Current cleanup in the error path of xen_bind_pirq_msi_to_irq is wrong. First of all there's an off-by-one in the cleanup loop, which can lead to unbinding wrong IRQs.
Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
Note that there's no need to differentiate between bound and unbound IRQs when freeing them, __unbind_from_irq will deal with both of them correctly.
Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") Reported-by: Hooman Mirhadi mirhadih@amazon.com Signed-off-by: Roger Pau Monné roger.pau@citrix.com --- Cc: Boris Ostrovsky boris.ostrovsky@oracle.com Cc: Juergen Gross jgross@suse.com Cc: Amit Shah aams@amazon.com CC: stable@vger.kernel.org Cc: xen-devel@lists.xenproject.org --- drivers/xen/events/events_base.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index b241bfa529ce..159faf1269fb 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -763,8 +763,8 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc, mutex_unlock(&irq_mapping_update_lock); return irq; error_irq: - for (; i >= 0; i--) - __unbind_from_irq(irq + i); + while (nvec--) + __unbind_from_irq(irq + nvec); mutex_unlock(&irq_mapping_update_lock); return ret; }
On Mi, 2018-02-28 at 09:19 +0000, Roger Pau Monne wrote:
Current cleanup in the error path of xen_bind_pirq_msi_to_irq is wrong. First of all there's an off-by-one in the cleanup loop, which can lead to unbinding wrong IRQs.
Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
Note that there's no need to differentiate between bound and unbound IRQs when freeing them, __unbind_from_irq will deal with both of them correctly.
Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") Reported-by: Hooman Mirhadi mirhadih@amazon.com Signed-off-by: Roger Pau Monné roger.pau@citrix.com
Cc: Boris Ostrovsky boris.ostrovsky@oracle.com Cc: Juergen Gross jgross@suse.com Cc: Amit Shah aams@amazon.com CC: stable@vger.kernel.org Cc: xen-devel@lists.xenproject.org
drivers/xen/events/events_base.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index b241bfa529ce..159faf1269fb 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -763,8 +763,8 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc, mutex_unlock(&irq_mapping_update_lock); return irq; error_irq:
- for (; i >= 0; i--)
__unbind_from_irq(irq + i);
- while (nvec--)
__unbind_from_irq(irq + nvec);mutex_unlock(&irq_mapping_update_lock); return ret; }
Reviewed-by: Amit Shah aams@amazon.com
Amit
Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
On 02/28/2018 04:22 AM, Shah, Amit wrote:
On Mi, 2018-02-28 at 09:19 +0000, Roger Pau Monne wrote:
Current cleanup in the error path of xen_bind_pirq_msi_to_irq is wrong. First of all there's an off-by-one in the cleanup loop, which can lead to unbinding wrong IRQs.
Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
Note that there's no need to differentiate between bound and unbound IRQs when freeing them, __unbind_from_irq will deal with both of them correctly.
Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") Reported-by: Hooman Mirhadi mirhadih@amazon.com Signed-off-by: Roger Pau Monné roger.pau@citrix.com
Cc: Boris Ostrovsky boris.ostrovsky@oracle.com Cc: Juergen Gross jgross@suse.com Cc: Amit Shah aams@amazon.com CC: stable@vger.kernel.org Cc: xen-devel@lists.xenproject.org
drivers/xen/events/events_base.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index b241bfa529ce..159faf1269fb 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -763,8 +763,8 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc, mutex_unlock(&irq_mapping_update_lock); return irq; error_irq:
- for (; i >= 0; i--)
__unbind_from_irq(irq + i);
- while (nvec--)
__unbind_from_irq(irq + nvec);mutex_unlock(&irq_mapping_update_lock); return ret; }
Reviewed-by: Amit Shah aams@amazon.com
Reviewed-by: Boris Ostrovsky boris.ostrovsky@oracle.com
On 28/02/18 10:19, Roger Pau Monne wrote:
Current cleanup in the error path of xen_bind_pirq_msi_to_irq is wrong. First of all there's an off-by-one in the cleanup loop, which can lead to unbinding wrong IRQs.
Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
Note that there's no need to differentiate between bound and unbound IRQs when freeing them, __unbind_from_irq will deal with both of them correctly.
Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") Reported-by: Hooman Mirhadi mirhadih@amazon.com Signed-off-by: Roger Pau Monné roger.pau@citrix.com
Committed to xen/tip for-linus-4.16a
Juergen
On Mi, 2018-02-28 at 09:19 +0000, Roger Pau Monne wrote:
Current cleanup in the error path of xen_bind_pirq_msi_to_irq is wrong. First of all there's an off-by-one in the cleanup loop, which can lead to unbinding wrong IRQs.
Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
Note that there's no need to differentiate between bound and unbound IRQs when freeing them, __unbind_from_irq will deal with both of them correctly.
Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") Reported-by: Hooman Mirhadi mirhadih@amazon.com Signed-off-by: Roger Pau Monné roger.pau@citrix.com
Cc: Boris Ostrovsky boris.ostrovsky@oracle.com Cc: Juergen Gross jgross@suse.com Cc: Amit Shah aams@amazon.com CC: stable@vger.kernel.org Cc: xen-devel@lists.xenproject.org
The CC to stable got lost on commit, so this didn't actually make it to the stable queue. Can you please get it queued?
Thanks, Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
linux-stable-mirror@lists.linaro.org
-
Boris Ostrovsky -
Juergen Gross -
Roger Pau Monne -
Shah, Amit