From b15a3891c916f32a29832886a053a48be2741d4d Mon Sep 17 00:00:00 2001 From: Jan Beulich Date: Thu, 13 Mar 2008 09:13:30 +0000 Subject: avoid endless loops in lib/swiotlb.c Commit 681cc5cd3efbeafca6386114070e0bfb5012e249 ("iommu sg merging: swiotlb: respect the segment boundary limits") introduced two possibilities for entering an endless loop in lib/swiotlb.c: - if max_slots is zero (possible if mask is ~0UL) - if the number of slots requested fits into a swiotlb segment, but is too large for the part of a segment which remains after considering offset_slots This fixes them Signed-off-by: Jan Beulich Cc: FUJITA Tomonori Cc: Andrew Morton Signed-off-by: Linus Torvalds --- lib/swiotlb.c | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) (limited to 'lib') diff --git a/lib/swiotlb.c b/lib/swiotlb.c index 4bb5a11e18a2..025922807e6e 100644 --- a/lib/swiotlb.c +++ b/lib/swiotlb.c @@ -310,7 +310,9 @@ map_single(struct device *hwdev, char *buffer, size_t size, int dir) start_dma_addr = virt_to_bus(io_tlb_start) & mask; offset_slots = ALIGN(start_dma_addr, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT; - max_slots = ALIGN(mask + 1, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT; + max_slots = mask + 1 + ? ALIGN(mask + 1, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT + : 1UL << (BITS_PER_LONG - IO_TLB_SHIFT); /* * For mappings greater than a page, we limit the stride (and @@ -333,16 +335,18 @@ map_single(struct device *hwdev, char *buffer, size_t size, int dir) index = ALIGN(io_tlb_index, stride); if (index >= io_tlb_nslabs) index = 0; - - while (is_span_boundary(index, nslots, offset_slots, - max_slots)) { - index += stride; - if (index >= io_tlb_nslabs) - index = 0; - } wrap = index; do { + while (is_span_boundary(index, nslots, offset_slots, + max_slots)) { + index += stride; + if (index >= io_tlb_nslabs) + index = 0; + if (index == wrap) + goto not_found; + } + /* * If we find a slot that indicates we have 'nslots' * number of contiguous buffers, we allocate the @@ -367,14 +371,12 @@ map_single(struct device *hwdev, char *buffer, size_t size, int dir) goto found; } - do { - index += stride; - if (index >= io_tlb_nslabs) - index = 0; - } while (is_span_boundary(index, nslots, offset_slots, - max_slots)); + index += stride; + if (index >= io_tlb_nslabs) + index = 0; } while (index != wrap); + not_found: spin_unlock_irqrestore(&io_tlb_lock, flags); return NULL; } -- cgit v1.2.3