2020-05-18 00:01:25

by John Hubbard

[permalink] [raw]
Subject: [PATCH 0/2] rapidio: convert to pin_user_pages(), plus a small fix

While converting rapidio from get_user_pages() to pin_user_pages(),
I noticed a small problem in the error handling, so that is fixed
first. As such, the fix has -stable on CC, and can be separately
applied.

Note that I have only compile-tested these patches, although that does
also include cross-compiling for half a dozen arches.

John Hubbard (2):
rapidio: fix an error in get_user_pages_fast() error handling
rapidio: convert get_user_pages() --> pin_user_pages()

drivers/rapidio/devices/rio_mport_cdev.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)

Cc: Matt Porter <[email protected]>
Cc: Alexandre Bounine <[email protected]>
Cc: Sumit Semwal <[email protected]>
Cc: Dan Carpenter <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: [email protected]

John Hubbard (2):
rapidio: fix an error in get_user_pages_fast() error handling
rapidio: convert get_user_pages() --> pin_user_pages()

drivers/rapidio/devices/rio_mport_cdev.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)


base-commit: 5a9ffb954a3933d7867f4341684a23e008d6839b
--
2.26.2


2020-05-18 00:01:25

by John Hubbard

[permalink] [raw]
Subject: [PATCH 1/2] rapidio: fix an error in get_user_pages_fast() error handling

In the case of get_user_pages_fast() returning fewer pages than
requested, rio_dma_transfer() does not quite do the right thing.
It attempts to release all the pages that were requested, rather
than just the pages that were pinned.

Fix the error handling so that only the pages that were successfully
pinned are released.

Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Cc: Matt Porter <[email protected]>
Cc: Alexandre Bounine <[email protected]>
Cc: Sumit Semwal <[email protected]>
Cc: Dan Carpenter <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: [email protected]
Cc: [email protected]
Signed-off-by: John Hubbard <[email protected]>
---
drivers/rapidio/devices/rio_mport_cdev.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 8155f59ece38..10af330153b5 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -877,6 +877,11 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
rmcd_error("pinned %ld out of %ld pages",
pinned, nr_pages);
ret = -EFAULT;
+ /*
+ * Set nr_pages up to mean "how many pages to unpin, in
+ * the error handler:
+ */
+ nr_pages = pinned;
goto err_pg;
}

--
2.26.2

2020-05-18 21:41:16

by Andrew Morton

[permalink] [raw]
Subject: Re: [PATCH 1/2] rapidio: fix an error in get_user_pages_fast() error handling

On Sun, 17 May 2020 16:56:19 -0700 John Hubbard <[email protected]> wrote:

> In the case of get_user_pages_fast() returning fewer pages than
> requested, rio_dma_transfer() does not quite do the right thing.
> It attempts to release all the pages that were requested, rather
> than just the pages that were pinned.
>
> Fix the error handling so that only the pages that were successfully
> pinned are released.
>
> ...
>
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -877,6 +877,11 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
> rmcd_error("pinned %ld out of %ld pages",
> pinned, nr_pages);
> ret = -EFAULT;
> + /*
> + * Set nr_pages up to mean "how many pages to unpin, in
> + * the error handler:
> + */
> + nr_pages = pinned;
> goto err_pg;
> }

The code is a bit odd. If (xfer->loc_addr == 0) then we do the `else'
stuff then fall through to

err_pg:
if (!req->page_list) {
for (i = 0; i < nr_pages; i++)
put_page(page_list[i]);
kfree(page_list);
}

all of which is a big no-op because nr_pages==0 and page_list==NULL,
but it could all be easily avoided.

Oh well. Reviewed-by:me.