In grow_gnttab_list(), 'i' is 'unsigned int', and 'nr_glist_frames' may be 0 because 'nr_grant_frames' may be 0. So 'i' may never be less than 'nr_glist_frames' in failure processing, which cause infinite looping.
Signed-off-by: Chen Gang <[email protected]> --- drivers/xen/grant-table.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index c254ae0..be07645 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -592,8 +592,8 @@ static int grow_gnttab_list(unsigned int more_frames) return 0; grow_nomem: - for ( ; i >= nr_glist_frames; i--) - free_page((unsigned long) gnttab_list[i]); + while (i > nr_glist_frames) + free_page((unsigned long) gnttab_list[--i]); return -ENOMEM; } -- 1.9.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
