Hello,

On Friday, March 30, 2012 4:24 AM Krishna Reddy wrote:

Hi,
I have found a bug in arm_iommu_map_sg().

quoted

+int arm_iommu_map_sg(struct device *dev, struct scatterlist *sg, int nents,
+		     enum dma_data_direction dir, struct dma_attrs *attrs) {
+	struct scatterlist *s = sg, *dma = sg, *start = sg;
+	int i, count = 0;
+	unsigned int offset = s->offset;
+	unsigned int size = s->offset + s->length;
+	unsigned int max = dma_get_max_seg_size(dev);
+
+	for (i = 1; i < nents; i++) {
+		s->dma_address = ARM_DMA_ERROR;
+		s->dma_length = 0;
+
+		s = sg_next(s);

With above code, the last sg element's dma_length is not getting set to zero.
This causing additional incorrect  unmapping during arm_iommu_unmap_sg call and
leading to random crashes.
The order of above three lines should be as follows.
		s = sg_next(s);

		s->dma_address = ARM_DMA_ERROR;
		s->dma_length = 0;

You are right, the order of those lines must be reversed. In all my test codes the 
scatter list was initially cleared, so I missed this typical off-by-one error. 
Thanks for spotting it!

Best regards
-- 
Marek Szyprowski
Samsung Poland R&D Center