From: Colin Ian King Date: Mon, 26 Sep 2016 08:31:51 +0000 (+0200) Subject: x86/RAS/mce_amd_inj: Fix signed wrap around when decrementing index 'i' X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=8b44f00f8c952ab6eb658090383571b2ec7d253f;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git x86/RAS/mce_amd_inj: Fix signed wrap around when decrementing index 'i' Change predecrement compare to post decrement compare to avoid an unsigned integer wrap-around comparisomn when decrementing in the while loop. For example, if the debugfs_create_file() fails when 'i' is zero, the current situation will predecrement 'i' in the while loop, wrapping 'i' to the maximum signed integer and cause multiple out of bounds reads on dfs_fls[i].d as the loop interates to zero. Also, as Borislav Petkov suggested, return -ENODEV rather than -ENOMEM on the error condition. Signed-off-by: Colin Ian King Signed-off-by: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Yazen Ghannam Link: http://lkml.kernel.org/r/20160926083152.30848-2-bp@alien8.de Signed-off-by: Ingo Molnar --- diff --git a/arch/x86/ras/mce_amd_inj.c b/arch/x86/ras/mce_amd_inj.c index cd318d93099e..20b227f63407 100644 --- a/arch/x86/ras/mce_amd_inj.c +++ b/arch/x86/ras/mce_amd_inj.c @@ -464,13 +464,13 @@ static int __init init_mce_inject(void) return 0; err_dfs_add: - while (--i >= 0) + while (i-- > 0) debugfs_remove(dfs_fls[i].d); debugfs_remove(dfs_inj); dfs_inj = NULL; - return -ENOMEM; + return -ENODEV; } static void __exit exit_mce_inject(void)