From 300b71c3cf9fab49ea52c9695bcf29271b34b26e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 10 Apr 2013 15:27:07 -0700
Subject: [PATCH] 3.8-stable patches

added patches:
      vfio-pci-fix-possible-integer-overflow.patch
---
 queue-3.8/series | 1 +
 ...io-pci-fix-possible-integer-overflow.patch | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 queue-3.8/vfio-pci-fix-possible-integer-overflow.patch

diff --git a/queue-3.8/series b/queue-3.8/series
index 5541e0b2861..619eb4f721e 100644
--- a/queue-3.8/series
+++ b/queue-3.8/series
@@ -57,3 +57,4 @@ drm-i915-add-quirk-to-invert-brightness-on-emachines-g725.patch
 drm-i915-add-quirk-to-invert-brightness-on-emachines-e725.patch
 drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch
 r8169-fix-auto-speed-down-issue.patch
+vfio-pci-fix-possible-integer-overflow.patch
diff --git a/queue-3.8/vfio-pci-fix-possible-integer-overflow.patch b/queue-3.8/vfio-pci-fix-possible-integer-overflow.patch
new file mode 100644
index 00000000000..dcc2177cbf7
--- /dev/null
+++ b/queue-3.8/vfio-pci-fix-possible-integer-overflow.patch
@@ -0,0 +1,42 @@
+From 904c680c7bf016a8619a045850937427f8d7368c Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Tue, 26 Mar 2013 11:33:16 -0600
+Subject: vfio-pci: Fix possible integer overflow
+
+From: Alex Williamson
+
+commit 904c680c7bf016a8619a045850937427f8d7368c upstream.
+
+The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
+of which are unsigned. We attempt to bounds check these, but fail to
+account for the case where start is a very large number, allowing
+start + count to wrap back into the valid range. Bounds check both
+start and start + count.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Alex Williamson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vfio/pci/vfio_pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -331,6 +331,7 @@ static long vfio_pci_ioctl(void *device_
+ 
+ if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
+ size_t size;
++ int max = vfio_pci_get_irq_count(vdev, hdr.index);
+ 
+ if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
+ size = sizeof(uint8_t);
+@@ -340,7 +341,7 @@ static long vfio_pci_ioctl(void *device_
+ return -EINVAL;
+ 
+ if (hdr.argsz - minsz < hdr.count * size ||
+- hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
++ hdr.start >= max || hdr.start + hdr.count > max)
+ return -EINVAL;
+ 
+ data = memdup_user((void __user *)(arg + minsz),
-- 
2.47.3
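Review bot: The replacement condition `hdr.start >= max || hdr.start + hdr.count > max` still forms `hdr.start + hdr.count` in unsigned arithmetic, so a count near the top of the unsigned range can wrap that sum back below max even though start alone is now validated; since the message states both fields are unsigned, the second term is safer written without the addition, `hdr.start >= max || hdr.count > max - hdr.start`, which cannot wrap once start < max has been established. The check also compares an `int` max against unsigned fields, so if vfio_pci_get_irq_count can ever return a negative value it would be promoted to a large unsigned and the test would pass — worth confirming it cannot, or rejecting `max <= 0` explicitly. The preceding `hdr.argsz - minsz < hdr.count * size` test may already reject most oversized counts on 64-bit builds, but the IRQ range check should not depend on that. The enclosing vfio_pci_ioctl starts and ends outside this hunk.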