[PATCH] powerpc/book3s64: Fix error handling in mm_iommu_do_alloc()
Jan Kara
jack at suse.cz
Fri Dec 20 20:57:00 AEDT 2019
On Fri 20-12-19 16:06:05, Alexey Kardashevskiy wrote:
>
>
> On 11/12/2019 21:42, Jan Kara wrote:
> > The last jump to free_exit in mm_iommu_do_alloc() happens after page
> > pointers in struct mm_iommu_table_group_mem_t were already converted to
> > physical addresses. Thus calling put_page() on these physical addresses
> > will likely crash. Convert physical addresses back to page pointers
> > during the error cleanup.
> >
> > Signed-off-by: Jan Kara <jack at suse.cz>
> > ---
> > arch/powerpc/mm/book3s64/iommu_api.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > Beware, this is completely untested, spotted just by code audit.
> >
> > diff --git a/arch/powerpc/mm/book3s64/iommu_api.c b/arch/powerpc/mm/book3s64/iommu_api.c
> > index 56cc84520577..06c403381c9c 100644
> > --- a/arch/powerpc/mm/book3s64/iommu_api.c
> > +++ b/arch/powerpc/mm/book3s64/iommu_api.c
> > @@ -154,7 +154,7 @@ static long mm_iommu_do_alloc(struct mm_struct *mm, unsigned long ua,
> > (mem2->entries << PAGE_SHIFT)))) {
> > ret = -EINVAL;
> > mutex_unlock(&mem_list_mutex);
> > - goto free_exit;
> > + goto convert_exit;
> > }
> > }
> >
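Review bot: the redirected `goto convert_exit` in this branch has no comment saying why this error path differs from the earlier ones. A one-line note that the entries already hold physical addresses at this point would help the next reader. Since this is the only jump the patch redirects, the conversion could also be done inline here, after `mutex_unlock(&mem_list_mutex);`, keeping `goto free_exit` and avoiding a second cleanup label.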
> > @@ -166,6 +166,9 @@ static long mm_iommu_do_alloc(struct mm_struct *mm, unsigned long ua,
> >
> > return 0;
> >
> > +convert_exit:
> > + for (i = 0; i < pinned; i++)
> > + mem->hpages[i] = pfn_to_page(mem->hpas[i] >> PAGE_SHIFT);
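Review bot: the loop under `convert_exit` is bounded by `pinned`, and nothing visible in the hunk shows that `pinned` is exactly the number of entries that were converted to physical addresses. If the forward conversion covers a different count, this either converts slots that never held an address or leaves some unconverted before they are released, so please confirm that the bound matches the forward loop. The label also sits directly after `return 0;` and relies on falling through into the existing cleanup, which the quoted hunk cuts off; a comment on the label stating the fall-through would make that dependency explicit.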
>
>
> Good find. Although doing it where you added "goto convert_exit" seems
> cleaner imho. Thanks,
I don't really care :). V2 attached.
Honza
--
Jan Kara <jack at suse.com>
SUSE Labs, CR
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-powerpc-book3s64-Fix-error-handling-in-mm_iommu_do_a.patch
Type: text/x-patch
Size: 1252 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20191220/fed61e73/attachment.bin>
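A userspace model of the failure the commit message describes, added here as an illustration; it is not code from the patch or from the kernel. `union slot`, the `model_*` helpers, `late_failure_cleanup()` and the 4-page pool are assumptions made up for the example, and the put helper reports an invalid pointer instead of dereferencing it.

```c
#include <stdint.h>
#include <stdlib.h>

#define PAGE_SHIFT 12                 /* assumed for the model */
#define NPAGES 4

struct page { int refcount; };        /* stand-in for the kernel type */
static struct page pool[NPAGES];      /* constructed "physical memory" */

/* One slot, two meanings: page pointer while pinning, address afterwards. */
union slot { struct page *hpage; uintptr_t hpa; };

static uintptr_t model_page_to_pfn(struct page *p) { return (uintptr_t)(p - pool); }
static struct page *model_pfn_to_page(uintptr_t pfn) { return &pool[pfn]; }

/* put_page() stand-in: rejects anything that is not a page in the pool. */
static int model_put_page(struct page *p)
{
    uintptr_t a = (uintptr_t)p;
    if (a < (uintptr_t)&pool[0] || a >= (uintptr_t)&pool[NPAGES])
        return -1;                    /* the kernel would dereference this */
    p->refcount--;
    return 0;
}

/* Pin, convert in place, fail late. Returns the number of invalid puts. */
static int late_failure_cleanup(int convert_back)
{
    union slot *s = calloc(NPAGES, sizeof(*s));
    int i, bad = 0, pinned = 0;
    if (!s)
        return -1;
    for (i = 0; i < NPAGES; i++, pinned++) {
        pool[i].refcount = 1;         /* "pin" the page */
        s[i].hpage = &pool[i];
    }
    for (i = 0; i < pinned; i++)      /* pointers become addresses */
        s[i].hpa = model_page_to_pfn(s[i].hpage) << PAGE_SHIFT;
    if (convert_back)                 /* the step the patch adds */
        for (i = 0; i < pinned; i++)
            s[i].hpage = model_pfn_to_page(s[i].hpa >> PAGE_SHIFT);
    for (i = 0; i < pinned; i++)      /* cleanup that expects page pointers */
        bad += model_put_page(s[i].hpage) != 0;
    free(s);
    return bad;
}
```

Without the conversion every put is handed an address rather than a page and the pins are never dropped; with it, all references are released.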