From patchwork Fri Jan 29 14:43:06 2016
X-Patchwork-Submitter: Auger Eric
X-Patchwork-Id: 60795
From: Eric Auger
To: eric.auger@st.com, eric.auger@linaro.org, alex.williamson@redhat.com, linux-arm-kernel@lists.infradead.org, christoffer.dall@linaro.org
Cc: patches@linaro.org, linux-kernel@vger.kernel.org
Subject: [PATCH] vfio: pci: fix oops in case of vfio_msi_set_vector_signal failure
Date: Fri, 29 Jan 2016 14:43:06 +0000
Message-Id: <1454078586-5431-1-git-send-email-eric.auger@linaro.org>
X-Mailer: git-send-email 1.9.1

In case vfio_msi_set_vector_signal fails we tear down everything. In the tear down loop we compare int j against unsigned start. Given the arithmetic conversion I think it is converted into an unsigned and becomes 0xffffffff, leading to the loop being entered again and things turn bad when accessing vdev->msix[vector].vector.

So let's use int parameters instead.

Signed-off-by: Eric Auger
---
 drivers/vfio/pci/vfio_pci_intrs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
1.9.1

diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c index 3b3ba15..510c48d 100644 --- a/drivers/vfio/pci/vfio_pci_intrs.c +++ b/drivers/vfio/pci/vfio_pci_intrs.c 
@@ -374,8 +374,8 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, return 0; } -static int vfio_msi_set_block(struct vfio_pci_device *vdev, unsigned start, - unsigned count, int32_t *fds, bool msix) +static int vfio_msi_set_block(struct vfio_pci_device *vdev, int start, + int count, int32_t *fds, bool msix) { int i, j, ret = 0;
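
Review bot: the new "int start, int count" parameters of vfio_msi_set_block() admit negative values, and nothing in this hunk rejects them before they reach the vdev->msix[vector] access that the commit message mentions. Either reject start < 0 or count < 0 at the top of the function, or keep both parameters unsigned and fix only the teardown comparison, for example by comparing j against (int)start, so the signature keeps stating that a vector index is never negative. The commit message could also drop the "I think": when int j is compared with unsigned start, the usual arithmetic conversions convert j to unsigned, so j == -1 is compared as 0xffffffff, which is the wrap-around the message describes.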