ANDROID: iommu/io-pgtable-arm: Fix unmapping loop in __arm_lpae_unmap()

When unmapping multiple entries, __arm_lpae_unmap() should unmap
one entry at a time and perform TLB maintenance as required for that
entry.

However, the existing logic clears all N entries starting
at a particular point in the page table, and moves on to the
next entry, and clears N entries again, which is not correct.

Ensure that only one entry is cleared and handled at a time,
as was originally intended.

Bug: 178537788
Reported-by: John Stultz <john.stultz@linaro.org>
Fixes: 3c75179a31 ("ANDROID: iommu/io-pgtable-arm: Free underlying page tables for large mappings")
Change-Id: I814418ed0782c1e51316f191fdad939028b75731
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>

drivers/iommu/io-pgtable-arm.c

@@ -244,16 +244,13 @@ static void __arm_lpae_sync_pte(arm_lpae_iopte *ptep, int num_entries,
 				   sizeof(*ptep) * num_entries, DMA_TO_DEVICE);
 }
 
-static void __arm_lpae_set_pte(arm_lpae_iopte *ptep, arm_lpae_iopte pte,
-			       int num_entries, struct io_pgtable_cfg *cfg)
+static void __arm_lpae_clear_pte(arm_lpae_iopte *ptep, struct io_pgtable_cfg *cfg)
 {
-	int i;
 
-	for (i = 0; i < num_entries; i++)
-		ptep[i] = pte;
+	*ptep = 0;
 
 	if (!cfg->coherent_walk)
-		__arm_lpae_sync_pte(ptep, num_entries, cfg);
+		__arm_lpae_sync_pte(ptep, 1, cfg);
 }
 
 static size_t __arm_lpae_unmap(struct arm_lpae_io_pgtable *data,
@@ -643,11 +640,11 @@ static size_t __arm_lpae_unmap(struct arm_lpae_io_pgtable *data,
 			if (WARN_ON(!pte))
 				break;
 
-			__arm_lpae_set_pte(ptep, 0, num_entries, &iop->cfg);
+			__arm_lpae_clear_pte(ptep, &iop->cfg);
 
 			if (!iopte_leaf(pte, lvl, iop->fmt)) {
 				/* Also flush any partial walks */
-				io_pgtable_tlb_flush_walk(iop, iova, num_entries * size,
+				io_pgtable_tlb_flush_walk(iop, iova + i * size, size,
 							  ARM_LPAE_GRANULE(data));
 				__arm_lpae_free_pgtable(data, lvl + 1, iopte_deref(pte, data));
 			} else if (iop->cfg.quirks & IO_PGTABLE_QUIRK_NON_STRICT) {