Therefore, the usage of 'header'
afterwards may be illegal.

This patch fixes this issue by storing an offset within table_data->data[]
(rather than an address) in 'header'.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

1 files changed, 5 insertions, 3 deletions

diff --git a/hw/acpi/nvdimm.c b/hw/acpi/nvdimm.c
index 9534418824..df1b176b8f 100644
--- a/hw/acpi/nvdimm.c
+++ b/hw/acpi/nvdimm.c
@@ -353,16 +353,18 @@ static void nvdimm_build_nfit(GSList *device_list, GArray *table_offsets,
                               GArray *table_data, GArray *linker)
 {
     GArray *structures = nvdimm_build_device_structure(device_list);
-    void *header;
+    unsigned int header;
 
     acpi_add_table(table_offsets, table_data);
 
     /* NFIT header. */
-    header = acpi_data_push(table_data, sizeof(NvdimmNfitHeader));
+    header = table_data->len;
+    acpi_data_push(table_data, sizeof(NvdimmNfitHeader));
     /* NVDIMM device structures. */
     g_array_append_vals(table_data, structures->data, structures->len);
 
-    build_header(linker, table_data, header, "NFIT",
+    build_header(linker, table_data,
+                 (void *)(table_data->data + header), "NFIT",
                  sizeof(NvdimmNfitHeader) + structures->len, 1, NULL);
     g_array_free(structures, true);
 }