From nobody@FreeBSD.org  Wed Mar  1 00:54:49 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4987F16A420
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  1 Mar 2006 00:54:49 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C96F543D46
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  1 Mar 2006 00:54:48 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k210sm8O018167
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 1 Mar 2006 00:54:48 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k210smRw018166;
	Wed, 1 Mar 2006 00:54:48 GMT
	(envelope-from nobody)
Message-Id: <200603010054.k210smRw018166@www.freebsd.org>
Date: Wed, 1 Mar 2006 00:54:48 GMT
From: Kaustubh Patil <kpatil@vmware.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Problem in bounce buffer handling in sys/amd64/amd64/busdma_machdep.c: _bus_dmamap_load_buffer()
X-Send-Pr-Version: www-2.3

>Number:         93961
>Category:       amd64
>Synopsis:       [busdma] Problem in bounce buffer handling in sys/amd64/amd64/busdma_machdep.c: _bus_dmamap_load_buffer()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-amd64
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 01 01:00:20 GMT 2006
>Closed-Date:    Tue Sep 21 15:17:46 UTC 2010
>Last-Modified:  Tue Sep 21 15:17:46 UTC 2010
>Originator:     Kaustubh Patil
>Release:        5.3-64
>Organization:
VMware, Inc.
>Environment:
>Description:
A couple of us have observed this problem with 5.3-64 bit version on a high
memory machine (> 4GiB memory), but a look at the current code indicates
that the bug might be present in recent branches as well.

_bus_dmamap_load_buffer() first calculates the number of pages that need to be
bounced.

vaddr = trunc_page((vm_offset_t)buf);    ---------- (1)
vendaddr = (vm_offset_t)buf + buflen;

while (vaddr < vendaddr) {
   paddr = pmap_kextract(vaddr);         ---------- (2)
   if (run_filter(dmat, paddr) != 0) {   ---------- (3)
      needbounce = 1;
      map->pagesneeded++;                ---------- (4)
   }
   vaddr += PAGE_SIZE;
}

Consider a dma-map that is set up to indicate the need to bounce
o if the address is in high memory or
o if the address is not page-aligned.

(1) The above code uses trunc_page() on the input virtual address.
(2) This page-aligned address is passed to pmap_kextract(), which returns a
    page-aligned paddr ...
(3) ... which is passed to run_filter(). As the paddr is page-aligned,
    run_filter() finds it okay as far as the page-alignment requirement is
    concerned.
(4) The count obtained is stored in "map->pagesneeded".

Later the function starts allocating bounce pages. However, unlike the above code,
the allocation code does not align virtual addresses, so the run_filter() call
catches the input paddr if it is not page-aligned; a bounce page is then
allocated for it using add_bounce_page() and "map->pagesneeded" is decremented.

Thus this code consumes "map->pagesneeded" for a virtual address that
was not initially identified for bouncing. This potentially leads to other needy
pages not being bounced.

In our scenario this bug caused the mpt driver to pass incorrectly truncated
32-bit addresses in the scatter-gather list, because the data buffer in high
memory (> 4GiB) was not bounced to < 4GiB memory.

-- Vyacheslav Malyugin, Kaustubh Patil
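A constructed model of the two passes described above, added here as an example and not part of the PR or of the FreeBSD source: pmap_kextract, run_filter and the three-entry page table are assumed stand-ins for the kernel's, and the tag is modelled as requiring 32-bit, page-aligned segments. It shows the truncating count missing an unaligned low-memory first segment, whose bounce page the allocation pass then consumes, so a later high-memory segment reaches the device unbounced; a count that walks the same segments as the allocation pass does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL
#define PAGE_MASK (PAGE_SIZE - 1)
#define trunc_page(x) ((x) & ~PAGE_MASK)
#define LOWADDR 0xFFFFFFFFULL  /* 32-bit DMA tag: anything above must bounce */

/* Constructed page table (assumption): virtual pages 0..2 of the buffer map
 * to these frames; page 1 lies above 4 GiB, pages 0 and 2 are low memory. */
static const uint64_t frames[] = { 0x10000000ULL, 0x100000000ULL, 0x20000000ULL };

static uint64_t pmap_kextract(uint64_t vaddr) {      /* model of the kernel call */
    return frames[vaddr / PAGE_SIZE] | (vaddr & PAGE_MASK);
}

/* Tag needs 32-bit, page-aligned segments (dmat argument dropped in the model). */
static int run_filter(uint64_t paddr) {
    return paddr > LOWADDR || (paddr & PAGE_MASK) != 0;
}

/* Counting pass as quoted in the PR: filters the page-truncated address. */
int count_truncated(uint64_t buf, size_t len) {
    int needed = 0;
    for (uint64_t v = trunc_page(buf); v < buf + len; v += PAGE_SIZE)
        if (run_filter(pmap_kextract(v))) needed++;
    return needed;
}

/* Counting pass that walks the same segments the allocation pass will see. */
int count_by_segment(uint64_t buf, size_t len) {
    int needed = 0;
    for (uint64_t v = buf; v < buf + len; v += PAGE_SIZE - (v & PAGE_MASK))
        if (run_filter(pmap_kextract(v))) needed++;
    return needed;
}

/* Allocation pass: a segment is bounced only while pagesneeded is non-zero.
 * Returns how many segments above 4 GiB reach the device unbounced. */
int unbounced_high_segments(uint64_t buf, size_t len, int pagesneeded) {
    int leaked = 0;
    for (uint64_t v = buf; v < buf + len; v += PAGE_SIZE - (v & PAGE_MASK)) {
        uint64_t paddr = pmap_kextract(v);
        if (pagesneeded != 0 && run_filter(paddr)) { pagesneeded--; continue; }
        if (paddr > LOWADDR) leaked++;  /* device would see a truncated address */
    }
    return leaked;
}
```

For a buffer starting at offset 0x800 into page 0 and spanning two pages, the truncating count yields 1 and one high segment leaks; the per-segment count yields 2 and nothing leaks.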
>How-To-Repeat:

>Fix:
The use of trunc_page() in the counting code seems questionable.
>Release-Note:
>Audit-Trail:
Adding to audit trail from misfiled PR caught in spam trap:

Message-ID: <000601c647d9$ab923940$dea0110a@vmware.com>
From: "Kaustubh Patil" <kaustubh_patil@hotmail.com>
Subject: Re: amd64/93961: Problem in bounce buffer handling in sys/amd64/amd64/busdma_machdep.c: _bus_dmamap_load_buffer()
Date: Tue, 14 Mar 2006 18:39:22 -0800

I would appreciate it if somebody could at least confirm that the bug exists
the way we think it does and that we are not mistaken. Thanks.


From: Mark Tinguely <tinguely@casselton.net>
To: bug-followup@FreeBSD.org, kpatil@vmware.com
Cc:  
Subject: Re: amd64/93961: [busdma] Problem in bounce buffer handling in sys/amd64/amd64/busdma_machdep.c: _bus_dmamap_load_buffer()
Date: Mon, 8 Feb 2010 08:51:23 -0600 (CST)

 IMO, this problem should be closed for amd64 because it has been fixed in
 at least FreeBSD 8, if not sooner.
 
 The ARM busdma_machdep.c has this same truncate issue; I have some busdma
 extensions that include starting with the newest i386 sources.
 
 --Mark Tinguely.

From: Mark Tinguely <marktinguely@gmail.com>
To: bug-followup@FreeBSD.org, kpatil@vmware.com
Cc:  
Subject: Re: amd64/93961: [busdma] Problem in bounce buffer handling in sys/amd64/amd64/busdma_machdep.c: _bus_dmamap_load_buffer()
Date: Fri, 06 Aug 2010 07:42:56 -0500

 With the bug-fixing weekend coming up: revision 176206 fixed this in 
 FreeBSD 8 and revision 200289 fixed this in FreeBSD 7. This patch could 
 be moved to FreeBSD 6 stable, and this problem report closed.
 
 --Mark Tinguely.
State-Changed-From-To: open->closed 
State-Changed-By: jh 
State-Changed-When: Tue Sep 21 15:17:45 UTC 2010 
State-Changed-Why:  
Reportedly fixed in head, stable/8 and stable/7. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93961 
>Unformatted:
