On Fri, 2024-06-28 at 00:32 +0000, Mina Almasry wrote:
+int net_devmem_bind_dmabuf(struct net_device *dev, unsigned int dmabuf_fd,
struct net_devmem_dmabuf_binding **out)
+{
- struct net_devmem_dmabuf_binding *binding;
- static u32 id_alloc_next;
- struct scatterlist *sg;
- struct dma_buf *dmabuf;
- unsigned int sg_idx, i;
- unsigned long virtual;
- int err;
- dmabuf = dma_buf_get(dmabuf_fd);
- if (IS_ERR(dmabuf))
return -EBADFD;
- binding = kzalloc_node(sizeof(*binding), GFP_KERNEL,
dev_to_node(&dev->dev));
- if (!binding) {
err = -ENOMEM;
goto err_put_dmabuf;
- }
- binding->dev = dev;
- err = xa_alloc_cyclic(&net_devmem_dmabuf_bindings, &binding->id,
binding, xa_limit_32b, &id_alloc_next,
GFP_KERNEL);
- if (err < 0)
goto err_free_binding;
- xa_init_flags(&binding->bound_rxq_list, XA_FLAGS_ALLOC);
- refcount_set(&binding->ref, 1);
- binding->dmabuf = dmabuf;
- binding->attachment = dma_buf_attach(binding->dmabuf, dev->dev.parent);
- if (IS_ERR(binding->attachment)) {
err = PTR_ERR(binding->attachment);
goto err_free_id;
- }
- binding->sgt =
dma_buf_map_attachment(binding->attachment, DMA_FROM_DEVICE);
- if (IS_ERR(binding->sgt)) {
err = PTR_ERR(binding->sgt);
goto err_detach;
- }
- /* For simplicity we expect to make PAGE_SIZE allocations, but the
* binding can be much more flexible than that. We may be able to
* allocate MTU sized chunks here. Leave that for future work...
*/
- binding->chunk_pool =
gen_pool_create(PAGE_SHIFT, dev_to_node(&dev->dev));
- if (!binding->chunk_pool) {
err = -ENOMEM;
goto err_unmap;
- }
- virtual = 0;
- for_each_sgtable_dma_sg(binding->sgt, sg, sg_idx) {
dma_addr_t dma_addr = sg_dma_address(sg);
struct dmabuf_genpool_chunk_owner *owner;
size_t len = sg_dma_len(sg);
struct net_iov *niov;
owner = kzalloc_node(sizeof(*owner), GFP_KERNEL,
dev_to_node(&dev->dev));
I'm sorry for not catching this earlier, but it looks like the above allocation lacks a NULL check.
Thanks,
Paolo