tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

dma-buf: improve sg_table debugging hack v4

This debugging hack is important to enforce the rule that importers
should *never* touch the underlying struct page of the exporter.

Instead of just mangling the page link create a copy of the sg_table
but only copy over the DMA addresses and not the pages.

This will cause a NULL pointer de-reference if the importer tries to
touch the struct page. Still quite a hack but this at least allows the
exporter to properly keeps it's sg_table intact while allowing the
DMA-buf maintainer to find and fix misbehaving importers and finally
switch over to using a different data structure in the future.

v2: improve the hack further by using a wrapper structure and explaining
the background a bit more in the commit message.
v3: fix some whitespace issues, use sg_assign_page().
v4: give the functions a better name

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Link: https://lore.kernel.org/r/20251205130604.1582-1-christian.koenig@amd.com

Christian König 51db5336 4ebaaa3b

+59 -13
+59 -13
drivers/dma-buf/dma-buf.c
··· 35 35 36 36 #include "dma-buf-sysfs-stats.h" 37 37 38 + /* Wrapper to hide the sg_table page link from the importer */ 39 + struct dma_buf_sg_table_wrapper { 40 + struct sg_table *original; 41 + struct sg_table wrapper; 42 + }; 43 + 38 44 static inline int is_dma_buf_file(struct file *); 39 45 40 46 static DEFINE_MUTEX(dmabuf_list_mutex); ··· 834 828 } 835 829 EXPORT_SYMBOL_NS_GPL(dma_buf_put, "DMA_BUF"); 836 830 837 - static void mangle_sg_table(struct sg_table *sg_table) 831 + static int dma_buf_wrap_sg_table(struct sg_table **sg_table) 838 832 { 839 - #ifdef CONFIG_DMABUF_DEBUG 840 - int i; 841 - struct scatterlist *sg; 833 + struct scatterlist *to_sg, *from_sg; 834 + struct sg_table *from = *sg_table; 835 + struct dma_buf_sg_table_wrapper *to; 836 + int i, ret; 842 837 843 - /* To catch abuse of the underlying struct page by importers mix 844 - * up the bits, but take care to preserve the low SG_ bits to 845 - * not corrupt the sgt. The mixing is undone on unmap 846 - * before passing the sgt back to the exporter. 838 + if (!IS_ENABLED(CONFIG_DMABUF_DEBUG)) 839 + return 0; 840 + 841 + /* 842 + * To catch abuse of the underlying struct page by importers copy the 843 + * sg_table without copying the page_link and give only the copy back to 844 + * the importer. 847 845 */ 848 - for_each_sgtable_sg(sg_table, sg, i) 849 - sg->page_link ^= ~0xffUL; 850 - #endif 846 + to = kzalloc(sizeof(*to), GFP_KERNEL); 847 + if (!to) 848 + return -ENOMEM; 851 849 850 + ret = sg_alloc_table(&to->wrapper, from->nents, GFP_KERNEL); 851 + if (ret) 852 + goto free_to; 853 + 854 + to_sg = to->wrapper.sgl; 855 + for_each_sgtable_dma_sg(from, from_sg, i) { 856 + to_sg->offset = 0; 857 + to_sg->length = 0; 858 + sg_assign_page(to_sg, NULL); 859 + sg_dma_address(to_sg) = sg_dma_address(from_sg); 860 + sg_dma_len(to_sg) = sg_dma_len(from_sg); 861 + to_sg = sg_next(to_sg); 862 + } 863 + 864 + to->original = from; 865 + *sg_table = &to->wrapper; 866 + return 0; 867 + 868 + free_to: 869 + kfree(to); 870 + return ret; 871 + } 872 + 873 + static void dma_buf_unwrap_sg_table(struct sg_table **sg_table) 874 + { 875 + struct dma_buf_sg_table_wrapper *copy; 876 + 877 + if (!IS_ENABLED(CONFIG_DMABUF_DEBUG)) 878 + return; 879 + 880 + copy = container_of(*sg_table, typeof(*copy), wrapper); 881 + *sg_table = copy->original; 882 + sg_free_table(&copy->wrapper); 883 + kfree(copy); 852 884 } 853 885 854 886 static inline bool ··· 1183 1139 if (ret < 0) 1184 1140 goto error_unmap; 1185 1141 } 1186 - mangle_sg_table(sg_table); 1142 + ret = dma_buf_wrap_sg_table(&sg_table); 1143 + if (ret) 1144 + goto error_unmap; 1187 1145 1188 1146 if (IS_ENABLED(CONFIG_DMA_API_DEBUG)) { 1189 1147 struct scatterlist *sg; ··· 1266 1220 1267 1221 dma_resv_assert_held(attach->dmabuf->resv); 1268 1222 1269 - mangle_sg_table(sg_table); 1223 + dma_buf_unwrap_sg_table(&sg_table); 1270 1224 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction); 1271 1225 1272 1226 if (dma_buf_pin_on_map(attach))