From: Marek Szyprowski <m.szyprowski@samsung.com>
To: dri-devel@lists.freedesktop.org,
iommu@lists.linux-foundation.org, linaro-mm-sig@lists.linaro.org,
linux-kernel@vger.kernel.org
Cc: Marek Szyprowski <m.szyprowski@samsung.com>,
Christoph Hellwig <hch@lst.de>,
Robin Murphy <robin.murphy@arm.com>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
linux-arm-kernel@lists.infradead.org,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>
Subject: [PATCH v2 00/21] DRM: fix struct sg_table nents vs. orig_nents misuse
Date: Mon, 4 May 2020 14:50:17 +0200 [thread overview]
Message-ID: <20200504125017.5494-1-m.szyprowski@samsung.com> (raw)
In-Reply-To: CGME20200504125032eucas1p2eeaf22690e6b557d69c834cc9dd75855@eucas1p2.samsung.com
Dear All,
During the Exynos DRM GEM rework and fixing the issues in the
drm_prime_sg_to_page_addr_arrays() function [1] I've noticed that most
drivers in DRM framework incorrectly use nents and orig_nents entries of
the struct sg_table.
In case of the most DMA-mapping implementations exchanging those two
entries or using nents for all loops on the scatterlist is harmless,
because they both have the same value. There exists however a DMA-mapping
implementations, for which such incorrect usage breaks things. The nents
returned by dma_map_sg() might be lower than the nents passed as its
parameter and this is perfectly fine. DMA framework or IOMMU is allowed
to join consecutive chunks while mapping if such operation is supported
by the underlying HW (bus, bridge, IOMMU, etc). Example of the case
where dma_map_sg() might return 1 'DMA' chunk for the 4 'physical' pages
is described here [2]
The DMA-mapping framework documentation [3] states that dma_map_sg()
returns the numer of the created entries in the DMA address space.
However the subsequent calls to dma_sync_sg_for_{device,cpu} and
dma_unmap_sg must be called with the original number of entries passed to
dma_map_sg. The common pattern in DRM drivers were to assign the
dma_map_sg() return value to sg_table->nents and use that value for
the subsequent calls to dma_sync_sg_* or dma_unmap_sg functions. Also
the code iterated over nents times to access the pages stored in the
processed scatterlist, while it should use orig_nents as the numer of
the page entries.
I've tried to identify all such incorrect usage of sg_table->nents and
this is a result of my research. It looks that the incorrect pattern has
been copied over the many drivers mainly in the DRM subsystem. Too bad in
most cases it even worked correctly if the system used simple,
linear DMA-mapping implementation, for which swapping nents and
orig_nents doesn't make any difference.
The biggest TODO is DRM/i915 driver and I don't feel brave enough to fix
it fully. The driver creatively uses sg_table->orig_nents to store the
size of the allocate scatterlist and ignores the number of the entries
returned by dma_map_sg function. In this patchset I only fixed the
sg_table objects exported by dmabuf related functions. I hope that I
didn't break anything there.
As a follow-up for this patchset I will prepare a common
dma_{map,sync,unmap}_sgtable() wrappers, which will use a proper sg_table
entries and call respective DMA-mapping functions. I hope this will help
to avoid issue like this in the future.
Patches are based on top of Linux next-20200504.
