diff options
| author | Austin Shafer <ashafer@badland.io> | 2023-04-21 07:56:50 +0000 |
|---|---|---|
| committer | Bjoern A. Zeeb <bz@FreeBSD.org> | 2023-11-29 16:36:05 +0000 |
| commit | 934b2489b951698adc5d4c3421fa66fb80be7052 (patch) | |
| tree | d8680cd059646304c5bbc0f537a6a0faa31c77ab | |
| parent | 88910886fa50a6eccdc7d263778143ddd68c61df (diff) | |
| download | src-934b2489b951698adc5d4c3421fa66fb80be7052.tar.gz src-934b2489b951698adc5d4c3421fa66fb80be7052.zip | |
linuxkpi: Fix __sg_alloc_table_from_pages loop
Commit 3e0856b63fe0e375a0951e05c2ef98bb2ebd9421 updated
__sg_alloc_table_from_pages to use the same API as linux, but modified
the loop condition when going over the pages in a sg list. Part of the
change included moving the sg_next call out of the for loop and into the
body, which causes an off by one error when traversing the list. Since
sg_next is called before the loop body it will skip the first element
and read one past the last element.
This caused panics when running PRIME with nvidia-drm as the off-by-one
issue causes a NULL dereference.
(cherry picked from commit 3f686532c9b4fd603d4ad2d3392232cff24188f4)
Commit 3f686532c9b4 tried to fix an issue with not properly starting
at the first page in the sg list to prevent a panic. This worked but
with the side effect of incrementing "s" during the final iteration
causing it to be NULL since the list had ended.
In cases non-DEBUG kernels this causes a panic with drm-5.15, since
"s" is NULL when we later pass it to sg_mark_end().
This change decouples the iteration sg from the return value so that
it is never incremented past the final page in the chain.
(cherry picked from commit 09b0401e91a92bcb58ea1873857b42f8211f660f)
| -rw-r--r-- | sys/compat/linuxkpi/common/include/linux/scatterlist.h | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/sys/compat/linuxkpi/common/include/linux/scatterlist.h b/sys/compat/linuxkpi/common/include/linux/scatterlist.h index 17928f9c50e5..e462d5c649f1 100644 --- a/sys/compat/linuxkpi/common/include/linux/scatterlist.h +++ b/sys/compat/linuxkpi/common/include/linux/scatterlist.h @@ -343,7 +343,7 @@ __sg_alloc_table_from_pages(struct sg_table *sgt, { unsigned int i, segs, cur, len; int rc; - struct scatterlist *s; + struct scatterlist *s, *sg_iter; #if defined(LINUXKPI_VERSION) && LINUXKPI_VERSION >= 51300 if (prv != NULL) { @@ -377,11 +377,17 @@ __sg_alloc_table_from_pages(struct sg_table *sgt, #endif cur = 0; - for (i = 0, s = sgt->sgl; i < sgt->orig_nents; i++) { + for_each_sg(sgt->sgl, sg_iter, sgt->orig_nents, i) { unsigned long seg_size; unsigned int j; - s = sg_next(s); + /* + * We need to make sure that when we exit this loop "s" has the + * last sg in the chain so we can call sg_mark_end() on it. + * Only set this inside the loop since sg_iter will be iterated + * until it is NULL. + */ + s = sg_iter; len = 0; for (j = cur + 1; j < count; ++j) { |