2020-09-20 02:56:35

by Souptick Joarder

Subject: [PATCH] misc: mic: scif: Fix error handling path

Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it
will call pin_user_pages_fast() to map nr_pages. However,
pin_user_pages_fast() might fail with a return value -ERRNO.

The return value is stored in pinned_pages->nr_pages, which in
turn is passed to unpin_user_pages(), which expects
pinned_pages->nr_pages >= 0, else disaster.

Fix this by assigning pinned_pages->nr_pages to 0 if
pin_user_pages_fast() returns -ERRNO.

Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and
unregistration")
Signed-off-by: Souptick Joarder <[email protected]>
Cc: John Hubbard <[email protected]>
Cc: Ira Weiny <[email protected]>
Cc: Dan Carpenter <[email protected]>
---
drivers/misc/mic/scif/scif_rma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c
index 2da3b47..18fb9d8 100644
--- a/drivers/misc/mic/scif/scif_rma.c
+++ b/drivers/misc/mic/scif/scif_rma.c
@@ -1392,6 +1392,8 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
(prot & SCIF_PROT_WRITE) ? FOLL_WRITE : 0,
pinned_pages->pages);
if (nr_pages != pinned_pages->nr_pages) {
+ if (pinned_pages->nr_pages < 0)
+ pinned_pages->nr_pages = 0;
if (try_upgrade) {
if (ulimit)
__scif_dec_pinned_vm_lock(mm, nr_pages);
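Review bot: the clamp added at the top of the `nr_pages != pinned_pages->nr_pages` branch overwrites the negative return value with 0, so the errno from pin_user_pages_fast() is discarded and the later `pinned_pages->nr_pages < nr_pages` check can only report -EFAULT. Consider taking the return value into a local int, assigning pinned_pages->nr_pages only when it is non-negative, and propagating the original error through err. A short comment on why the count is reset would also help, since the field holds both a return value and a page count at this point.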
@@ -1408,7 +1410,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,

if (pinned_pages->nr_pages < nr_pages) {
err = -EFAULT;
- pinned_pages->nr_pages = nr_pages;
goto dec_pinned;
}
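Review bot: dropping `pinned_pages->nr_pages = nr_pages;` in the `pinned_pages->nr_pages < nr_pages` branch changes the partial-pin case as well as the -ERRNO case, but the changelog only describes the latter. With the assignment gone, the dec_pinned path sees the number of pages actually pinned instead of the number requested; please state that in the commit message so the behaviour change for short pins is on record.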

@@ -1421,7 +1422,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
__scif_dec_pinned_vm_lock(mm, nr_pages);
/* Something went wrong! Rollback */
error_unmap:
- pinned_pages->nr_pages = nr_pages;
scif_destroy_pinned_pages(pinned_pages);
*pages = NULL;
dev_dbg(scif_info.mdev.this_device,
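Review bot: with `pinned_pages->nr_pages = nr_pages;` removed at error_unmap, scif_destroy_pinned_pages() now trusts whatever count is already in the structure, for every jump to this label and not only the pin_user_pages_fast() failure. Please confirm that each path reaching error_unmap, including the SCIF_MAP_KERNEL case the changelog mentions, has set pinned_pages->nr_pages to the number of pages it really holds before the jump; those paths are not visible in this hunk.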
--
1.9.1


2020-09-20 06:07:49

by John Hubbard

Subject: Re: [PATCH] misc: mic: scif: Fix error handling path

On 9/19/20 7:51 PM, Souptick Joarder wrote:
> Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it
> will call pin_user_pages_fast() to map nr_pages. However,
> pin_user_pages_fast() might fail with a return value -ERRNO.
>
> The return value is stored in pinned_pages->nr_pages, which in
> turn is passed to unpin_user_pages(), which expects
> pinned_pages->nr_pages >= 0, else disaster.
>
> Fix this by assigning pinned_pages->nr_pages to 0 if
> pin_user_pages_fast() returns -ERRNO.
>
> Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and
> unregistration")
> Signed-off-by: Souptick Joarder <[email protected]>
> Cc: John Hubbard <[email protected]>
> Cc: Ira Weiny <[email protected]>
> Cc: Dan Carpenter <[email protected]>
> ---

Reviewed-by: John Hubbard <[email protected]>

thanks,
--
John Hubbard
NVIDIA

> drivers/misc/mic/scif/scif_rma.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c
> index 2da3b47..18fb9d8 100644
> --- a/drivers/misc/mic/scif/scif_rma.c
> +++ b/drivers/misc/mic/scif/scif_rma.c
> @@ -1392,6 +1392,8 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
> (prot & SCIF_PROT_WRITE) ? FOLL_WRITE : 0,
> pinned_pages->pages);
> if (nr_pages != pinned_pages->nr_pages) {
> + if (pinned_pages->nr_pages < 0)
> + pinned_pages->nr_pages = 0;
> if (try_upgrade) {
> if (ulimit)
> __scif_dec_pinned_vm_lock(mm, nr_pages);
> @@ -1408,7 +1410,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
>
> if (pinned_pages->nr_pages < nr_pages) {
> err = -EFAULT;
> - pinned_pages->nr_pages = nr_pages;
> goto dec_pinned;
> }
>
> @@ -1421,7 +1422,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
> __scif_dec_pinned_vm_lock(mm, nr_pages);
> /* Something went wrong! Rollback */
> error_unmap:
> - pinned_pages->nr_pages = nr_pages;
> scif_destroy_pinned_pages(pinned_pages);
> *pages = NULL;
> dev_dbg(scif_info.mdev.this_device,
>