From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932140AbcA2OnV (ORCPT ); Fri, 29 Jan 2016 09:43:21 -0500 Received: from mail-wm0-f43.google.com ([74.125.82.43]:33596 "EHLO mail-wm0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752841AbcA2OnT (ORCPT ); Fri, 29 Jan 2016 09:43:19 -0500 From: Eric Auger To: eric.auger@st.com, eric.auger@linaro.org, alex.williamson@redhat.com, linux-arm-kernel@lists.infradead.org, christoffer.dall@linaro.org Cc: patches@linaro.org, linux-kernel@vger.kernel.org Subject: [PATCH] vfio: pci: fix oops in case of vfio_msi_set_vector_signal failure Date: Fri, 29 Jan 2016 14:43:06 +0000 Message-Id: <1454078586-5431-1-git-send-email-eric.auger@linaro.org> X-Mailer: git-send-email 1.9.1 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In case vfio_msi_set_vector_signal fails we tear down everything. In the tear down loop we compare int j against unsigned start. Given the arithmetic conversion I think it is converted into an unsigned and becomes 0xffffffff, leading to the loop being entered again and things turn bad when accessing vdev->msix[vector].vector. So let's use int parameters instead. Signed-off-by: Eric Auger --- drivers/vfio/pci/vfio_pci_intrs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c index 3b3ba15..510c48d 100644 --- a/drivers/vfio/pci/vfio_pci_intrs.c +++ b/drivers/vfio/pci/vfio_pci_intrs.c @@ -374,8 +374,8 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, return 0; } -static int vfio_msi_set_block(struct vfio_pci_device *vdev, unsigned start, - unsigned count, int32_t *fds, bool msix) +static int vfio_msi_set_block(struct vfio_pci_device *vdev, int start, + int count, int32_t *fds, bool msix) { int i, j, ret = 0; -- 1.9.1
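Review bot: the hunk addresses the unsigned comparison only indirectly, by changing the types of `start` and `count` to `int`; the tear-down loop that compares the (visibly `int`) `j` against `start` lies outside the shown context, and the commit message itself hedges ("I think it is converted"). It would be more robust to make the loop independent of the parameter types, e.g. `for (j = i - 1; j >= (int)start; j--)` or a count-down from `i` to `start` that cannot go negative, so a later signature change cannot reintroduce the runaway loop. Worth confirming as well that the callers, which now pass unsigned values into `int` parameters, range-check `start`/`count` before this function is reached, and since the failure mode is an oops, a Fixes: tag and Cc: stable would be appropriate.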