On Wed, Sep 16, 2020 at 01:02:32PM +0300, Dan Carpenter wrote: > On Wed, Sep 16, 2020 at 09:12:17AM +0530, Souptick Joarder wrote: > > There is an error when pin_user_pages_fast() returns -ERRNO and > > inside error handling path driver end up calling unpin_user_pages() > > with -ERRNO which is not correct. > > > > This patch will fix the problem. > > There are a few ways we could prevent bug in the future. > > 1) This could have been caught with existing static analysis tools > which warn about when a value is set but not used. > > 2) I've created a Smatch check which warngs about: > > drivers/rapidio/devices/rio_mport_cdev.c:955 rio_dma_transfer() warn: > unpinning negative pages 'nr_pages' > > I'll test it out tonight and see how well it works. I don't > immediately see any other bugs allthough Smatch doesn't like the code > in siw_umem_release(). It uses "min_t(int" which suggests that > negative pages are okay. > > int to_free = min_t(int, PAGES_PER_CHUNK, num_pages); > > 3) We could add a check in unpin_user_pages(). > > if (WARN_ON(IS_ERR_VALUE(npages))) > return;
Does IS_ERR_VALUE() work on an unsigned variable? The issue with adding a check in unpin_user_pages() is that npages is unsigned long. Ira > > It's not possible to pin more than "ULONG_MAX - 4095" because otherwise > returning error pointers wouldn't work. So this check can't break > anything and it could prevent a crash. > > regards, > dan carpenter >
