From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
James Bottomley <JBottomley@Parallels.com>,
Subhash Jadavani <subhashj@codeaurora.org>,
Russell King <rmk+kernel@arm.linux.org.uk>
Subject: [ 05/15] ARM: DMA: Fix struct page iterator in dma_cache_maint() to work with sparsemem
Date: Fri, 1 Feb 2013 11:48:38 +0100 [thread overview]
Message-ID: <20130201104756.848500935@linuxfoundation.org> (raw)
In-Reply-To: <20130201104756.470588207@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
commit 15653371c67c3fbe359ae37b720639dd4c7b42c5 upstream.
Subhash Jadavani reported this partial backtrace:
Now consider this call stack from MMC block driver (this is on the ARMv7
based board):
[<c001b50c>] (v7_dma_inv_range+0x30/0x48) from [<c0017b8c>] (dma_cache_maint_page+0x1c4/0x24c)
[<c0017b8c>] (dma_cache_maint_page+0x1c4/0x24c) from [<c0017c28>] (___dma_page_cpu_to_dev+0x14/0x1c)
[<c0017c28>] (___dma_page_cpu_to_dev+0x14/0x1c) from [<c0017ff8>] (dma_map_sg+0x3c/0x114)
This is caused by incrementing the struct page pointer, and running off
the end of the sparsemem page array. Fix this by incrementing by pfn
instead, and convert the pfn to a struct page.
Suggested-by: James Bottomley <JBottomley@Parallels.com>
Tested-by: Subhash Jadavani <subhashj@codeaurora.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mm/dma-mapping.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -467,25 +467,27 @@ static void dma_cache_maint_page(struct
size_t size, enum dma_data_direction dir,
void (*op)(const void *, size_t, int))
{
+ unsigned long pfn;
+ size_t left = size;
+
+ pfn = page_to_pfn(page) + offset / PAGE_SIZE;
+ offset %= PAGE_SIZE;
+
/*
* A single sg entry may refer to multiple physically contiguous
* pages. But we still need to process highmem pages individually.
* If highmem is not configured then the bulk of this loop gets
* optimized out.
*/
- size_t left = size;
do {
size_t len = left;
void *vaddr;
+ page = pfn_to_page(pfn);
+
if (PageHighMem(page)) {
- if (len + offset > PAGE_SIZE) {
- if (offset >= PAGE_SIZE) {
- page += offset / PAGE_SIZE;
- offset %= PAGE_SIZE;
- }
+ if (len + offset > PAGE_SIZE)
len = PAGE_SIZE - offset;
- }
vaddr = kmap_high_get(page);
if (vaddr) {
vaddr += offset;
@@ -502,7 +504,7 @@ static void dma_cache_maint_page(struct
op(vaddr, len, dir);
}
offset = 0;
- page++;
+ pfn++;
left -= len;
} while (left);
}
next prev parent reply other threads:[~2013-02-01 10:48 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20130201104756.470588207@linuxfoundation.org>
2013-02-01 10:48 ` [ 01/15] can: c_can: fix invalid error codes Greg Kroah-Hartman
2013-02-01 10:48 ` [ 02/15] can: ti_hecc: " Greg Kroah-Hartman
2013-02-01 10:48 ` [ 03/15] can: pch_can: " Greg Kroah-Hartman
2013-02-01 10:48 ` [ 04/15] fs/cifs/cifs_dfs_ref.c: fix potential memory leakage Greg Kroah-Hartman
2013-02-01 10:48 ` Greg Kroah-Hartman [this message]
2013-02-01 10:48 ` [ 06/15] Bluetooth: Fix sending HCI commands after reset Greg Kroah-Hartman
2013-02-01 10:48 ` [ 07/15] ath9k_htc: Fix memory leak Greg Kroah-Hartman
2013-02-01 10:48 ` [ 08/15] ath9k: fix double-free bug on beacon generate failure Greg Kroah-Hartman
2013-02-01 10:48 ` [ 09/15] ALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices Greg Kroah-Hartman
2013-02-01 10:48 ` [ 10/15] EDAC: Test correct variable in ->store function Greg Kroah-Hartman
2013-02-01 10:48 ` [ 11/15] Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() Greg Kroah-Hartman
2013-02-01 10:48 ` [ 12/15] smp: Fix SMP function call empty cpu mask race Greg Kroah-Hartman
2013-02-01 10:48 ` [ 13/15] x86/msr: Add capabilities check Greg Kroah-Hartman
2013-02-01 10:48 ` [ 14/15] efi, x86: Pass a proper identity mapping in efi_call_phys_prelog Greg Kroah-Hartman
2013-02-01 10:48 ` [ 15/15] x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130201104756.848500935@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=JBottomley@Parallels.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rmk+kernel@arm.linux.org.uk \
--cc=stable@vger.kernel.org \
--cc=subhashj@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).