On Mi, 2018-02-28 at 09:19 +0000, Roger Pau Monne wrote: > Current cleanup in the error path of xen_bind_pirq_msi_to_irq is > wrong. First of all there's an off-by-one in the cleanup loop, which > can lead to unbinding wrong IRQs. > > Secondly IRQs not bound won't be freed, thus leaking IRQ numbers. > > Note that there's no need to differentiate between bound and unbound > IRQs when freeing them, __unbind_from_irq will deal with both of them > correctly. > > Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") > Reported-by: Hooman Mirhadi <mirhadih@xxxxxxxxxx> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> > --- > Cc: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx> > Cc: Juergen Gross <jgross@xxxxxxxx> > Cc: Amit Shah <aams@xxxxxxxxxx> > CC: stable@xxxxxxxxxxxxxxx > Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx > --- > drivers/xen/events/events_base.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/xen/events/events_base.c > b/drivers/xen/events/events_base.c > index b241bfa529ce..159faf1269fb 100644 > --- a/drivers/xen/events/events_base.c > +++ b/drivers/xen/events/events_base.c > @@ -763,8 +763,8 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, > struct msi_desc *msidesc, > mutex_unlock(&irq_mapping_update_lock); > return irq; > error_irq: > - for (; i >= 0; i--) > - __unbind_from_irq(irq + i); > + while (nvec--) > + __unbind_from_irq(irq + nvec); > mutex_unlock(&irq_mapping_update_lock); > return ret; > } Reviewed-by: Amit Shah <aams@xxxxxxxxxx> Amit Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B