Best regards,
Marek Szyprowski
References:
[1] https://lkml.org/lkml/2020/3/27/555
[2] https://lkml.org/lkml/2020/3/29/65
[3] Documentation/DMA-API-HOWTO.txt
Changelog:
v2:
- dropped most of the changes to drm/i915
- added fixes for rcar-du, xen, media and ion
- fixed a few issues pointed by kbuild test robot
- added wide cc: list for each patch
v1: https://lore.kernel.org/linux-iommu/c01c9766-9778-fd1f-f36e-2dc7bd376ba4@arm.com/T/#m879a727e4e46b5479ef8603994b1a006fb2aa337
- initial version
Patch summary:
Marek Szyprowski (21):
drm: core: fix sg_table nents vs. orig_nents misuse
drm: amdgpu: fix sg_table nents vs. orig_nents misuse
drm: armada: fix sg_table nents vs. orig_nents misuse
drm: etnaviv: fix sg_table nents vs. orig_nents misuse
drm: exynos: fix sg_table nents vs. orig_nents misuse
drm: i915: fix sg_table nents vs. orig_nents misuse for dmabuf objects
drm: lima: fix sg_table nents vs. orig_nents misuse
drm: msm: fix sg_table nents vs. orig_nents misuse
drm: panfrost: fix sg_table nents vs. orig_nents misuse
drm: radeon: fix sg_table nents vs. orig_nents misuse
drm: rockchip: fix sg_table nents vs. orig_nents misuse
drm: tegra: fix sg_table nents vs. orig_nents misuse
drm: virtio: fix sg_table nents vs. orig_nents misuse
drm: vmwgfx: fix sg_table nents vs. orig_nents misuse
drm: xen: fix sg_table nents vs. orig_nents misuse
drm: host1x: fix sg_table nents vs. orig_nents misuse
drm: rcar-du: fix sg_table nents vs. orig_nents misuse
xen: gntdev: fix sg_table nents vs. orig_nents misuse
dmabuf: fix sg_table nents vs. orig_nents misuse
media: pci: fix common ALSA DMA-mapping related code
staging: ion: fix sg_table nents vs. orig_nents misuse
drivers/dma-buf/heaps/heap-helpers.c | 7 ++++---
drivers/dma-buf/udmabuf.c | 5 +++--
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 7 ++++---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 8 ++++----
drivers/gpu/drm/armada/armada_gem.c | 14 ++++++++-----
drivers/gpu/drm/drm_cache.c | 2 +-
drivers/gpu/drm/drm_gem_shmem_helper.c | 7 ++++---
drivers/gpu/drm/drm_prime.c | 9 +++++----
drivers/gpu/drm/etnaviv/etnaviv_gem.c | 10 ++++++----
drivers/gpu/drm/exynos/exynos_drm_g2d.c | 7 ++++---
drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c | 9 +++++----
drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c | 5 +++--
drivers/gpu/drm/lima/lima_gem.c | 4 ++--
drivers/gpu/drm/msm/msm_gem.c | 8 ++++----
drivers/gpu/drm/msm/msm_iommu.c | 3 ++-
drivers/gpu/drm/panfrost/panfrost_gem.c | 3 ++-
drivers/gpu/drm/panfrost/panfrost_mmu.c | 4 +++-
drivers/gpu/drm/radeon/radeon_ttm.c | 11 ++++++-----
drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 15 +++++++-------
drivers/gpu/drm/tegra/gem.c | 25 ++++++++++++------------
drivers/gpu/drm/tegra/plane.c | 13 ++++++------
drivers/gpu/drm/virtio/virtgpu_object.c | 11 ++++++-----
drivers/gpu/drm/virtio/virtgpu_vq.c | 8 ++++----
drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 6 +++---
drivers/gpu/drm/xen/xen_drm_front_gem.c | 2 +-
drivers/gpu/host1x/job.c | 17 ++++++++--------
drivers/media/pci/cx23885/cx23885-alsa.c | 2 +-
drivers/media/pci/cx25821/cx25821-alsa.c | 2 +-
drivers/media/pci/cx88/cx88-alsa.c | 2 +-
drivers/media/pci/saa7134/saa7134-alsa.c | 2 +-
drivers/media/platform/vsp1/vsp1_drm.c | 7 ++++---
drivers/staging/android/ion/ion.c | 17 ++++++++--------
drivers/staging/android/ion/ion_heap.c | 6 +++---
drivers/staging/android/ion/ion_system_heap.c | 2 +-
drivers/xen/gntdev-dmabuf.c | 10 ++++++----
35 files changed, 149 insertions(+), 121 deletions(-)
--
1.9.1
WARNING: multiple messages have this Message-ID (diff)
From: Marek Szyprowski <m.szyprowski@samsung.com>
To: dri-devel@lists.freedesktop.org,
iommu@lists.linux-foundation.org, linaro-mm-sig@lists.linaro.org,
linux-kernel@vger.kernel.org
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
Robin Murphy <robin.murphy@arm.com>,
Christoph Hellwig <hch@lst.de>,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 00/21] DRM: fix struct sg_table nents vs. orig_nents misuse
Date: Mon, 4 May 2020 14:50:17 +0200 [thread overview]
Message-ID: <20200504125017.5494-1-m.szyprowski@samsung.com> (raw)
In-Reply-To: CGME20200504125032eucas1p2eeaf22690e6b557d69c834cc9dd75855@eucas1p2.samsung.com
Dear All,
During the Exynos DRM GEM rework and fixing the issues in the
drm_prime_sg_to_page_addr_arrays() function [1] I've noticed that most
drivers in DRM framework incorrectly use nents and orig_nents entries of
the struct sg_table.
