xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import (2d2db7d4) · Commits · git / linux-net

drivers/xen/gntdev-dmabuf.c

+25 −25

Original line number	Diff line number	Diff line
		@@ -11,6 +11,7 @@
		#include <linux/kernel.h>
		#include <linux/errno.h>
		#include <linux/dma-buf.h>
		#include <linux/dma-direct.h>
		#include <linux/slab.h>
		#include <linux/types.h>
		#include <linux/uaccess.h>
		@@ -50,7 +51,7 @@ struct gntdev_dmabuf {

		/* Number of pages this buffer has. */
		int nr_pages;
		/* Pages of this buffer. */
		/* Pages of this buffer (only for dma-buf export). */
		struct page **pages;
		};

		@@ -484,7 +485,7 @@ static int dmabuf_exp_from_refs(struct gntdev_priv *priv, int flags,
		/* DMA buffer import support. */

		static int
		dmabuf_imp_grant_foreign_access(struct page *pages, u32 refs,
		dmabuf_imp_grant_foreign_access(unsigned long gfns, u32 refs,
		int count, int domid)
		{
		grant_ref_t priv_gref_head;
		@@ -507,7 +508,7 @@ dmabuf_imp_grant_foreign_access(struct page *pages, u32 refs,
		}

		gnttab_grant_foreign_access_ref(cur_ref, domid,
		xen_page_to_gfn(pages[i]), 0);
		gfns[i], 0);
		refs[i] = cur_ref;
		}

		@@ -529,7 +530,6 @@ static void dmabuf_imp_end_foreign_access(u32 *refs, int count)

		static void dmabuf_imp_free_storage(struct gntdev_dmabuf *gntdev_dmabuf)
		{
		kfree(gntdev_dmabuf->pages);
		kfree(gntdev_dmabuf->u.imp.refs);
		kfree(gntdev_dmabuf);
		}
		@@ -549,12 +549,6 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
		if (!gntdev_dmabuf->u.imp.refs)
		goto fail;

		gntdev_dmabuf->pages = kcalloc(count,
		sizeof(gntdev_dmabuf->pages[0]),
		GFP_KERNEL);
		if (!gntdev_dmabuf->pages)
		goto fail;

		gntdev_dmabuf->nr_pages = count;

		for (i = 0; i < count; i++)
		@@ -576,7 +570,8 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv priv, struct device dev,
		struct dma_buf *dma_buf;
		struct dma_buf_attachment *attach;
		struct sg_table *sgt;
		struct sg_page_iter sg_iter;
		struct sg_dma_page_iter sg_iter;
		unsigned long *gfns;
		int i;

		dma_buf = dma_buf_get(fd);
		@@ -624,26 +619,31 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv priv, struct device dev,

		gntdev_dmabuf->u.imp.sgt = sgt;

		/* Now convert sgt to array of pages and check for page validity. */
		i = 0;
		for_each_sgtable_page(sgt, &sg_iter, 0) {
		struct page *page = sg_page_iter_page(&sg_iter);
		/*
		* Check if page is valid: this can happen if we are given
		* a page from VRAM or other resources which are not backed
		* by a struct page.
		*/
		if (!pfn_valid(page_to_pfn(page))) {
		ret = ERR_PTR(-EINVAL);
		gfns = kcalloc(count, sizeof(*gfns), GFP_KERNEL);
		if (!gfns) {
		ret = ERR_PTR(-ENOMEM);
		goto fail_unmap;
		}

		gntdev_dmabuf->pages[i++] = page;
		/*
		* Now convert sgt to array of gfns without accessing underlying pages.
		* It is not allowed to access the underlying struct page of an sg table
		* exported by DMA-buf, but since we deal with special Xen dma device here
		* (not a normal physical one) look at the dma addresses in the sg table
		* and then calculate gfns directly from them.
		*/
		i = 0;
		for_each_sgtable_dma_page(sgt, &sg_iter, 0) {
		dma_addr_t addr = sg_page_iter_dma_address(&sg_iter);
		unsigned long pfn = bfn_to_pfn(XEN_PFN_DOWN(dma_to_phys(dev, addr)));

		gfns[i++] = pfn_to_gfn(pfn);
		}

		ret = ERR_PTR(dmabuf_imp_grant_foreign_access(gntdev_dmabuf->pages,
		ret = ERR_PTR(dmabuf_imp_grant_foreign_access(gfns,
		gntdev_dmabuf->u.imp.refs,
		count, domid));
		kfree(gfns);
		if (IS_ERR(ret))
		goto fail_end_access;