Reported-by: Laurent Pinchart <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
---
drivers/dma-buf/udmabuf.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index cb99a7886a..ec46513a47 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -126,7 +126,7 @@ static long udmabuf_create(struct const udmabuf_create_list *head,
struct file *memfd = NULL;
struct udmabuf *ubuf;
struct dma_buf *buf;
- pgoff_t pgoff, pgcnt, pgidx, pgbuf, pglimit;
+ pgoff_t pgoff, pgcnt, pgidx, pgbuf = 0, pglimit;
struct page *page;
int seals, ret = -EINVAL;
u32 i, flags;
@@ -138,32 +138,32 @@ static long udmabuf_create(struct const udmabuf_create_list *head,
pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
for (i = 0; i < head->count; i++) {
if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
- goto err_free_ubuf;
+ goto err;
if (!IS_ALIGNED(list[i].size, PAGE_SIZE))
- goto err_free_ubuf;
+ goto err;
ubuf->pagecount += list[i].size >> PAGE_SHIFT;
if (ubuf->pagecount > pglimit)
- goto err_free_ubuf;
+ goto err;
}
ubuf->pages = kmalloc_array(ubuf->pagecount, sizeof(struct page *),
GFP_KERNEL);
if (!ubuf->pages) {
ret = -ENOMEM;
- goto err_free_ubuf;
+ goto err;
}
pgbuf = 0;
for (i = 0; i < head->count; i++) {
memfd = fget(list[i].memfd);
if (!memfd)
- goto err_put_pages;
+ goto err;
if (!shmem_mapping(file_inode(memfd)->i_mapping))
- goto err_put_pages;
+ goto err;
seals = memfd_fcntl(memfd, F_GET_SEALS, 0);
if (seals == -EINVAL ||
(seals & SEALS_WANTED) != SEALS_WANTED ||
(seals & SEALS_DENIED) != 0)
- goto err_put_pages;
+ goto err;
pgoff = list[i].offset >> PAGE_SHIFT;
pgcnt = list[i].size >> PAGE_SHIFT;
for (pgidx = 0; pgidx < pgcnt; pgidx++) {
@@ -171,13 +171,13 @@ static long udmabuf_create(struct const udmabuf_create_list *head,
file_inode(memfd)->i_mapping, pgoff + pgidx);
if (IS_ERR(page)) {
ret = PTR_ERR(page);
- goto err_put_pages;
+ goto err;
}
ubuf->pages[pgbuf++] = page;
}
fput(memfd);
+ memfd = NULL;
}
- memfd = NULL;
exp_info.ops = &udmabuf_ops;
exp_info.size = ubuf->pagecount << PAGE_SHIFT;
@@ -186,7 +186,7 @@ static long udmabuf_create(struct const udmabuf_create_list *head,
buf = dma_buf_export(&exp_info);
if (IS_ERR(buf)) {
ret = PTR_ERR(buf);
- goto err_put_pages;
+ goto err;
}
flags = 0;
@@ -194,10 +194,9 @@ static long udmabuf_create(struct const udmabuf_create_list *head,
flags |= O_CLOEXEC;
return dma_buf_fd(buf, flags);
-err_put_pages:
+err:
while (pgbuf > 0)
put_page(ubuf->pages[--pgbuf]);
-err_free_ubuf:
if (memfd)
fput(memfd);
kfree(ubuf->pages);
--
2.9.3
Hi Gerd,
Thank you for the patch.
On Tuesday, 11 September 2018 09:59:19 EEST Gerd Hoffmann wrote:
> Reported-by: Laurent Pinchart <[email protected]>
> Signed-off-by: Gerd Hoffmann <[email protected]>
Reviewed-by: Laurent Pinchart <[email protected]>
> ---
> drivers/dma-buf/udmabuf.c | 25 ++++++++++++-------------
> 1 file changed, 12 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> index cb99a7886a..ec46513a47 100644
> --- a/drivers/dma-buf/udmabuf.c
> +++ b/drivers/dma-buf/udmabuf.c
> @@ -126,7 +126,7 @@ static long udmabuf_create(struct const
> udmabuf_create_list *head, struct file *memfd = NULL;
> struct udmabuf *ubuf;
> struct dma_buf *buf;
> - pgoff_t pgoff, pgcnt, pgidx, pgbuf, pglimit;
> + pgoff_t pgoff, pgcnt, pgidx, pgbuf = 0, pglimit;
> struct page *page;
> int seals, ret = -EINVAL;
> u32 i, flags;
> @@ -138,32 +138,32 @@ static long udmabuf_create(struct const
> udmabuf_create_list *head, pglimit = (size_limit_mb * 1024 * 1024) >>
> PAGE_SHIFT;
> for (i = 0; i < head->count; i++) {
> if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
> - goto err_free_ubuf;
> + goto err;
> if (!IS_ALIGNED(list[i].size, PAGE_SIZE))
> - goto err_free_ubuf;
> + goto err;
> ubuf->pagecount += list[i].size >> PAGE_SHIFT;
> if (ubuf->pagecount > pglimit)
> - goto err_free_ubuf;
> + goto err;
> }
> ubuf->pages = kmalloc_array(ubuf->pagecount, sizeof(struct page *),
> GFP_KERNEL);
> if (!ubuf->pages) {
> ret = -ENOMEM;
> - goto err_free_ubuf;
> + goto err;
> }
>
> pgbuf = 0;
> for (i = 0; i < head->count; i++) {
> memfd = fget(list[i].memfd);
> if (!memfd)
> - goto err_put_pages;
> + goto err;
> if (!shmem_mapping(file_inode(memfd)->i_mapping))
> - goto err_put_pages;
> + goto err;
> seals = memfd_fcntl(memfd, F_GET_SEALS, 0);
> if (seals == -EINVAL ||
> (seals & SEALS_WANTED) != SEALS_WANTED ||
> (seals & SEALS_DENIED) != 0)
> - goto err_put_pages;
> + goto err;
> pgoff = list[i].offset >> PAGE_SHIFT;
> pgcnt = list[i].size >> PAGE_SHIFT;
> for (pgidx = 0; pgidx < pgcnt; pgidx++) {
> @@ -171,13 +171,13 @@ static long udmabuf_create(struct const
> udmabuf_create_list *head, file_inode(memfd)->i_mapping, pgoff + pgidx);
> if (IS_ERR(page)) {
> ret = PTR_ERR(page);
> - goto err_put_pages;
> + goto err;
> }
> ubuf->pages[pgbuf++] = page;
> }
> fput(memfd);
> + memfd = NULL;
> }
> - memfd = NULL;
>
> exp_info.ops = &udmabuf_ops;
> exp_info.size = ubuf->pagecount << PAGE_SHIFT;
> @@ -186,7 +186,7 @@ static long udmabuf_create(struct const
> udmabuf_create_list *head, buf = dma_buf_export(&exp_info);
> if (IS_ERR(buf)) {
> ret = PTR_ERR(buf);
> - goto err_put_pages;
> + goto err;
> }
>
> flags = 0;
> @@ -194,10 +194,9 @@ static long udmabuf_create(struct const
> udmabuf_create_list *head, flags |= O_CLOEXEC;
> return dma_buf_fd(buf, flags);
>
> -err_put_pages:
> +err:
> while (pgbuf > 0)
> put_page(ubuf->pages[--pgbuf]);
> -err_free_ubuf:
> if (memfd)
> fput(memfd);
> kfree(ubuf->pages);
--
Regards,
Laurent Pinchart