In case of the most DMA-mapping implementations exchanging those two
entries or using nents for all loops on the scatterlist is harmless,
because they both have the same value. There exists however a DMA-mapping
implementations, for which such incorrect usage breaks things. The nents
returned by dma_map_sg() might be lower than the nents passed as its
parameter and this is perfectly fine. DMA framework or IOMMU is allowed
to join consecutive chunks while mapping if such operation is supported
by the underlying HW (bus, bridge, IOMMU, etc). Example of the case
where dma_map_sg() might return 1 'DMA' chunk for the 4 'physical' pages
is described here [2]
The DMA-mapping framework documentation [3] states that dma_map_sg()
returns the numer of the created entries in the DMA address space.
However the subsequent calls to dma_sync_sg_for_{device,cpu} and
dma_unmap_sg must be called with the original number of entries passed to
dma_map_sg. The common pattern in DRM drivers were to assign the
dma_map_sg() return value to sg_table->nents and use that value for
the subsequent calls to dma_sync_sg_* or dma_unmap_sg functions. Also
the code iterated over nents times to access the pages stored in the
processed scatterlist, while it should use orig_nents as the numer of
the page entries.
I've tried to identify all such incorrect usage of sg_table->nents and
this is a result of my research. It looks that the incorrect pattern has
been copied over the many drivers mainly in the DRM subsystem. Too bad in
most cases it even worked correctly if the system used simple,
linear DMA-mapping implementation, for which swapping nents and
orig_nents doesn't make any difference.
The biggest TODO is DRM/i915 driver and I don't feel brave enough to fix
it fully. The driver creatively uses sg_table->orig_nents to store the
size of the allocate scatterlist and ignores the number of the entries
returned by dma_map_sg function. In this patchset I only fixed the
sg_table objects exported by dmabuf related functions. I hope that I
didn't break anything there.
As a follow-up for this patchset I will prepare a common
dma_{map,sync,unmap}_sgtable() wrappers, which will use a proper sg_table
entries and call respective DMA-mapping functions. I hope this will help
to avoid issue like this in the future.
Patches are based on top of Linux next-20200504.
Best regards,
Marek Szyprowski
References:
[1] https://lkml.org/lkml/2020/3/27/555
[2] https://lkml.org/lkml/2020/3/29/65
[3] Documentation/DMA-API-HOWTO.txt
Changelog:
v2:
- dropped most of the changes to drm/i915
- added fixes for rcar-du, xen, media and ion
- fixed a few issues pointed by kbuild test robot
- added wide cc: list for each patch
v1: https://lore.kernel.org/linux-iommu/c01c9766-9778-fd1f-f36e-2dc7bd376ba4@arm.com/T/#m879a727e4e46b5479ef8603994b1a006fb2aa337
- initial version
Patch summary:
Marek Szyprowski (21):
drm: core: fix sg_table nents vs. orig_nents misuse
drm: amdgpu: fix sg_table nents vs. orig_nents misuse
drm: armada: fix sg_table nents vs. orig_nents misuse
drm: etnaviv: fix sg_table nents vs. orig_nents misuse
drm: exynos: fix sg_table nents vs. orig_nents misuse
drm: i915: fix sg_table nents vs. orig_nents misuse for dmabuf objects
drm: lima: fix sg_table nents vs. orig_nents misuse
drm: msm: fix sg_table nents vs. orig_nents misuse
drm: panfrost: fix sg_table nents vs. orig_nents misuse
drm: radeon: fix sg_table nents vs. orig_nents misuse
drm: rockchip: fix sg_table nents vs. orig_nents misuse
drm: tegra: fix sg_table nents vs. orig_nents misuse
drm: virtio: fix sg_table nents vs. orig_nents misuse
drm: vmwgfx: fix sg_table nents vs. orig_nents misuse
drm: xen: fix sg_table nents vs. orig_nents misuse
drm: host1x: fix sg_table nents vs. orig_nents misuse
drm: rcar-du: fix sg_table nents vs. orig_nents misuse
xen: gntdev: fix sg_table nents vs. orig_nents misuse
dmabuf: fix sg_table nents vs. orig_nents misuse
media: pci: fix common ALSA DMA-mapping related code
staging: ion: fix sg_table nents vs. orig_nents misuse
drivers/dma-buf/heaps/heap-helpers.c | 7 ++++---
drivers/dma-buf/udmabuf.c | 5 +++--
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 7 ++++---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 8 ++++----
drivers/gpu/drm/armada/armada_gem.c | 14 ++++++++-----
