xen/21492-x86-pirq-unbind.patch

# HG changeset patch
# User Keir Fraser <keir.fraser@citrix.com>
# Date 1275040447 -3600
# Node ID 96917cf25bf3ad42c6b6cddb7ff4f03857ae9619
# Parent  95acf74586d782d8d4d39016b3426a1eae127e97
x86: Fix guest-pointer-array memmove in __pirq_guest_unbind().

Thanks to Alex Zefefrt for finding this.

Signed-off-by: Keir Fraser <keir.fraser@citrix.com>

--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -1242,7 +1242,8 @@ static irq_guest_action_t *__pirq_guest_
     for ( i = 0; (i < action->nr_guests) && (action->guest[i] != d); i++ )
         continue;
     BUG_ON(i == action->nr_guests);
-    memmove(&action->guest[i], &action->guest[i+1], IRQ_MAX_GUESTS-i-1);
+    memmove(&action->guest[i], &action->guest[i+1],
+            (action->nr_guests-i-1) * sizeof(action->guest[0]));
     action->nr_guests--;
 
     switch ( action->ack_type )