On 02/28/2018 04:22 AM, Shah, Amit wrote: > On Mi, 2018-02-28 at 09:19 +0000, Roger Pau Monne wrote: >> Current cleanup in the error path of xen_bind_pirq_msi_to_irq is >> wrong. First of all there's an off-by-one in the cleanup loop, which >> can lead to unbinding wrong IRQs. >> >> Secondly IRQs not bound won't be freed, thus leaking IRQ numbers. >> >> Note that there's no need to differentiate between bound and unbound >> IRQs when freeing them, __unbind_from_irq will deal with both of them >> correctly. >> >> Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") >> Reported-by: Hooman Mirhadi <mirhadih@xxxxxxxxxx> >> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> >> --- >> Cc: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx> >> Cc: Juergen Gross <jgross@xxxxxxxx> >> Cc: Amit Shah <aams@xxxxxxxxxx> >> CC: stable@xxxxxxxxxxxxxxx >> Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx >> --- >> drivers/xen/events/events_base.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/xen/events/events_base.c >> b/drivers/xen/events/events_base.c >> index b241bfa529ce..159faf1269fb 100644 >> --- a/drivers/xen/events/events_base.c >> +++ b/drivers/xen/events/events_base.c >> @@ -763,8 +763,8 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, >> struct msi_desc *msidesc, >> mutex_unlock(&irq_mapping_update_lock); >> return irq; >> error_irq: >> - for (; i >= 0; i--) >> - __unbind_from_irq(irq + i); >> + while (nvec--) >> + __unbind_from_irq(irq + nvec); >> mutex_unlock(&irq_mapping_update_lock); >> return ret; >> } > Reviewed-by: Amit Shah <aams@xxxxxxxxxx> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>