From patchwork Thu Aug  2 20:00:37 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tony Battersby <tonyb@cybernetics.com>
X-Patchwork-Id: 10554121
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 31EA514E2
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Thu,  2 Aug 2018 20:00:41 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2997A2C306
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Thu,  2 Aug 2018 20:00:41 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 1DA022C332; Thu,  2 Aug 2018 20:00:41 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B286D2C33E
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Thu,  2 Aug 2018 20:00:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731865AbeHBVxS (ORCPT
        <rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
        Thu, 2 Aug 2018 17:53:18 -0400
Received: from mail.cybernetics.com ([173.71.130.66]:39936 "EHLO
        mail.cybernetics.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726828AbeHBVxS (ORCPT
        <rfc822;linux-scsi@vger.kernel.org>); Thu, 2 Aug 2018 17:53:18 -0400
X-ASG-Debug-ID: 1533240037-0fb3b01fb33f5a20001-ziuLRu
Received: from cybernetics.com ([10.157.1.126]) by mail.cybernetics.com with
 ESMTP id AwJ773DfukFnPLt9 (version=SSLv3 cipher=DES-CBC3-SHA bits=112
 verify=NO); Thu, 02 Aug 2018 16:00:37 -0400 (EDT)
X-Barracuda-Envelope-From: tonyb@cybernetics.com
X-ASG-Whitelist: Client
Received: from [10.157.2.224] (account tonyb HELO [192.168.200.1])
  by cybernetics.com (CommuniGate Pro SMTP 5.1.14)
  with ESMTPSA id 8317844; Thu, 02 Aug 2018 16:00:37 -0400
From: Tony Battersby <tonyb@cybernetics.com>
Subject: [PATCH v2 7/9] dmapool: debug: prevent endless loop in case of
 corruption
To: Matthew Wilcox <willy@infradead.org>,
        Christoph Hellwig <hch@lst.de>,
        Marek Szyprowski <m.szyprowski@samsung.com>,
        Sathya Prakash <sathya.prakash@broadcom.com>,
        Chaitra P B <chaitra.basappa@broadcom.com>,
        Suganath Prabu Subramani
        <suganath-prabu.subramani@broadcom.com>,
        iommu@lists.linux-foundation.org, linux-mm@kvack.org,
        linux-scsi@vger.kernel.org, MPT-FusionLinux.pdl@broadcom.com
X-ASG-Orig-Subj: [PATCH v2 7/9] dmapool: debug: prevent endless loop in case
 of
 corruption
Message-ID: <36e483e9-d779-497a-551e-32f96e184b49@cybernetics.com>
Date: Thu, 2 Aug 2018 16:00:37 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Language: en-US
X-Barracuda-Connect: UNKNOWN[10.157.1.126]
X-Barracuda-Start-Time: 1533240037
X-Barracuda-Encrypted: DES-CBC3-SHA
X-Barracuda-URL: https://10.157.1.122:443/cgi-mod/mark.cgi
X-Barracuda-Scan-Msg-Size: 1676
X-Virus-Scanned: by bsmtpd at cybernetics.com
X-Barracuda-BRTS-Status: 1
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Prevent a possible endless loop with DMAPOOL_DEBUG enabled if a buggy
driver corrupts DMA pool memory.

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>

--- linux/mm/dmapool.c.orig	2018-08-02 10:14:25.000000000 -0400
+++ linux/mm/dmapool.c	2018-08-02 10:16:17.000000000 -0400
@@ -449,16 +449,35 @@ void dma_pool_free(struct dma_pool *pool
 	{
 		void *page_vaddr = vaddr - offset;
 		unsigned int chain = page->dma_free_o;
+		size_t total_free = 0;
+
 		while (chain < pool->allocation) {
-			if (chain != offset) {
-				chain = *(int *)(page_vaddr + chain);
-				continue;
+			if (unlikely(chain == offset)) {
+				spin_unlock_irqrestore(&pool->lock, flags);
+				dev_err(pool->dev,
+					"dma_pool_free %s, dma %pad already free\n",
+					pool->name, &dma);
+				return;
+			}
+
+			/*
+			 * The calculation of the number of blocks per
+			 * allocation is actually more complicated than this
+			 * because of the boundary value.  But this comparison
+			 * does not need to be exact; it just needs to prevent
+			 * an endless loop in case a buggy driver causes a
+			 * circular loop in the freelist.
+			 */
+			total_free += pool->size;
+			if (unlikely(total_free >= pool->allocation)) {
+				spin_unlock_irqrestore(&pool->lock, flags);
+				dev_err(pool->dev,
+					"dma_pool_free %s, freelist corrupted\n",
+					pool->name);
+				return;
 			}
-			spin_unlock_irqrestore(&pool->lock, flags);
-			dev_err(pool->dev,
-				"dma_pool_free %s, dma %pad already free\n",
-				pool->name, &dma);
-			return;
+
+			chain = *(int *)(page_vaddr + chain);
 		}
 	}
 	memset(vaddr, POOL_POISON_FREED, pool->size);