Re: [PATCH v2] Fixes a race in iopt_unmap_iova_range

Next message: Masami Hiramatsu (Google): "[RESEND PATCH v16 1/5] ring-buffer: Flush and stop persistent ring buffer on panic"
Previous message: Masami Hiramatsu (Google): "[RESEND PATCH v16 0/5] ring-buffer: Making persistent ring buffers robust"
In reply to: Sina Hassani: "[PATCH v2] Fixes a race in iopt_unmap_iova_range"
Next in thread: Sina Hassani: "Re: [PATCH v2] Fixes a race in iopt_unmap_iova_range"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Mon Apr 06 2026 - 21:12:45 EST

On Mon, Apr 06, 2026 at 04:07:01PM -0700, Sina Hassani wrote:

> io_pagetable *iopt, unsigned long start,
> unmapped_bytes += area_last - area_first + 1;
>
> down_write(&iopt->iova_rwsem);
> +
> + /* Do not reconsider things already unmapped in case of
> + * concurrent allocation */
> + start = area_last + 1;

area_last can be ULONG_MAX so this literally overflows to 0. It is why
I formed the suggestion I gave as I did

Jason