On Thu, Nov 20, 2025 at 11:28:25AM +0200, Leon Romanovsky wrote:
+static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length,
dma_addr_t addr)+{
- unsigned int len, nents;
- int i;
- nents = DIV_ROUND_UP(length, UINT_MAX);
- for (i = 0; i < nents; i++) {
len = min_t(size_t, length, UINT_MAX);length -= len;/** DMABUF abuses scatterlist to create a scatterlist* that does not have any CPU list, only the DMA list.* Always set the page related values to NULL to ensure* importers can't use it. The phys_addr based DMA API* does not require the CPU list for mapping or unmapping.*/sg_set_page(sgl, NULL, 0, 0);sg_dma_address(sgl) = addr + i * UINT_MAX;
(i * UINT_MAX) happens in 32-bit before being promoted to dma_addr_t for addition with addr. Overflows for i >=2 when length >= 8 GiB. Needs a cast:
sg_dma_address(sgl) = addr + (dma_addr_t)i * UINT_MAX;
Discovered this while debugging why dma-buf import was failing for an 8 GiB dma-buf using my earlier toy program [1]. It was surfaced by ib_umem_find_best_pgsz() returning 0 due to malformed scatterlist, which bubbles up as an EINVAL.
$ ./test_dmabuf 0000:05:00.0 3 4 0 0x200000000 opening 0000:05:00.0 via /dev/vfio/56 allocating dma_buf bar_idx=4, bar_offset=0x0, size=0x200000000 allocated dma_buf fd=6 discovered 4 ibv devices: mlx5_0 mlx5_1 mlx5_2 mlx5_3 opened ibv device 3: mlx5_3 test_dmabuf.c:154 Condition failed: 'mr' (errno=22: Invalid argument)
$ sudo retsnoop -e mlx5_ib_reg_user_mr_dmabuf -a 'mlx5*' -a 'ib_umem*' -a '*umr*' -a 'vfio_pci*' -a 'dma_buf_*' -x EINVAL -T Receiving data... 13:56:22.257907 -> 13:56:22.258275 TID/PID 948895/948895 (test_dmabuf/test_dmabuf): FUNCTION CALLS RESULT DURATION -------------------------------------------- -------------------- --------- → mlx5_ib_reg_user_mr_dmabuf ↔ mlx5r_umr_resource_init [0] 2.224us → ib_umem_dmabuf_get → ib_umem_dmabuf_get_with_dma_device ↔ dma_buf_get [0xff11012a6a098c00] 0.972us → dma_buf_dynamic_attach ↔ vfio_pci_dma_buf_attach [0] 2.003us ← dma_buf_dynamic_attach [0xff1100012793e400] 10.566us ← ib_umem_dmabuf_get_with_dma_device [0xff110127a6c74480] 15.794us ← ib_umem_dmabuf_get [0xff110127a6c74480] 25.258us → mlx5_ib_init_dmabuf_mr → ib_umem_dmabuf_map_pages → dma_buf_map_attachment → vfio_pci_dma_buf_map ↔ dma_buf_map [0xff1100012977f700] 4.918us ← vfio_pci_dma_buf_map [0xff1100012977f700] 8.362us ← dma_buf_map_attachment [0xff1100012977f700] 10.956us ← ib_umem_dmabuf_map_pages [0] 17.336us ↔ ib_umem_find_best_pgsz [0] 6.280us → ib_umem_dmabuf_unmap_pages → dma_buf_unmap_attachment → vfio_pci_dma_buf_unmap ↔ dma_buf_unmap [void] 2.023us ← vfio_pci_dma_buf_unmap [void] 6.700us ← dma_buf_unmap_attachment [void] 8.142us ← ib_umem_dmabuf_unmap_pages [void] 14.953us ← mlx5_ib_init_dmabuf_mr [-EINVAL] 67.272us → mlx5r_umr_revoke_mr → mlx5r_umr_post_send_wait → mlx5r_umr_post_send ↔ mlx5r_begin_wqe [0] 1.703us ↔ mlx5r_finish_wqe [void] 1.633us ↔ mlx5r_ring_db [void] 1.312us ← mlx5r_umr_post_send [0] 27.451us ← mlx5r_umr_post_send_wait [0] 126.541us ← mlx5r_umr_revoke_mr [0] 141.925us → ib_umem_release → ib_umem_dmabuf_release ↔ ib_umem_dmabuf_revoke [void] 1.582us ↔ dma_buf_detach [void] 3.765us ↔ dma_buf_put [void] 0.531us ← ib_umem_dmabuf_release [void] 23.315us ← ib_umem_release [void] 40.301us ← mlx5_ib_reg_user_mr_dmabuf [-EINVAL] 363.280us
[1] https://lore.kernel.org/all/aQkLcAxEn4qmF3c4@devgpu015.cco6.facebook.com/
Alex