lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6aa0e294-9007-287a-ffb7-e3fbe50e2321@samsung.com>
Date:   Fri, 27 Mar 2020 09:26:57 +0100
From:   Marek Szyprowski <m.szyprowski@...sung.com>
To:     Shane Francis <bigbeeshane@...il.com>,
        dri-devel@...ts.freedesktop.org
Cc:     airlied@...ux.ie, linux-kernel@...r.kernel.org,
        amd-gfx-request@...ts.freedesktop.org, alexander.deucher@....com,
        christian.koenig@....com
Subject: Re: [v4,1/3] drm/prime: use dma length macro when mapping sg

On 2020-03-27 08:54, Marek Szyprowski wrote:
> On 2020-03-25 10:07, Shane Francis wrote:
>> As dma_map_sg can reorganize scatter-gather lists in a
>> way that can cause some later segments to be empty we should
>> always use the sg_dma_len macro to fetch the actual length.
>>
>> This could now be 0 and not need to be mapped to a page or
>> address array
>>
>> Signed-off-by: Shane Francis <bigbeeshane@...il.com>
>> Reviewed-by: Michael J. Ruhl <michael.j.ruhl@...el.com>
> This patch landed in linux-next 20200326 and it causes a kernel panic 
> on various Exynos SoC based boards.
>> ---
>>   drivers/gpu/drm/drm_prime.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
>> index 86d9b0e45c8c..1de2cde2277c 100644
>> --- a/drivers/gpu/drm/drm_prime.c
>> +++ b/drivers/gpu/drm/drm_prime.c
>> @@ -967,7 +967,7 @@ int drm_prime_sg_to_page_addr_arrays(struct 
>> sg_table *sgt, struct page **pages,
>>         index = 0;
>>       for_each_sg(sgt->sgl, sg, sgt->nents, count) {
>> -        len = sg->length;
>> +        len = sg_dma_len(sg);
>>           page = sg_page(sg);
>>           addr = sg_dma_address(sg);
>
> Sorry, but this code is wrong :(
>
> The scatterlist elements (sg) describes memory chunks in physical 
> memory and in the DMA (IO virtual) space. However in general, you 
> cannot assume 1:1 mapping between them. If you access sg_page(sg) 
> (basically sg->page), you must match it with sg->length. When you 
> access sg_dma_address(sg) (again, in most cases it is 
> sg->dma_address), then you must match it with sg_dma_len(sg). The 
> sg->dma_address might not be the dma address of the sg->page.
>
> In some cases (when IOMMU is available, it performs aggregation of the 
> scatterlist chunks and a few other, minor requirements), the whole 
> scatterlist might be mapped into contiguous DMA address space and 
> filled only to the first sg element.
>
> The proper way to iterate over a scatterlists to get both the pages 
> and the DMA addresses assigned to them is:
>
> int drm_prime_sg_to_page_addr_arrays(struct sg_table *sgt, struct page 
> **pages,
>                                      dma_addr_t *addrs, int max_entries)
> {
>         unsigned count;
>         struct scatterlist *sg;
>         struct page *page;
>         u32 page_len, page_index;
>         dma_addr_t addr;
>         u32 dma_len, dma_index;
>
>         page_index = 0;
>         dma_index = 0;
>         for_each_sg(sgt->sgl, sg, sgt->nents, count) {
>                 page_len = sg->length;
>                 page = sg_page(sg);
>                 dma_len = sg_dma_len(sg);
>                 addr = sg_dma_address(sg);
>
>                 while (pages && page_len > 0) {
>                         if (WARN_ON(page_index >= max_entries))
>                                 return -1;
>                         pages[page_index] = page;
>                         page++;
>                         page_len -= PAGE_SIZE;
>                         page_index++;
>                 }
>
>                 while (addrs && dma_len > 0) {
>                         if (WARN_ON(dma_index >= max_entries))
>                                 return -1;
>                         addrs[dma_index] = addr;
>                         addr += PAGE_SIZE;
>                         dma_len -= PAGE_SIZE;
>                         dma_index++;
>                 }
>         }
>
>         return 0;
> }
>
> I will send a patch in a few minutes with the above fixed code.

Here is the fix: https://patchwork.freedesktop.org/patch/359081/

Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