drivers/gpu/drm/drm_cache.c | 2 +-
drivers/gpu/drm/drm_gem_shmem_helper.c | 7 ++++---
drivers/gpu/drm/drm_prime.c | 9 +++++----
drivers/gpu/drm/etnaviv/etnaviv_gem.c | 10 ++++++----
drivers/gpu/drm/exynos/exynos_drm_g2d.c | 7 ++++---
drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c | 9 +++++----
drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c | 5 +++--
drivers/gpu/drm/lima/lima_gem.c | 4 ++--
drivers/gpu/drm/msm/msm_gem.c | 8 ++++----
drivers/gpu/drm/msm/msm_iommu.c | 3 ++-
drivers/gpu/drm/panfrost/panfrost_gem.c | 3 ++-
drivers/gpu/drm/panfrost/panfrost_mmu.c | 4 +++-
drivers/gpu/drm/radeon/radeon_ttm.c | 11 ++++++-----
drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 15 +++++++-------
drivers/gpu/drm/tegra/gem.c | 25 ++++++++++++------------
drivers/gpu/drm/tegra/plane.c | 13 ++++++------
drivers/gpu/drm/virtio/virtgpu_object.c | 11 ++++++-----
drivers/gpu/drm/virtio/virtgpu_vq.c | 8 ++++----
drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 6 +++---
drivers/gpu/drm/xen/xen_drm_front_gem.c | 2 +-
drivers/gpu/host1x/job.c | 17 ++++++++--------
drivers/media/pci/cx23885/cx23885-alsa.c | 2 +-
drivers/media/pci/cx25821/cx25821-alsa.c | 2 +-
drivers/media/pci/cx88/cx88-alsa.c | 2 +-
drivers/media/pci/saa7134/saa7134-alsa.c | 2 +-
drivers/media/platform/vsp1/vsp1_drm.c | 7 ++++---
drivers/staging/android/ion/ion.c | 17 ++++++++--------
drivers/staging/android/ion/ion_heap.c | 6 +++---
drivers/staging/android/ion/ion_system_heap.c | 2 +-
drivers/xen/gntdev-dmabuf.c | 10 ++++++----
35 files changed, 149 insertions(+), 121 deletions(-)
--
1.9.1
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
WARNING: multiple messages have this Message-ID (diff)
From: Marek Szyprowski <m.szyprowski@samsung.com>
To: dri-devel@lists.freedesktop.org,
iommu@lists.linux-foundation.org, linaro-mm-sig@lists.linaro.org,
linux-kernel@vger.kernel.org
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
Robin Murphy <robin.murphy@arm.com>,
Christoph Hellwig <hch@lst.de>,
linux-arm-kernel@lists.infradead.org,
Marek Szyprowski <m.szyprowski@samsung.com>
Subject: [PATCH v2 00/21] DRM: fix struct sg_table nents vs. orig_nents misuse
Date: Mon, 4 May 2020 14:50:17 +0200 [thread overview]
Message-ID: <20200504125017.5494-1-m.szyprowski@samsung.com> (raw)
In-Reply-To: CGME20200504125032eucas1p2eeaf22690e6b557d69c834cc9dd75855@eucas1p2.samsung.com
Dear All,
During the Exynos DRM GEM rework and fixing the issues in the
drm_prime_sg_to_page_addr_arrays() function [1] I've noticed that most
drivers in DRM framework incorrectly use nents and orig_nents entries of
the struct sg_table.
In case of the most DMA-mapping implementations exchanging those two
entries or using nents for all loops on the scatterlist is harmless,
because they both have the same value. There exists however a DMA-mapping
implementations, for which such incorrect usage breaks things. The nents
returned by dma_map_sg() might be lower than the nents passed as its
parameter and this is perfectly fine. DMA framework or IOMMU is allowed
to join consecutive chunks while mapping if such operation is supported
by the underlying HW (bus, bridge, IOMMU, etc). Example of the case
where dma_map_sg() might return 1 'DMA' chunk for the 4 'physical' pages
is described here [2]
The DMA-mapping framework documentation [3] states that dma_map_sg()
returns the numer of the created entries in the DMA address space.
However the subsequent calls to dma_sync_sg_for_{device,cpu} and
dma_unmap_sg must be called with the original number of entries passed to
dma_map_sg. The common pattern in DRM drivers were to assign the
dma_map_sg() return value to sg_table->nents and use that value for
the subsequent calls to dma_sync_sg_* or dma_unmap_sg functions. Also
the code iterated over nents times to access the pages stored in the
processed scatterlist, while it should use orig_nents as the numer of
the page entries.
I've tried to identify all such incorrect usage of sg_table->nents and
this is a result of my research. It looks that the incorrect pattern has
been copied over the many drivers mainly in the DRM subsystem. Too bad in
most cases it even worked correctly if the system used simple,
linear DMA-mapping implementation, for which swapping nents and
orig_nents doesn't make any difference.
