The Documentation/DMA-API-HOWTO.txt states that dma_map_sg returns the
number of the created entries in the DMA address space. However the
subsequent calls to dma_sync_sg_for_{device,cpu} and dma_unmap_sg must be
called with the original number of entries passed to dma_map_sg. The
sg_table->nents in turn holds the result of the dma_map_sg call as stated
in include/linux/scatterlist.h.

This driver creatively uses sg_table->orig_nents to store the size of the
allocated scatterlist and ignores the number of the entries returned by
dma_map_sg function. The sg_table->orig_nents is (mis)used to properly
free the (over)allocated scatterlist.

This patch only fixes the sg_table->nents entries in the sg_table objects
exported by the dmabuf related functions, so the other drivers, which
might share buffers with i915 could rely on the nents and orig_nents
values.

Signed-off-by: Marek Szyprowski <m.szyprow...@samsung.com>
---
For more information, see '[PATCH v2 00/21] DRM: fix struct sg_table nents
vs. orig_nents misuse' thread: https://lkml.org/lkml/2020/5/4/373
---
 drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c       | 9 +++++----
 drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c | 5 +++--
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c b/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c
index 7db5a79..98159df 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c
@@ -48,9 +48,10 @@ static struct sg_table *i915_gem_map_dma_buf(struct dma_buf_attachment *attachme
                src = sg_next(src);
        }
 
-       if (!dma_map_sg_attrs(attachment->dev,
-                             st->sgl, st->nents, dir,
-                             DMA_ATTR_SKIP_CPU_SYNC)) {
+       st->nents = dma_map_sg_attrs(attachment->dev,
+                                    st->sgl, st->orig_nents, dir,
+                                    DMA_ATTR_SKIP_CPU_SYNC);
+       if (!st->nents) {
                ret = -ENOMEM;
                goto err_free_sg;
        }
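Review bot: Nothing at this call records that `st->nents` and `st->orig_nents` now carry different meanings, so a later edit can easily pass the wrong one to unmap or sync. After the assignment `nents` is the count of DMA segments the mapping returned and may be smaller than `orig_nents`; an importer that walks DMA addresses over `orig_nents` may read entries whose DMA fields were never filled in. I would add above the call `/* nents: DMA segments returned by the mapping; orig_nents: entries passed to map/unmap/sync */`, and the same comment fits the `dma_map_sg()` call in mock_map_dma_buf. If the target tree provides `dma_map_sgtable()`/`dma_unmap_sgtable()`, using them in all four hunks would remove the open-coded pairing. The function starts and ends outside the hunk, so the `err_free_sg` path, now reached with `st->nents` set to 0, could not be checked from here.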
@@ -74,7 +75,7 @@ static void i915_gem_unmap_dma_buf(struct dma_buf_attachment *attachment,
        struct drm_i915_gem_object *obj = dma_buf_to_obj(attachment->dmabuf);
 
        dma_unmap_sg_attrs(attachment->dev,
-                          sg->sgl, sg->nents, dir,
+                          sg->sgl, sg->orig_nents, dir,
                           DMA_ATTR_SKIP_CPU_SYNC);
        sg_free_table(sg);
        kfree(sg);
diff --git a/drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c b/drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c
index debaf7b..5723525 100644
--- a/drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c
+++ b/drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c
@@ -28,7 +28,8 @@ static struct sg_table *mock_map_dma_buf(struct dma_buf_attachment *attachment,
                sg = sg_next(sg);
        }
 
-       if (!dma_map_sg(attachment->dev, st->sgl, st->nents, dir)) {
+       st->nents = dma_map_sg(attachment->dev, st->sgl, st->orig_nents, dir);
+       if (!st->nents) {
                err = -ENOMEM;
                goto err_st;
        }
@@ -46,7 +47,7 @@ static void mock_unmap_dma_buf(struct dma_buf_attachment *attachment,
                               struct sg_table *st,
                               enum dma_data_direction dir)
 {
-       dma_unmap_sg(attachment->dev, st->sgl, st->nents, dir);
+       dma_unmap_sg(attachment->dev, st->sgl, st->orig_nents, dir);
        sg_free_table(st);
        kfree(st);
 }
-- 
1.9.1
