Re: [PATCH] drm/imagination: fix off by one in pvr_vm_mips_init() error handling
From: Frank Binns
Date: Thu Nov 30 2023 - 04:13:26 EST
On Thu, 2023-11-30 at 10:27 +0300, Dan Carpenter wrote:
> If the call to vmap() fails the "page_nr" is one element beyond the end
> of the mips_data->pt_dma_addr[] and mips_data->pt_pages[] arrays.
>
> The way that this is traditionally written is that we clean up the
> partial loop iteration before the goto and then we can say
> while (--i >= 0). At that point we know that all the elements thus
> far are initialized so we don't need to have NULL checks.
>
> Fixes: 927f3e0253c1 ("drm/imagination: Implement MIPS firmware processor and MMU support")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Frank Binns <frank.binns@xxxxxxxxxx>
> ---
> drivers/gpu/drm/imagination/pvr_vm_mips.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/gpu/drm/imagination/pvr_vm_mips.c b/drivers/gpu/drm/imagination/pvr_vm_mips.c
> index 7268cf6e630b..2bc7181a4c3e 100644
> --- a/drivers/gpu/drm/imagination/pvr_vm_mips.c
> +++ b/drivers/gpu/drm/imagination/pvr_vm_mips.c
> @@ -57,6 +57,7 @@ pvr_vm_mips_init(struct pvr_device *pvr_dev)
> PAGE_SIZE, DMA_TO_DEVICE);
> if (dma_mapping_error(dev, mips_data->pt_dma_addr[page_nr])) {
> err = -ENOMEM;
> + __free_page(mips_data->pt_pages[page_nr]);
> goto err_free_pages;
> }
> }
> @@ -79,13 +80,11 @@ pvr_vm_mips_init(struct pvr_device *pvr_dev)
> return 0;
>
> err_free_pages:
> - for (; page_nr >= 0; page_nr--) {
> - if (mips_data->pt_dma_addr[page_nr])
> - dma_unmap_page(from_pvr_device(pvr_dev)->dev,
> - mips_data->pt_dma_addr[page_nr], PAGE_SIZE, DMA_TO_DEVICE);
> + while (--page_nr >= 0) {
> + dma_unmap_page(from_pvr_device(pvr_dev)->dev,
> + mips_data->pt_dma_addr[page_nr], PAGE_SIZE, DMA_TO_DEVICE);
>
> - if (mips_data->pt_pages[page_nr])
> - __free_page(mips_data->pt_pages[page_nr]);
> + __free_page(mips_data->pt_pages[page_nr]);
> }
>
> return err;