iommu-helper.c -> find_next_zero_area errors

[Kyle Hubert]

In the function find_next_zero_area in iommu-helper.c, I think there
are two small issues. For one, it appears the conditionals after
find_next_zero_bit will cause failures when there is still room in the
IOMMU area. Here is the code in question:

  15again:
  16        index = find_next_zero_bit(map, size, start);
  17
  18        /* Align allocation */
  19        index = (index + align_mask) & ~align_mask;
  20
  21        end = index + nr;
  22        if (end >= size)
  23                return -1;
  24        for (i = index; i < end; i++) {
  25                if (test_bit(i, map)) {
  26                        start = i+1;
  27                        goto again;
  28                }
  29        }
  30        return index;

On line 16, we get the index with the next zero bit in the bit-field.
Then the "end" value is compared against size on line 22. By testing
for >=, an allocation of 64 elements in a 64 bit bit-field would
result in (0 + 64) >= 64. This means it would return -1, or, no space.
Anything that butts against the end of the area will fail.

Then continuing on to line 24, we see the for loop starting at the
"index" value. Index was just returned by find_next_zero_bit, so we
know it's zero, and there is no reason to call test_bit on it. This is
just a spurious execution of the loop.

I would think you would want it to look like this:

-       if (end >= size)
+       if (end > size)
               return -1;
-       for (i = index; i < end; i++) {
+       for (i = index + 1; i < end; i++) {

Thanks,

-Kyle Hubert
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/