[PATCH] dma: fix error handling on out of memory

[PATCH] dma: fix error handling on out of memory

[Michael S. Tsirkin]

get_user_pages might return less pages than requested. If this happens
for the first iovec in dma_pin_iovec_pages, then nr_iovecs is 0 and so
dma_unpin_iovec_pages will not unpin any pages, leaking pinned memory.
A similar off by one would trigger for any of the following entries.

Fix by updating nr_iovecs and nr_pages in this case.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

Error handling in dma_pin_iovec_pages still looks wrong to me.  Am I
missing something?  The following patch against 2.6.36-rc7 was under
some very light testing by me.

Thanks,

 drivers/dma/iovlock.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/drivers/dma/iovlock.c b/drivers/dma/iovlock.c
index bb48a57..21ed8f3 100644
--- a/drivers/dma/iovlock.c
+++ b/drivers/dma/iovlock.c
@@ -107,10 +107,16 @@ struct dma_pinned_list *dma_pin_iovec_pages(struct iovec *iov, size_t len)
 			NULL);
 		up_read(&current->mm->mmap_sem);
 
-		if (ret != page_list->nr_pages)
+		if (unlikely(ret < 0))
 			goto unpin;
 
 		local_list->nr_iovecs = i + 1;
+
+		if (unlikely(ret != page_list->nr_pages)) {
+			page_list->nr_pages = ret;
+			goto unpin;
+		}
+
 	}
 
 	return local_list;
-- 
MST

Re: [PATCH] dma: fix error handling on out of memory

[Dan Williams]

On Mon, Oct 11, 2010 at 2:44 AM, Michael S. Tsirkin <mst@redhat.com> wrote:
> get_user_pages might return less pages than requested. If this happens
> for the first iovec in dma_pin_iovec_pages, then nr_iovecs is 0 and so
> dma_unpin_iovec_pages will not unpin any pages, leaking pinned memory.
> A similar off by one would trigger for any of the following entries.
>
> Fix by updating nr_iovecs and nr_pages in this case.
>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>
> Error handling in dma_pin_iovec_pages still looks wrong to me.  Am I
> missing something?

Still looks wrong it what way?  You make sure that nr_iovecs is
incremented so that the partial page list is freed, and we only walk
the initialized entries in pinned_list.

--
Dan

Re: [PATCH] dma: fix error handling on out of memory

[Michael S. Tsirkin]

On Wed, Oct 13, 2010 at 05:10:25PM -0700, Dan Williams wrote:
> On Mon, Oct 11, 2010 at 2:44 AM, Michael S. Tsirkin <mst@redhat.com> wrote:
> > get_user_pages might return less pages than requested. If this happens
> > for the first iovec in dma_pin_iovec_pages, then nr_iovecs is 0 and so
> > dma_unpin_iovec_pages will not unpin any pages, leaking pinned memory.
> > A similar off by one would trigger for any of the following entries.
> >
> > Fix by updating nr_iovecs and nr_pages in this case.
> >
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > ---
> >
> > Error handling in dma_pin_iovec_pages still looks wrong to me.  Am I
> > missing something?
> 
> Still looks wrong it what way?  You make sure that nr_iovecs is
> incremented so that the partial page list is freed, and we only walk
> the initialized entries in pinned_list.

In that before the patch, if get_user_pages returns less pages than
requested, we would leak pinned memory. Right?

> --
> Dan