The biggest TODO is DRM/i915 driver and I don't feel brave enough to fix
it fully. The driver creatively uses sg_table->orig_nents to store the
size of the allocate scatterlist and ignores the number of the entries
returned by dma_map_sg function. In this patchset I only fixed the
sg_table objects exported by dmabuf related functions. I hope that I
didn't break anything there.
As a follow-up for this patchset I will prepare a common
dma_{map,sync,unmap}_sgtable() wrappers, which will use a proper sg_table
entries and call respective DMA-mapping functions. I hope this will help
to avoid issue like this in the future.
Patches are based on top of Linux next-20200504.
Best regards,
Marek Szyprowski
References:
[1] https://lkml.org/lkml/2020/3/27/555
[2] https://lkml.org/lkml/2020/3/29/65
[3] Documentation/DMA-API-HOWTO.txt
Changelog:
v2:
- dropped most of the changes to drm/i915
- added fixes for rcar-du, xen, media and ion
- fixed a few issues pointed by kbuild test robot
- added wide cc: list for each patch
v1: https://lore.kernel.org/linux-iommu/c01c9766-9778-fd1f-f36e-2dc7bd376ba4@arm.com/T/#m879a727e4e46b5479ef8603994b1a006fb2aa337
- initial version
Patch summary:
Marek Szyprowski (21):
drm: core: fix sg_table nents vs. orig_nents misuse
drm: amdgpu: fix sg_table nents vs. orig_nents misuse
drm: armada: fix sg_table nents vs. orig_nents misuse
drm: etnaviv: fix sg_table nents vs. orig_nents misuse
drm: exynos: fix sg_table nents vs. orig_nents misuse
drm: i915: fix sg_table nents vs. orig_nents misuse for dmabuf objects
drm: lima: fix sg_table nents vs. orig_nents misuse
drm: msm: fix sg_table nents vs. orig_nents misuse
drm: panfrost: fix sg_table nents vs. orig_nents misuse
drm: radeon: fix sg_table nents vs. orig_nents misuse
drm: rockchip: fix sg_table nents vs. orig_nents misuse
drm: tegra: fix sg_table nents vs. orig_nents misuse
drm: virtio: fix sg_table nents vs. orig_nents misuse
drm: vmwgfx: fix sg_table nents vs. orig_nents misuse
drm: xen: fix sg_table nents vs. orig_nents misuse
drm: host1x: fix sg_table nents vs. orig_nents misuse
drm: rcar-du: fix sg_table nents vs. orig_nents misuse
xen: gntdev: fix sg_table nents vs. orig_nents misuse
dmabuf: fix sg_table nents vs. orig_nents misuse
media: pci: fix common ALSA DMA-mapping related code
staging: ion: fix sg_table nents vs. orig_nents misuse
drivers/dma-buf/heaps/heap-helpers.c | 7 ++++---
drivers/dma-buf/udmabuf.c | 5 +++--
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 7 ++++---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 8 ++++----
drivers/gpu/drm/armada/armada_gem.c | 14 ++++++++-----
drivers/gpu/drm/drm_cache.c | 2 +-
drivers/gpu/drm/drm_gem_shmem_helper.c | 7 ++++---
drivers/gpu/drm/drm_prime.c | 9 +++++----
drivers/gpu/drm/etnaviv/etnaviv_gem.c | 10 ++++++----
drivers/gpu/drm/exynos/exynos_drm_g2d.c | 7 ++++---
drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c | 9 +++++----
drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c | 5 +++--
drivers/gpu/drm/lima/lima_gem.c | 4 ++--
drivers/gpu/drm/msm/msm_gem.c | 8 ++++----
drivers/gpu/drm/msm/msm_iommu.c | 3 ++-
drivers/gpu/drm/panfrost/panfrost_gem.c | 3 ++-
drivers/gpu/drm/panfrost/panfrost_mmu.c | 4 +++-
drivers/gpu/drm/radeon/radeon_ttm.c | 11 ++++++-----
drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 15 +++++++-------
drivers/gpu/drm/tegra/gem.c | 25 ++++++++++++------------
drivers/gpu/drm/tegra/plane.c | 13 ++++++------
drivers/gpu/drm/virtio/virtgpu_object.c | 11 ++++++-----
drivers/gpu/drm/virtio/virtgpu_vq.c | 8 ++++----
drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 6 +++---
drivers/gpu/drm/xen/xen_drm_front_gem.c | 2 +-
drivers/gpu/host1x/job.c | 17 ++++++++--------
drivers/media/pci/cx23885/cx23885-alsa.c | 2 +-
drivers/media/pci/cx25821/cx25821-alsa.c | 2 +-
