From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934285AbcIPLYZ (ORCPT <rfc822;w@1wt.eu>);
        Fri, 16 Sep 2016 07:24:25 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:58122 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S934367AbcIPLYF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 16 Sep 2016 07:24:05 -0400
From: Colin King <colin.king@canonical.com>
To: Borislav Petkov <bp@suse.de>,
        Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>,
        Yazen Ghannam <Yazen.Ghannam@amd.com>,
        Peter Zijlstra <peterz@infradead.org>
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH][V2][Fix commit message] x86/RAS/mce_amd_inj: fix signed wrap around when decrementing index i
Date: Fri, 16 Sep 2016 12:22:23 +0100
Message-Id: <20160916112223.32398-1-colin.king@canonical.com>
X-Mailer: git-send-email 2.9.3
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Colin Ian King <colin.king@canonical.com>

Integer index i needs to be a signed int rather than unsigned to avoid
a wrap-around when decrementing in the while loop.  For example, if the
debugfs_create_file fails when i is zero, the current situation will
predecrement i in the while loop, wrapping i to the maximum signed
integer and cause multiple out of bounds reads on dfs_fls[i].d as
the loop interates to zero.

Also add (int) cast to fix warning that the original fix attempted
to fix.

Fixes: 7cc4ef8ed132 ("x86/RAS/mce_amd_inj: Fix some W= warnings")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 arch/x86/ras/mce_amd_inj.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/ras/mce_amd_inj.c b/arch/x86/ras/mce_amd_inj.c
index cd318d9..cb9779a 100644
--- a/arch/x86/ras/mce_amd_inj.c
+++ b/arch/x86/ras/mce_amd_inj.c
@@ -440,7 +440,7 @@ static struct dfs_node {
 
 static int __init init_mce_inject(void)
 {
-	unsigned int i;
+	int i;
 	u64 cap;
 
 	rdmsrl(MSR_IA32_MCG_CAP, cap);
@@ -450,7 +450,7 @@ static int __init init_mce_inject(void)
 	if (!dfs_inj)
 		return -EINVAL;
 
-	for (i = 0; i < ARRAY_SIZE(dfs_fls); i++) {
+	for (i = 0; i < (int)ARRAY_SIZE(dfs_fls); i++) {
 		dfs_fls[i].d = debugfs_create_file(dfs_fls[i].name,
 						    dfs_fls[i].perm,
 						    dfs_inj,
-- 
2.9.3