Date:   Mon, 7 Aug 2023 23:14:13 +0100
From:   Matthew Wilcox <willy@...radead.org>
To:     Marek Szyprowski <m.szyprowski@...sung.com>
Cc:     linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
        Russell King <linux@...linux.org.uk>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Mike Rapoport <rppt@...nel.org>
Subject: Re: [PATCH] arm: dma-mapping: fix potential endless loop in
 __dma_page_dev_to_cpu()

On Mon, Aug 07, 2023 at 05:26:57PM +0200, Marek Szyprowski wrote:
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index 70cb7e63a9a5..02250106e5ed 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -718,7 +718,7 @@ static void __dma_page_dev_to_cpu(struct page *page, unsigned long off,
>  			folio = folio_next(folio);
>  		}
>  
> -		while (left >= (ssize_t)folio_size(folio)) {
> +		while (left && left >= (ssize_t)folio_size(folio)) {
>  			set_bit(PG_dcache_clean, &folio->flags);
>  			left -= folio_size(folio);
>  			folio = folio_next(folio);

I've been thinking about this and I think this is the right fix for the
wrong reason.  I don't understand how it can produce the failure you
saw, but we shouldn't be calling folio_next() if left is zero, let alone
calling folio_size() on it.  So I'd rather see this fix:

		while (left >= (ssize_t)folio_size(folio)) {
			set_bit(PG_dcache_clean, &folio->flags);
			left -= folio_size(folio);
+			if (!left)
+				break;
			folio = folio_next(folio);
		}

Powered by blists - more mailing lists