drivers/media/pci/cx88/cx88-alsa.c | 2 +-
drivers/media/pci/saa7134/saa7134-alsa.c | 2 +-
drivers/media/platform/vsp1/vsp1_drm.c | 7 ++++---
drivers/staging/android/ion/ion.c | 17 ++++++++--------
drivers/staging/android/ion/ion_heap.c | 6 +++---
drivers/staging/android/ion/ion_system_heap.c | 2 +-
drivers/xen/gntdev-dmabuf.c | 10 ++++++----
35 files changed, 149 insertions(+), 121 deletions(-)
--
1.9.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Marek Szyprowski <m.szyprowski@samsung.com>
To: dri-devel@lists.freedesktop.org,
iommu@lists.linux-foundation.org, linaro-mm-sig@lists.linaro.org,
linux-kernel@vger.kernel.org
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
David Airlie <airlied@linux.ie>,
Robin Murphy <robin.murphy@arm.com>,
Christoph Hellwig <hch@lst.de>,
linux-arm-kernel@lists.infradead.org,
Marek Szyprowski <m.szyprowski@samsung.com>
Subject: [PATCH v2 00/21] DRM: fix struct sg_table nents vs. orig_nents misuse
Date: Mon, 4 May 2020 14:50:17 +0200 [thread overview]
Message-ID: <20200504125017.5494-1-m.szyprowski@samsung.com> (raw)
In-Reply-To: CGME20200504125032eucas1p2eeaf22690e6b557d69c834cc9dd75855@eucas1p2.samsung.com
Dear All,
During the Exynos DRM GEM rework and fixing the issues in the
drm_prime_sg_to_page_addr_arrays() function [1] I've noticed that most
drivers in DRM framework incorrectly use nents and orig_nents entries of
the struct sg_table.
In case of the most DMA-mapping implementations exchanging those two
entries or using nents for all loops on the scatterlist is harmless,
because they both have the same value. There exists however a DMA-mapping
implementations, for which such incorrect usage breaks things. The nents
returned by dma_map_sg() might be lower than the nents passed as its
parameter and this is perfectly fine. DMA framework or IOMMU is allowed
to join consecutive chunks while mapping if such operation is supported
by the underlying HW (bus, bridge, IOMMU, etc). Example of the case
where dma_map_sg() might return 1 'DMA' chunk for the 4 'physical' pages
is described here [2]
The DMA-mapping framework documentation [3] states that dma_map_sg()
returns the numer of the created entries in the DMA address space.
However the subsequent calls to dma_sync_sg_for_{device,cpu} and
dma_unmap_sg must be called with the original number of entries passed to
dma_map_sg. The common pattern in DRM drivers were to assign the
dma_map_sg() return value to sg_table->nents and use that value for
the subsequent calls to dma_sync_sg_* or dma_unmap_sg functions. Also
the code iterated over nents times to access the pages stored in the
processed scatterlist, while it should use orig_nents as the numer of
the page entries.
I've tried to identify all such incorrect usage of sg_table->nents and
this is a result of my research. It looks that the incorrect pattern has
been copied over the many drivers mainly in the DRM subsystem. Too bad in
most cases it even worked correctly if the system used simple,
linear DMA-mapping implementation, for which swapping nents and
orig_nents doesn't make any difference.
The biggest TODO is DRM/i915 driver and I don't feel brave enough to fix
it fully. The driver creatively uses sg_table->orig_nents to store the
size of the allocate scatterlist and ignores the number of the entries
returned by dma_map_sg function. In this patchset I only fixed the
sg_table objects exported by dmabuf related functions. I hope that I
didn't break anything there.
As a follow-up for this patchset I will prepare a common
dma_{map,sync,unmap}_sgtable() wrappers, which will use a proper sg_table
entries and call respective DMA-mapping functions. I hope this will help
to avoid issue like this in the future.
Patches are based on top of Linux next-20200504.
