On 02/28/2018 04:22 AM, Shah, Amit wrote:
On Mi, 2018-02-28 at 09:19 +0000, Roger Pau Monne wrote:
Current cleanup in the error path of xen_bind_pirq_msi_to_irq is wrong. First of all there's an off-by-one in the cleanup loop, which can lead to unbinding wrong IRQs.
Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
Note that there's no need to differentiate between bound and unbound IRQs when freeing them, __unbind_from_irq will deal with both of them correctly.
Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") Reported-by: Hooman Mirhadi mirhadih@amazon.com Signed-off-by: Roger Pau Monné roger.pau@citrix.com
Cc: Boris Ostrovsky boris.ostrovsky@oracle.com Cc: Juergen Gross jgross@suse.com Cc: Amit Shah aams@amazon.com CC: stable@vger.kernel.org Cc: xen-devel@lists.xenproject.org
drivers/xen/events/events_base.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index b241bfa529ce..159faf1269fb 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -763,8 +763,8 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc, mutex_unlock(&irq_mapping_update_lock); return irq; error_irq:
- for (; i >= 0; i--)
__unbind_from_irq(irq + i);
- while (nvec--)
__unbind_from_irq(irq + nvec);mutex_unlock(&irq_mapping_update_lock); return ret; }
Reviewed-by: Amit Shah aams@amazon.com
Reviewed-by: Boris Ostrovsky boris.ostrovsky@oracle.com