Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2977540imu; Sun, 9 Dec 2018 14:08:10 -0800 (PST) X-Google-Smtp-Source: AFSGD/VNTnhC/DiFGwxrKo87QH2h+XbMmIzOiQowW8JnuJv061Kz/GTkCuhmkahydGjnsDT1+w/s X-Received: by 2002:a62:ae12:: with SMTP id q18mr10116293pff.126.1544393290494; Sun, 09 Dec 2018 14:08:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544393290; cv=none; d=google.com; s=arc-20160816; b=R7E+NoTXYULZaE/x0Y0033Va0UqnwyVlyXEkhLaYQ0CIHJHHEiyuIAYkXcw71cysgD FOSBtN56gCQc4bphIdAv5IUQeb+zZaWgy1c01lL1ZfvIC8RTQ9vXJD5hmKDMQEKty9aU weQffCY3K+O1VAAbSZjf2+QMVUeqH//Sd+vBNisZZ7ztk0DWofj8z73Q97A11E09C7qR 1V55+aIfgMSFqxqdYijXKTIV/Hl2YKfzdYW42RFZ44tB9bCmBCIPeWaifklsL1mB7azi jo8QE/MUrYf1umjUag9Rq4e67A1V6kFWoQ0DtIpOa0nV7Bt05GACC8RBRkyADbD6oSNU 5n7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=9hPREEEO+859RBX2lygb42JDS6F70IzZWcwozL8gzAk=; b=hjJJYq16MRkea6shENF+khgN+TtUl2+imKRo/CpKcdrg23qcS75LVy3QyrOhwtgudi 4Z/vUfOXSZS54ZGClR4wFoP9+x/9oRegdyfjvCE67Rv2YZjotjb1Eltrtkj65bEytsZA jiwgbziXPD9UGQj7/jJjXv1tBVUvUa5dIyu/f8RNLFnGjDzspPVmLVMrDymWO5/i+blM jfRnwsCRY/2orflrYRUu8DwFIQCBmACA/KOjkEwvD+wnWjzB07hGqAN/KCvB3YKJF7dr pJWuKJuSgUorOGHJ1w9lV22h23mAOaJQXNJSlD05vj7qLIjC6EPiEXXbmZdrZO4agCAM giig== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 39si9008662plc.153.2018.12.09.14.07.47; Sun, 09 Dec 2018 14:08:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727730AbeLIWGO (ORCPT + 99 others); Sun, 9 Dec 2018 17:06:14 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:37054 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726962AbeLIWGL (ORCPT ); Sun, 9 Dec 2018 17:06:11 -0500 Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gW73C-0002iZ-7v; Sun, 09 Dec 2018 21:55:46 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gW72d-0003Ot-Ni; Sun, 09 Dec 2018 21:55:11 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Heiko Carstens" , "Sebastian Ott" Date: Sun, 09 Dec 2018 21:50:33 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 143/328] s390/pci: fix out of bounds access during irq setup In-Reply-To: X-SA-Exim-Connect-IP: 81.174.156.145 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Sebastian Ott commit 866f3576a72b2233a76dffb80290f8086dc49e17 upstream. During interrupt setup we allocate interrupt vectors, walk the list of msi descriptors, and fill in the message data. Requesting more interrupts than supported on s390 can lead to an out of bounds access. When we restrict the number of interrupts we should also stop walking the msi list after all supported interrupts are handled. Signed-off-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Ben Hutchings --- arch/s390/pci/pci.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/s390/pci/pci.c +++ b/arch/s390/pci/pci.c @@ -397,6 +397,8 @@ int arch_setup_msi_irqs(struct pci_dev * hwirq = 0; list_for_each_entry(msi, &pdev->msi_list, list) { rc = -EIO; + if (hwirq >= msi_vecs) + break; irq = irq_alloc_desc(0); /* Alloc irq on node 0 */ if (irq < 0) goto out_msi;