[Xen-devel] [PATCH v2 1/2] xen: fix out-of-bounds irq unbind for MSI message groups

When an MSI descriptor was not available, the error path would try to
unbind an irq that was never acquired - potentially unbinding an
unrelated irq.

Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
Reported-by: Hooman Mirhadi <mirhadih@xxxxxxxxxx>
CC: <stable@xxxxxxxxxxxxxxx>
CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
CC: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
CC: Eduardo Valentin <eduval@xxxxxxxxxx>
CC: Juergen Gross <jgross@xxxxxxxx>
CC: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
CC: "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>
CC: Liu Shuo <shuo.a.liu@xxxxxxxxx>
CC: Anoob Soman <anoob.soman@xxxxxxxxxx>
Signed-off-by: Amit Shah <aams@xxxxxxxxxx>
 drivers/xen/events/events_base.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
index 1ab4bd1..c86d10e 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -755,8 +755,10 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct 
msi_desc *msidesc,
        return irq;
-       for (; i >= 0; i--)
+       while (i > 0) {
+               i--;
                __unbind_from_irq(irq + i);
+       }
        return ret;

