Re: [RFC 1/2] drm/i915/shmem: Prevent overflows on small segments

Wed, 27 May 2026 07:29:19 -0700 

Hi Krzysztof,

On Wed, 2026-05-27 at 14:08 +0000, Krzysztof Karas wrote:
> With addition of commit 029ae067431a
> ("drm/i915: Fix potential overflow of shmem scatterlist length")
> max_segment size was included in calculating a number of pages
> for the scatterlist. This meant that segment sizes considerably
> smaller than number of pages in a folio [1], were not enough to
> jump to the next folio.

I think that scope of the issue you are addressing was limited specifically
to max_segment == PAGE_SIZE, passed from shmem_get_pages() to
shmem_sg_alloc_table() after first attempt with max_segment ==
i915_sg_segment_size() failed.  Then, if that's the case and I'm not wrong,
your "considerably smaller" wording is not strict enough for me.

Other than that, I think that this change correctly fixes the bug that I
introduced with the blamed patch (sorry).

When resubmitting, please add [email protected] to Cc:,
that's mandatory for i915 patches.

Thanks,
Janusz


> In result, sg_set_folio() was called
> multiple times with nr_pages smaller than folio size, using
> many scatterlists, all pointing to the beginning pages of the
> folio and never fully covering its range of pages and corrupting
> mappings.
> 
> [1] See shmem_get_pages(), where segment size is set to
> PAGE_SIZE.
> 
> Suggested-by: Janusz Krzysztofik <[email protected]>
> Fixes: 029ae067431a ("drm/i915: Fix potential overflow of shmem scatterlist 
> length")
> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15816
> Signed-off-by: Krzysztof Karas <[email protected]>
> ---
>  drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c 
> b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
> index 06543ae60706..ac9b263c341a 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
> @@ -156,7 +156,7 @@ int shmem_sg_alloc_table(struct drm_i915_private *i915, 
> struct sg_table *st,
>               nr_pages = min_array(((unsigned long[]) {
>                                       folio_nr_pages(folio),
>                                       page_count - i,
> -                                     max_segment / PAGE_SIZE,
> +                                     i915_sg_segment_size(i915->drm.dev) / 
> PAGE_SIZE,
>                                     }), 3);
>  
>               if (!i ||

Reply via email to