Best regards,
Marek Szyprowski
References:
[1] https://lkml.org/lkml/2020/3/27/555
[2] https://lkml.org/lkml/2020/3/29/65
[3] Documentation/DMA-API-HOWTO.txt
Changelog:
v2:
- dropped most of the changes to drm/i915
- added fixes for rcar-du, xen, media and ion
- fixed a few issues pointed by kbuild test robot
- added wide cc: list for each patch
v1: https://lore.kernel.org/linux-iommu/c01c9766-9778-fd1f-f36e-2dc7bd376ba4@arm.com/T/#m879a727e4e46b5479ef8603994b1a006fb2aa337
- initial version
Patch summary:
Marek Szyprowski (21):
drm: core: fix sg_table nents vs. orig_nents misuse
drm: amdgpu: fix sg_table nents vs. orig_nents misuse
drm: armada: fix sg_table nents vs. orig_nents misuse
drm: etnaviv: fix sg_table nents vs. orig_nents misuse
drm: exynos: fix sg_table nents vs. orig_nents misuse
drm: i915: fix sg_table nents vs. orig_nents misuse for dmabuf objects
drm: lima: fix sg_table nents vs. orig_nents misuse
drm: msm: fix sg_table nents vs. orig_nents misuse
drm: panfrost: fix sg_table nents vs. orig_nents misuse
drm: radeon: fix sg_table nents vs. orig_nents misuse
drm: rockchip: fix sg_table nents vs. orig_nents misuse
drm: tegra: fix sg_table nents vs. orig_nents misuse
drm: virtio: fix sg_table nents vs. orig_nents misuse
drm: vmwgfx: fix sg_table nents vs. orig_nents misuse
drm: xen: fix sg_table nents vs. orig_nents misuse
drm: host1x: fix sg_table nents vs. orig_nents misuse
drm: rcar-du: fix sg_table nents vs. orig_nents misuse
xen: gntdev: fix sg_table nents vs. orig_nents misuse
dmabuf: fix sg_table nents vs. orig_nents misuse
media: pci: fix common ALSA DMA-mapping related code
staging: ion: fix sg_table nents vs. orig_nents misuse
drivers/dma-buf/heaps/heap-helpers.c | 7 ++++---
drivers/dma-buf/udmabuf.c | 5 +++--
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 7 ++++---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 8 ++++----
drivers/gpu/drm/armada/armada_gem.c | 14 ++++++++-----
drivers/gpu/drm/drm_cache.c | 2 +-
drivers/gpu/drm/drm_gem_shmem_helper.c | 7 ++++---
drivers/gpu/drm/drm_prime.c | 9 +++++----
drivers/gpu/drm/etnaviv/etnaviv_gem.c | 10 ++++++----
drivers/gpu/drm/exynos/exynos_drm_g2d.c | 7 ++++---
drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c | 9 +++++----
drivers/gpu/drm/i915/gem/selftests/mock_dmabuf.c | 5 +++--
drivers/gpu/drm/lima/lima_gem.c | 4 ++--
drivers/gpu/drm/msm/msm_gem.c | 8 ++++----
drivers/gpu/drm/msm/msm_iommu.c | 3 ++-
drivers/gpu/drm/panfrost/panfrost_gem.c | 3 ++-
drivers/gpu/drm/panfrost/panfrost_mmu.c | 4 +++-
drivers/gpu/drm/radeon/radeon_ttm.c | 11 ++++++-----
drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 15 +++++++-------
drivers/gpu/drm/tegra/gem.c | 25 ++++++++++++------------
drivers/gpu/drm/tegra/plane.c | 13 ++++++------
drivers/gpu/drm/virtio/virtgpu_object.c | 11 ++++++-----
drivers/gpu/drm/virtio/virtgpu_vq.c | 8 ++++----
drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 6 +++---
drivers/gpu/drm/xen/xen_drm_front_gem.c | 2 +-
drivers/gpu/host1x/job.c | 17 ++++++++--------
drivers/media/pci/cx23885/cx23885-alsa.c | 2 +-
drivers/media/pci/cx25821/cx25821-alsa.c | 2 +-
drivers/media/pci/cx88/cx88-alsa.c | 2 +-
drivers/media/pci/saa7134/saa7134-alsa.c | 2 +-
drivers/media/platform/vsp1/vsp1_drm.c | 7 ++++---
drivers/staging/android/ion/ion.c | 17 ++++++++--------
drivers/staging/android/ion/ion_heap.c | 6 +++---
drivers/staging/android/ion/ion_system_heap.c | 2 +-
drivers/xen/gntdev-dmabuf.c | 10 ++++++----
35 files changed, 149 insertions(+), 121 deletions(-)
--
1.9.1
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next parent reply other threads:[~2020-05-04 12:50 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20200504125032eucas1p2eeaf22690e6b557d69c834cc9dd75855@eucas1p2.samsung.com>
2020-05-04 12:50 ` Marek Szyprowski [this message]
2020-05-04 12:50 ` [PATCH v2 00/21] DRM: fix struct sg_table nents vs. orig_nents misuse Marek Szyprowski
2020-05-04 12:50 ` Marek Szyprowski
2020-05-04 12:50 ` Marek Szyprowski
2020-05-04 12:52 ` Christoph Hellwig
2020-05-04 12:52 ` Christoph Hellwig
2020-05-04 12:52 ` Christoph Hellwig
2020-05-04 13:05 ` Marek Szyprowski
2020-05-04 13:05 ` Marek Szyprowski
2020-05-04 13:05 ` Marek Szyprowski
2020-05-04 13:05 ` Marek Szyprowski
2020-05-04 13:11 ` Christoph Hellwig
2020-05-04 13:11 ` Christoph Hellwig
2020-05-04 13:11 ` Christoph Hellwig
