With addition of commit 029ae067431a
("drm/i915: Fix potential overflow of shmem scatterlist length")
max_segment size was included in calculating a number of pages
for the scatterlist. This meant that segment sizes considerably
smaller than number of pages in a folio [1], were not enough to
jump to the next folio. In result, sg_set_folio() was called
multiple times with nr_pages smaller than folio size, using
many scatterlists, all pointing to the beginning pages of the
folio and never fully covering its range of pages and corrupting
mappings.[1] See shmem_get_pages(), where segment size is set to PAGE_SIZE. Suggested-by: Janusz Krzysztofik <[email protected]> Fixes: 029ae067431a ("drm/i915: Fix potential overflow of shmem scatterlist length") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15816 Signed-off-by: Krzysztof Karas <[email protected]> --- drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c index 06543ae60706..ac9b263c341a 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c @@ -156,7 +156,7 @@ int shmem_sg_alloc_table(struct drm_i915_private *i915, struct sg_table *st, nr_pages = min_array(((unsigned long[]) { folio_nr_pages(folio), page_count - i, - max_segment / PAGE_SIZE, + i915_sg_segment_size(i915->drm.dev) / PAGE_SIZE, }), 3); if (!i || -- 2.34.1
