From: Colin Ian King <colin.k...@canonical.com>

Integer index i needs to be a signed int rather than unsigned to avoid a wrap-around when decrementing in the while loop. For example, if the debugfs_create_file fails when i is zero, the current situation will predecrement i in the while loop, wrapping i to the maximum signed integer and cause multiple out of bounds reads on dfs_fls[i].d as the loop iterates to zero.
Also add (int) cast to fix warning that the original fix attempted to fix. Fixes: 7cc4ef8ed132 ("x86/RAS/mce_amd_inj: Fix some W= warnings") Signed-off-by: Colin Ian King <colin.k...@canonical.com> --- arch/x86/ras/mce_amd_inj.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/ras/mce_amd_inj.c b/arch/x86/ras/mce_amd_inj.c index cd318d9..cb9779a 100644 --- a/arch/x86/ras/mce_amd_inj.c +++ b/arch/x86/ras/mce_amd_inj.c @@ -440,7 +440,7 @@ static struct dfs_node { static int __init init_mce_inject(void) { - unsigned int i; + int i; u64 cap; rdmsrl(MSR_IA32_MCG_CAP, cap); @@ -450,7 +450,7 @@ static int __init init_mce_inject(void) if (!dfs_inj) return -EINVAL; - for (i = 0; i < ARRAY_SIZE(dfs_fls); i++) { + for (i = 0; i < (int)ARRAY_SIZE(dfs_fls); i++) { dfs_fls[i].d = debugfs_create_file(dfs_fls[i].name, dfs_fls[i].perm, dfs_inj, -- 2.9.3
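Review bot: In the first hunk (the declaration in init_mce_inject()), the changelog does not match the type being removed. The old line is "unsigned int i;", so a predecrement from zero wraps to the maximum unsigned value, not "the maximum signed integer". Please reword the changelog so the out-of-bounds index it describes matches the code. The while loop that the changelog blames is also outside both hunks' context, so the fix cannot be checked from this diff alone. Quoting that loop in the changelog would let a reader confirm that its condition terminates correctly once i is signed.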
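Review bot: In the second hunk, the "(int)ARRAY_SIZE(dfs_fls)" cast in the for condition exists only to silence the signed/unsigned comparison warning that the switch to "int i" brings back. It is harmless here because ARRAY_SIZE() of a static table is a compile-time constant, but it is a narrowing cast that every later reader has to re-justify. Consider keeping "unsigned int i" and instead writing the unwind loop described in the changelog as a post-decrement test such as "while (i--)". That form cannot wrap when creation fails at i == 0 and needs no cast in this loop. If the signed index stays, a short comment on why the cast is safe would help.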