[PATCH v2 1/2] xen: fix out-of-bounds irq unbind for MSI message groups

From: Amit Shah
Date: Tue Feb 27 2018 - 10:56:30 EST


When an MSI descriptor was not available, the error path would try to
unbind an irq that was never acquired - potentially unbinding an
unrelated irq.

Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
Reported-by: Hooman Mirhadi <mirhadih@xxxxxxxxxx>
CC: <stable@xxxxxxxxxxxxxxx>
CC: Roger Pau Monnà <roger.pau@xxxxxxxxxx>
CC: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
CC: Eduardo Valentin <eduval@xxxxxxxxxx>
CC: Juergen Gross <jgross@xxxxxxxx>
CC: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
CC: "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>
CC: Liu Shuo <shuo.a.liu@xxxxxxxxx>
CC: Anoob Soman <anoob.soman@xxxxxxxxxx>
Signed-off-by: Amit Shah <aams@xxxxxxxxxx>
---
drivers/xen/events/events_base.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
index 1ab4bd1..c86d10e 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -755,8 +755,10 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc,
mutex_unlock(&irq_mapping_update_lock);
return irq;
error_irq:
- for (; i >= 0; i--)
+ while (i > 0) {
+ i--;
__unbind_from_irq(irq + i);
+ }
mutex_unlock(&irq_mapping_update_lock);
return ret;
}
--
2.7.3.AMZN

Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B