On 9/15/20 8:42 PM, Souptick Joarder wrote:
There is an error when pin_user_pages_fast() returns -ERRNO and
inside error handling path driver end up calling unpin_user_pages()
with -ERRNO which is not correct.
> This patch will fix the problem.
How about:
rio_dma_transfer() attempts to clamp the return value of
pin_user_pages_fast() to be >= 0. However, the attempt fails because
nr_pages is overridden a few lines later, and restored to the
undesirable -ERRNO value.
The return value is ultimately stored in nr_pages, which in turn is
passed to unpin_user_pages(), which expects nr_pages >= 0, else,
disaster.
Fix this by fixing the nesting of the assignment to nr_pages: nr_pages
should be clamped to zero if pin_user_pages_fast() returns -ERRNO, or
set to the return value of pin_user_pages_fast(), otherwise.
Fixes: e8de370188d09 ("rapidio: add mport char device driver")
Signed-off-by: Souptick Joarder <jrdr.li...@gmail.com>
Cc: Ira Weiny <ira.we...@intel.com>
Cc: John Hubbard <jhubb...@nvidia.com>
Cc: Matthew Wilcox <wi...@infradead.org>
---
drivers/rapidio/devices/rio_mport_cdev.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/rapidio/devices/rio_mport_cdev.c
b/drivers/rapidio/devices/rio_mport_cdev.c
index a303429..163b6c72 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -871,15 +871,16 @@ static int do_dma_request(struct mport_dma_req *req,
rmcd_error("pin_user_pages_fast err=%ld",
pinned);
nr_pages = 0;
- } else
+ } else {
rmcd_error("pinned %ld out of %ld pages",
pinned, nr_pages);
+ /*
+ * Set nr_pages up to mean "how many pages to
unpin, in
+ * the error handler:
+ */
+ nr_pages = pinned;
+ }
ret = -EFAULT;
- /*
- * Set nr_pages up to mean "how many pages to unpin, in
- * the error handler:
- */
- nr_pages = pinned;
goto err_pg;
}
Reviewed-by: John Hubbard <jhubb...@nvidia.com>
thanks,
--
John Hubbard
NVIDIA
