On Thu, Nov 03, 2022 at 05:08:08PM -0300, Jason Gunthorpe wrote:
> +static void pfn_reader_release_pins(struct pfn_reader *pfns)
> {
> 	struct iopt_pages *pages = pfns->pages;
>
> @@ -1005,12 +1013,20 @@ static void pfn_reader_destroy(struct pfn_reader *pfns)
> 		unpin_user_pages(pfns->user.upages + (pfns->batch_end_index -
> 						      pfns->user.upages_start),
> 				 npages);
> +		iopt_pages_sub_npinned(pages, npages);
> +		pfns->user.upages_end = pfns->batch_end_index;
> 	}

Syzkaller says the hidden if above is no good on error paths where the
pfn_reader has already advanced - it makes npages go negative:

-	if (pfns->user.upages) {
+	if (pfns->user.upages_end > pfns->batch_end_index) {

Jason
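Review bot: the replacement guard `if (pfns->user.upages_end > pfns->batch_end_index)` also makes the release block safe to run more than once, because the block's last statement `pfns->user.upages_end = pfns->batch_end_index;` falsifies the condition, so a second call to pfn_reader_release_pins() cannot unpin the same pages again or subtract from the pinned count twice; the old `if (pfns->user.upages)` check offered no such protection, and it let the unpin count go negative whenever batch_end_index had already moved past upages_end on an error path. It would be worth a one-line comment above the if stating that upages_end tracks the end of the still-pinned window, since the correctness of both unpin_user_pages() and iopt_pages_sub_npinned() here depends on that invariant.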