[not found] ` <CGME20200504125409eucas1p2225bf61e6a293eb4da81ec26341488f3@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 01/21] drm: core: fix " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125410eucas1p21e7a58138893b2fd1d599832357c9f21@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 02/21] drm: amdgpu: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125411eucas1p1d516115c221176c0903d77336b563c26@eucas1p1.samsung.com>
2020-05-04 12:53 ` [PATCH v2 03/21] drm: armada: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125412eucas1p263f2029c4fd299db92b365d7b66316a0@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 04/21] drm: etnaviv: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125412eucas1p1aa394ac0f9a88fb7be0ec2359690c416@eucas1p1.samsung.com>
2020-05-04 12:53 ` [PATCH v2 05/21] drm: exynos: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125413eucas1p23d4a2a1b9f3ffec973914228b0533d04@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 06/21] drm: i915: fix sg_table nents vs. orig_nents misuse for dmabuf objects Marek Szyprowski
2020-05-04 12:53 ` [Intel-gfx] " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125414eucas1p1dc1cbef1c50f430b738e74129babb95b@eucas1p1.samsung.com>
2020-05-04 12:53 ` [PATCH v2 07/21] drm: lima: fix sg_table nents vs. orig_nents misuse Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125415eucas1p2757f9a71add8c7547bc8f85906468113@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 08/21] drm: msm: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125415eucas1p1eea125ce87eec4e7c2e2dcc75f965896@eucas1p1.samsung.com>
2020-05-04 12:53 ` [PATCH v2 09/21] drm: panfrost: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 13:27 ` Steven Price
2020-05-04 13:27 ` Steven Price
2020-05-04 13:27 ` Steven Price
2020-05-04 13:27 ` Steven Price
[not found] ` <CGME20200504125416eucas1p2ab599ff4137e6c25d6847b83e7f69613@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 10/21] drm: radeon: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125417eucas1p1672a3ad3263e5f6b9162ecf7bef7af2b@eucas1p1.samsung.com>
2020-05-04 12:53 ` [PATCH v2 11/21] drm: rockchip: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125418eucas1p190ccb7626f969de8c6d53d216ea12a96@eucas1p1.samsung.com>
2020-05-04 12:53 ` [PATCH v2 13/21] drm: virtio: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125419eucas1p2de6a2146cc694e4fa8e9c11024447cc6@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 14/21] drm: vmwgfx: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125420eucas1p2387a795af11e62779e8aa7f7673a8562@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 15/21] drm: xen: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125418eucas1p2d649919f1969a85c8f7dfc8c73d58459@eucas1p2.samsung.com>
[not found] ` <20200504125359.5678-1-m.szyprowski-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2020-05-04 12:53 ` [PATCH v2 12/21] drm: tegra: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` [PATCH v2 16/21] drm: host1x: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125421eucas1p12d5bd93de51ec15b9287e2e3bd2e2ee5@eucas1p1.samsung.com>
2020-05-04 12:53 ` [PATCH v2 17/21] drm: rcar-du: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125422eucas1p206476912d5137bcad804bccbd75ed2f0@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 18/21] xen: gntdev: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125423eucas1p24639a2eae17ebc634e022a6c7d448981@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 19/21] dmabuf: " Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125424eucas1p16cb0c33de857e1f470173c66710c088b@eucas1p1.samsung.com>
2020-05-04 12:53 ` [PATCH v2 20/21] media: pci: fix common ALSA DMA-mapping related code Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
[not found] ` <CGME20200504125424eucas1p2a654aa95d553e10422dcb5125f960a49@eucas1p2.samsung.com>
2020-05-04 12:53 ` [PATCH v2 21/21] staging: ion: fix sg_table nents vs. orig_nents misuse Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
2020-05-04 12:53 ` Marek Szyprowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200504125017.5494-1-m.szyprowski@samsung.com \
--to=m.szyprowski@samsung.com \
--cc=airlied@linux.ie \
--cc=b.zolnierkie@samsung.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=hch@lst.de \
--cc=iommu@lists.linux-foundation.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=robin.murphy@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.