Hello,

On Friday, March 30, 2012 4:24 AM Krishna Reddy wrote:

> Hi,
> I have found a bug in arm_iommu_map_sg().
>
> > +int arm_iommu_map_sg(struct device *dev, struct scatterlist *sg, int nents,
> > + enum dma_data_direction dir, struct dma_attrs *attrs) {
> > + struct scatterlist *s = sg, *dma = sg, *start = sg;
> > + int i, count = 0;
> > + unsigned int offset = s->offset;
> > + unsigned int size = s->offset + s->length;
> > + unsigned int max = dma_get_max_seg_size(dev);
> > +
> > + for (i = 1; i < nents; i++) {
> > + s->dma_address = ARM_DMA_ERROR;
> > + s->dma_length = 0;
> > +
> > + s = sg_next(s);
>
> With the above code, the last sg element's dma_length is not getting set to zero.
> This is causing additional incorrect unmapping during the arm_iommu_unmap_sg call and
> leading to random crashes.
> The order of the above three lines should be as follows.
> s = sg_next(s);
>
> s->dma_address = ARM_DMA_ERROR;
> s->dma_length = 0;
>

You are right, the order of those lines must be reversed. In all my test codes the scatter list was initially cleared, so I missed this typical off-by-one error. Thanks for spotting it!

Best regards
--
Marek Szyprowski
Samsung Poland R&D Center
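
Review bot: In the `for (i = 1; i < nents; i++)` loop, `s->dma_address = ARM_DMA_ERROR;` and `s->dma_length = 0;` run before `s = sg_next(s);`, so the reset covers the first nents - 1 entries and never reaches the last one, which keeps whatever dma_length it held on entry. Move `s = sg_next(s);` to the top of the loop body so that entries 1 through nents - 1 are the ones reset. With that order the loop no longer touches the first entry, so check that its dma_address and dma_length are always written before the function returns, and do not rely on callers passing a zeroed scatterlist.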