| Message ID | 20200504125359.5678-9-m.szyprowski@samsung.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | DRM: fix struct sg_table nents vs. orig_nents misuse | expand |
On 04/05/2020 13:53, Marek Szyprowski wrote: > The Documentation/DMA-API-HOWTO.txt states that dma_map_sg returns the > numer of the created entries in the DMA address space. However the > subsequent calls to dma_sync_sg_for_{device,cpu} and dma_unmap_sg must be > called with the original number of entries passed to dma_map_sg. The > sg_table->nents in turn holds the result of the dma_map_sg call as stated > in include/linux/scatterlist.h. Adapt the code to obey those rules. I find this commit message a bit confusing, but AFAICT the problem with the Panfrost code is really in mmu_map_sg() where we don't have the return value from dma_map_sg() and the for_each_sg() loop could (in theory) run off the end of the list. The fix seems correct - store the return where it's meant to be (nents) and make sure when unmapping we use the original (orig_nents). So you might also consider adding: Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") Even better would be the wrappers you mention in the cover letter! ;) Reviewed-by: Steven Price <steven.price@arm.com> > > Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> > --- > For more information, see '[PATCH v2 00/21] DRM: fix struct sg_table nents > vs. orig_nents misuse' thread: https://lkml.org/lkml/2020/5/4/373 > --- > drivers/gpu/drm/panfrost/panfrost_gem.c | 3 ++- > drivers/gpu/drm/panfrost/panfrost_mmu.c | 4 +++- > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.c b/drivers/gpu/drm/panfrost/panfrost_gem.c > index 17b654e..22fec7c 100644 > --- a/drivers/gpu/drm/panfrost/panfrost_gem.c > +++ b/drivers/gpu/drm/panfrost/panfrost_gem.c > @@ -42,7 +42,8 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj) > for (i = 0; i < n_sgt; i++) { > if (bo->sgts[i].sgl) { > dma_unmap_sg(pfdev->dev, bo->sgts[i].sgl, > - bo->sgts[i].nents, DMA_BIDIRECTIONAL); > + bo->sgts[i].orig_nents, > + DMA_BIDIRECTIONAL); > sg_free_table(&bo->sgts[i]); > } > } > diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c > index ed28aeb..2d9b1f9 100644 > --- a/drivers/gpu/drm/panfrost/panfrost_mmu.c > +++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c > @@ -517,7 +517,9 @@ static int panfrost_mmu_map_fault_addr(struct panfrost_device *pfdev, int as, > if (ret) > goto err_pages; > > - if (!dma_map_sg(pfdev->dev, sgt->sgl, sgt->nents, DMA_BIDIRECTIONAL)) { > + sgt->nents = dma_map_sg(pfdev->dev, sgt->sgl, sgt->orig_nents, > + DMA_BIDIRECTIONAL); > + if (!sgt->nents) { > ret = -EINVAL; > goto err_map; > } >
diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.c b/drivers/gpu/drm/panfrost/panfrost_gem.c index 17b654e..22fec7c 100644 --- a/drivers/gpu/drm/panfrost/panfrost_gem.c +++ b/drivers/gpu/drm/panfrost/panfrost_gem.c @@ -42,7 +42,8 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj) for (i = 0; i < n_sgt; i++) { if (bo->sgts[i].sgl) { dma_unmap_sg(pfdev->dev, bo->sgts[i].sgl, - bo->sgts[i].nents, DMA_BIDIRECTIONAL); + bo->sgts[i].orig_nents, + DMA_BIDIRECTIONAL); sg_free_table(&bo->sgts[i]); } } diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c index ed28aeb..2d9b1f9 100644 --- a/drivers/gpu/drm/panfrost/panfrost_mmu.c +++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c @@ -517,7 +517,9 @@ static int panfrost_mmu_map_fault_addr(struct panfrost_device *pfdev, int as, if (ret) goto err_pages; - if (!dma_map_sg(pfdev->dev, sgt->sgl, sgt->nents, DMA_BIDIRECTIONAL)) { + sgt->nents = dma_map_sg(pfdev->dev, sgt->sgl, sgt->orig_nents, + DMA_BIDIRECTIONAL); + if (!sgt->nents) { ret = -EINVAL; goto err_map; }
The Documentation/DMA-API-HOWTO.txt states that dma_map_sg returns the numer of the created entries in the DMA address space. However the subsequent calls to dma_sync_sg_for_{device,cpu} and dma_unmap_sg must be called with the original number of entries passed to dma_map_sg. The sg_table->nents in turn holds the result of the dma_map_sg call as stated in include/linux/scatterlist.h. Adapt the code to obey those rules. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> --- For more information, see '[PATCH v2 00/21] DRM: fix struct sg_table nents vs. orig_nents misuse' thread: https://lkml.org/lkml/2020/5/4/373 --- drivers/gpu/drm/panfrost/panfrost_gem.c | 3 ++- drivers/gpu/drm/panfrost/panfrost_mmu.c | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-)