4 Nov
2022
4 Nov
'22
4:26 p.m.
On Thu, Nov 03, 2022 at 05:08:08PM -0300, Jason Gunthorpe wrote:
+static void pfn_reader_release_pins(struct pfn_reader *pfns) { struct iopt_pages *pages = pfns->pages; @@ -1005,12 +1013,20 @@ static void pfn_reader_destroy(struct pfn_reader *pfns) unpin_user_pages(pfns->user.upages + (pfns->batch_end_index - pfns->user.upages_start), npages);
iopt_pages_sub_npinned(pages, npages);pfns->user.upages_end = pfns->batch_end_index;
Syzkaller says the hidden if above is no good on error paths where the pfn_reader has already advanced - it makes npages go negative:
- if (pfns->user.upages) { + if (pfns->user.upages_end > pfns->batch_end_index) {
Jason