On 2026-07-03 9:35 pm, Jason Gunthorpe wrote:
On Fri, Jul 03, 2026 at 07:58:32PM +0100, Robin Murphy wrote:
On 03/07/2026 5:22 pm, Jason Gunthorpe wrote:
On Wed, Jul 01, 2026 at 10:44:37AM +0000, Krzysztof Karas wrote:
It is possible, when a very large mapping uses a single
scatterlist, that padding overflows scatterlist's length field.
This results in:
   1) silently wrapping the value
   2) smaller than desired mappings produced by iommu_map_sg
   3) leaving mapped bytes in memory (no iommu_unmap)

Address this issue by adding overflow detection for previous
scatterlist length field.

Urk, this is unfortunate, it means we cannot map certain kinds of
scatterlists? Meaning there is a condition that makes a scatterlist
ill formed?

This seems like something that needs to be more clearly documented and
we need to ensure at least the common scatterlist builders don't hit
it..

Well, it's taken 10 years to be caught by a test which seemingly expects the
mapping of a single absurdly giant scatterlist to fail anyway,

If your server has 0.5TB of ram a 4G IO isn't actually that large.
Randomly getting a few contiguous 1G hugetlbfs pages is not even that
unlikely. Something like FSDAX has a very high chance of getting high
contiguity pages in files.

Sure, but how many servers had 0.5TB of RAM in 2015? And how many of those were running the arm64 DMA mapping code? As I said, both this merging logic and the iommu_map_sg() interface itself were essentially written to support media buffers on Android phones which didn't even have 4GB of RAM in total. Yes, things have moved on by now, but correspondingly it has also been decided that the ~30-year-old scatterlist design also doesn't scale to modern use-cases anyway, and is being replaced, so limitations of a "legacy" API that don't have any meaningful impact to its existing users are hardly something to panic about. If DRM does want to be able to *reliably* map massive amounts of RAM then it can adopt the new IOMMU API, for this and all the other reasons that that new API was promised to be "better".

So I wouldn't be quite so dismissive that this is not something a real
user can hit.

I'm not being dismissive - clearly it can be hit. My point is that anyone who *does* hit it can only expect it to fail (as indeed this particular IGT test seems to), because it has never worked. You cannot encode a 4GB scatterlist segment, because it overflows UINT_MAX. And if you did try to bodge it and pass a UINT_MAX length segment to iommu_map_sg() then that will also fail because it's not aligned to an IOMMU page size. It's purely the matter of *how* exactly it fails which could do with fixing.

here, but I suspect this is likely just regular iova_granule rounding
overflowing when the segment boundary is the maximum 4GB, since the largest
representable segment length is 4GB - 1.

It looks like the iommu_dma_map_sg() algorithm only works reliably if
the scatterlist entry size is less than UINT_MAX/2, otherwise it can
risk overflowing when it pads.

AFAICS, the overflow can only happen with a 4GB boundary mask, and for two conditions:

- rounding up the current segment, when s->length + s->offset > 4GB - iova_granule (but still <= 4GB otherwise it's bogus anyway) - padding the previous segment in the case where the current segment would otherwise cross the next boundary, when prev->offset = 0 and prev->length + s->length >= 4GB

So yes, limiting any individual segment to <=2GB would end up avoiding both those conditions, but it would also impact plenty of cases that *do* currently work fine, e.g. 1GB+3GB+3GB. The limitation is really that you can't have two consecutive segments where the first starts exactly on a 4GB boundary and the sum of both their sizes >=4GB.

API wise I expect any arbitary input to sg_alloc_table_from_pages() to
result in a scatterlist that iommu_dma_map_sg() will map. This
patch highlights there are cornere cases where that isn't true, it
should be fixed..

Technically sg_alloc_table_from_pages() carries no such assumption, only sg_alloc_table_from_pages_segment() (or __sg_alloc_table_from_pages()) with the correct dma_seg_boundary value for the given device. But even then in the worst case, they should still end up splitting segments at 4GB-PAGE_SIZE due to the fundamental int limitation, and so only be at risk of putting two such segments back-to-back.

I agree we shouldn't overcomplicate iommu_dma_map_sg(), so the
simplest fix is to introduce a SG_MAX_LENGTH set to UINT_MAX/2,
justified by the logic in iommu_dma_map_sg(). Fixup the core sg_alloc
code to respect that. WARN_ON in iommu_dma_map_sg() if a malformed
scatterlist entry is presented. Add a WARN_ON under DMA debugging
kconfig as well for the physical path.

Again, it's not "malformed", it's just an edge case of certain otherwise-valid scatterlist layouts that are not supported in this one DMA API implementation. Nothing in the DMA API ever guarantees that any particular mapping must succeed. Furthermore I don't see that anyone's asking for this to actually be supported, just to fail cleanly and correctly without inadvertently corrupting state.

Thanks,
Robin.

Reply via email to