From 7478b7e01f42ff452926ce915c895f515390a45d Mon Sep 17 00:00:00 2001
From: Justin M. Forbes <jforbes@redhat.com>
Date: Mar 23 2017 18:04:21 +0000
Subject: Fix virtio devices (rhbz 1430297)


---

diff --git a/kernel.spec b/kernel.spec
index 468dc05..89b1a6c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -608,6 +608,9 @@ Patch667: v3-Revert-tty-serial-pl011-add-ttyAMA-for-matching-pl011-console.patch
 # Fix crda rhbz 1422247
 Patch668: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
 
+# Fix virtio devices rhbz 1430297
+Patch669: virtio_pci-fix-out-of-bound-access-for-msix_names.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2172,6 +2175,9 @@ fi
 #
 #
 %changelog
+* Thu Mar 23 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix virtio devices (rhbz 1430297)
+
 * Wed Mar 22 2017 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix crda (rhbz 1422247)
 
diff --git a/virtio_pci-fix-out-of-bound-access-for-msix_names.patch b/virtio_pci-fix-out-of-bound-access-for-msix_names.patch
new file mode 100644
index 0000000..d876766
--- /dev/null
+++ b/virtio_pci-fix-out-of-bound-access-for-msix_names.patch
@@ -0,0 +1,56 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 23 Mar 2017 13:07:16 +0800
+Subject: [PATCH] virtio_pci: fix out of bound access for msix_names
+
+---
+ drivers/virtio/virtio_pci_common.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
+index df548a6..5905349 100644
+--- a/drivers/virtio/virtio_pci_common.c
++++ b/drivers/virtio/virtio_pci_common.c
+@@ -147,7 +147,7 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
+ {
+ 	struct virtio_pci_device *vp_dev = to_vp_device(vdev);
+ 	const char *name = dev_name(&vp_dev->vdev.dev);
+-	int i, err = -ENOMEM, allocated_vectors, nvectors;
++	int i, j, err = -ENOMEM, allocated_vectors, nvectors;
+ 	unsigned flags = PCI_IRQ_MSIX;
+ 	bool shared = false;
+ 	u16 msix_vec;
+@@ -212,7 +212,7 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
+ 	if (!vp_dev->msix_vector_map)
+ 		goto out_disable_config_irq;
+ 
+-	allocated_vectors = 1; /* vector 0 is the config interrupt */
++	allocated_vectors = j = 1; /* vector 0 is the config interrupt */
+ 	for (i = 0; i < nvqs; ++i) {
+ 		if (!names[i]) {
+ 			vqs[i] = NULL;
+@@ -236,18 +236,19 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
+ 			continue;
+ 		}
+ 
+-		snprintf(vp_dev->msix_names[i + 1],
++		snprintf(vp_dev->msix_names[j],
+ 			 sizeof(*vp_dev->msix_names), "%s-%s",
+ 			 dev_name(&vp_dev->vdev.dev), names[i]);
+ 		err = request_irq(pci_irq_vector(vp_dev->pci_dev, msix_vec),
+ 				  vring_interrupt, IRQF_SHARED,
+-				  vp_dev->msix_names[i + 1], vqs[i]);
++				  vp_dev->msix_names[j], vqs[i]);
+ 		if (err) {
+ 			/* don't free this irq on error */
+ 			vp_dev->msix_vector_map[i] = VIRTIO_MSI_NO_VECTOR;
+ 			goto out_remove_vqs;
+ 		}
+ 		vp_dev->msix_vector_map[i] = msix_vec;
++		j++;
+ 
+ 		/*
+ 		 * Use a different vector for each queue if they are available,
+-- 
+2.7.4
+
+