From: Julian Orth
Date: Sun, 08 Mar 2026 14:55:27 +0100
Subject: [PATCH] lib/scatterlist: fix sg_page_count and sg_dma_page_count
Message-Id: <20260308-scatterlist-v1-1-39c4566b0bba@gmail.com>
To: Andrew Morton, Imre Deak, Sakari Ailus, Jason Gunthorpe, Thomas Hellstrom
Cc: linux-kernel@vger.kernel.org, Julian Orth

A user reported memory corruption in the Jay wayland compositor [1]. The corruption started when archlinux enabled CONFIG_TRANSPARENT_HUGEPAGE_SHMEM_HUGE_WITHIN_SIZE in kernel 6.19.5.

The compositor uses udmabuf to upload memory from memfds to the GPU. When running an affected kernel, the following warnings are logged:

    a - addrs >= max_entries
    WARNING: drivers/gpu/drm/drm_prime.c:1089 at drm_prime_sg_to_dma_addr_array+0x86/0xc0, CPU#31: jay/1864
    [...]
    Call Trace:
     amdgpu_bo_move+0x188/0x800 [amdgpu 3b451640234948027c09e9b39e6520bc7e5471cf]

Disabling the use of huge pages at runtime via /sys/kernel/mm/transparent_hugepage/shmem_enabled fixes the issue.

udmabuf allocates a scatterlist with buffer_size/PAGE_SIZE entries. Each entry has a length of PAGE_SIZE.
With huge pages disabled, it appears that sg->offset is always 0. With huge pages enabled, sg->offset is incremented by PAGE_SIZE until the end of the huge page.

With the code before this patch, this causes __sg_page_iter_dma_next to iterate 1 + 2 + 3 + ... + 512 times over a single huge page instead of 512 times.

This effect can be seen in the screenshot provided by the user where parts of the image are repeated and with each repetition the base offset shifts by one page and the size of the repeated data grows by one page.

[1]: https://github.com/mahkoh/jay/issues/779

Fixes: a321e91b6d73 ("lib/scatterlist: add simple page iterator")
Fixes: d901b2760dc6 ("lib/scatterlist: Provide a DMA page iterator")
Signed-off-by: Julian Orth
---
I have not verified if this negatively affects any other users of the iterator interface. In particular, if sg->offset is allowed to not be page aligned.

The use of sg->offset in these functions looks suspect and removing it fixes the issue. I have not looked further than that.
---
 lib/scatterlist.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/scatterlist.c b/lib/scatterlist.c index d773720d11bf..001f33ec4e49 100644 --- a/lib/scatterlist.c +++ b/lib/scatterlist.c @@ -738,7 +738,7 @@ EXPORT_SYMBOL(__sg_page_iter_start); =20 static int sg_page_count(struct scatterlist *sg) { - return PAGE_ALIGN(sg->offset + sg->length) >> PAGE_SHIFT; + return PAGE_ALIGN(sg->length) >> PAGE_SHIFT; } =20 bool __sg_page_iter_next(struct sg_page_iter *piter) @@ -762,7 +762,7 @@ EXPORT_SYMBOL(__sg_page_iter_next); =20 static int sg_dma_page_count(struct scatterlist *sg) { - return PAGE_ALIGN(sg->offset + sg_dma_len(sg)) >> PAGE_SHIFT; + return PAGE_ALIGN(sg_dma_len(sg)) >> PAGE_SHIFT; } =20 bool __sg_page_iter_dma_next(struct sg_dma_page_iter *dma_iter)
---
base-commit: fb07430e6f98ccff61f6f1a06d01d7f12e29c6d3
change-id: 20260308-scatterlist-8a06ca446bc1

Best regards,
-- 
Julian Orth
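
Review bot: In sg_page_count(), dropping sg->offset entirely under-counts an entry whose offset is not page aligned: with an offset of half a page and a length of PAGE_SIZE the data spans two pages, the old expression returned 2 and the new one returns 1, so an iterator bounded by this count would not reach the second page. The note under the first "---" already says this case is unverified. If the intent is only to stop whole-page multiples in sg->offset from inflating the count, keeping the sub-page part preserves the old result for such entries, for example PAGE_ALIGN(offset_in_page(sg->offset) + sg->length) >> PAGE_SHIFT; otherwise the commit message should state that sg->offset is required to be page aligned for these iterators.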
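
Review bot: In sg_dma_page_count(), the same one-line removal is applied, but the warning and the analysis in the commit message only cover the DMA iterator (drm_prime_sg_to_dma_addr_array, __sg_page_iter_dma_next), while the patch carries two Fixes: tags and also changes the CPU-side helper. It would help to say in the message which of the two paths was actually tested, and to add a short comment above this helper stating that the count is derived from sg_dma_len() alone and why sg->offset is not added, so the term is not reintroduced later.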