Am Donnerstag, 27. Januar 2022, 07:58:19 CET schrieb Helge Deller:
> On 1/27/22 07:22, Rolf Eike Beer wrote:
> > Am Mittwoch, 26. Januar 2022, 21:39:05 CET schrieb John David Anglin:
> >> The bug is caused by overrunning the sglist and incorrectly testing
> >> sg_dma_len(sglist) before nents. Normally this doesn't cause a crash,
> >> but in this case sglist crossed a page boundary. This occurs in the
> >>
> >> following code:
> >> while (sg_dma_len(sglist) && nents--) {
> >>
> >> The fix is simply to test nents first and move the decrement of nents
> >> into the loop.
> >>
> >> Reported-by: Rolf Eike Beer <eike-kernel@xxxxxxxxx>
> >> Signed-off-by: John David Anglin <dave.anglin@xxxxxxxx>
> >> ---
> >>
> >> diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c
> >> index e60690d38d67..374b9199878d 100644
> >> --- a/drivers/parisc/sba_iommu.c
> >> +++ b/drivers/parisc/sba_iommu.c
> >> @@ -1047,7 +1047,7 @@ sba_unmap_sg(struct device *dev, struct scatterlist
> >> *sglist, int nents, spin_unlock_irqrestore(&ioc->res_lock, flags);
> >>
> >> #endif
> >>
> >> - while (sg_dma_len(sglist) && nents--) {
> >> + while (nents && sg_dma_len(sglist)) {
> >
> > What about:
> > for (; nents && sg_dma_len(sglist); nents--) {
>
> The way how Dave wrote it is more clean, IMHO.
YMMV :P
> By the way, since you ran into this issue, did you tested it,
> if it really solves the problem you see?
> If so, do you want to add a Tested-by: tag ?
No, I'm glad the machine is up and only crashing userspace processes atm. I
can't remember seeing this before, so I guess it was pure luck.
EikeAttachment:
signature.asc
Description: This is a digitally signed message part.
