linux/drivers/dma
Dan Williams 7787380336 net_dma: mark broken
net_dma can cause data to be copied to a stale mapping if a
copy-on-write fault occurs during dma.  The application sees missing
data.

The following trace is triggered by modifying the kernel to WARN if it
ever triggers copy-on-write on a page that is undergoing dma:

 WARNING: CPU: 24 PID: 2529 at lib/dma-debug.c:485 debug_dma_assert_idle+0xd2/0x120()
 ioatdma 0000:00:04.0: DMA-API: cpu touching an active dma mapped page [pfn=0x16bcd9]
 Modules linked in: iTCO_wdt iTCO_vendor_support ioatdma lpc_ich pcspkr dca
 CPU: 24 PID: 2529 Comm: linbug Tainted: G        W    3.13.0-rc1+ #353
  00000000000001e5 ffff88016f45f688 ffffffff81751041 ffff88017ab0ef70
  ffff88016f45f6d8 ffff88016f45f6c8 ffffffff8104ed9c ffffffff810f3646
  ffff8801768f4840 0000000000000282 ffff88016f6cca10 00007fa2bb699349
 Call Trace:
  [<ffffffff81751041>] dump_stack+0x46/0x58
  [<ffffffff8104ed9c>] warn_slowpath_common+0x8c/0xc0
  [<ffffffff810f3646>] ? ftrace_pid_func+0x26/0x30
  [<ffffffff8104ee86>] warn_slowpath_fmt+0x46/0x50
  [<ffffffff8139c062>] debug_dma_assert_idle+0xd2/0x120
  [<ffffffff81154a40>] do_wp_page+0xd0/0x790
  [<ffffffff811582ac>] handle_mm_fault+0x51c/0xde0
  [<ffffffff813830b9>] ? copy_user_enhanced_fast_string+0x9/0x20
  [<ffffffff8175fc2c>] __do_page_fault+0x19c/0x530
  [<ffffffff8175c196>] ? _raw_spin_lock_bh+0x16/0x40
  [<ffffffff810f3539>] ? trace_clock_local+0x9/0x10
  [<ffffffff810fa1f4>] ? rb_reserve_next_event+0x64/0x310
  [<ffffffffa0014c00>] ? ioat2_dma_prep_memcpy_lock+0x60/0x130 [ioatdma]
  [<ffffffff8175ffce>] do_page_fault+0xe/0x10
  [<ffffffff8175c862>] page_fault+0x22/0x30
  [<ffffffff81643991>] ? __kfree_skb+0x51/0xd0
  [<ffffffff813830b9>] ? copy_user_enhanced_fast_string+0x9/0x20
  [<ffffffff81388ea2>] ? memcpy_toiovec+0x52/0xa0
  [<ffffffff8164770f>] skb_copy_datagram_iovec+0x5f/0x2a0
  [<ffffffff8169d0f4>] tcp_rcv_established+0x674/0x7f0
  [<ffffffff816a68c5>] tcp_v4_do_rcv+0x2e5/0x4a0
  [..]
 ---[ end trace e30e3b01191b7617 ]---
 Mapped at:
  [<ffffffff8139c169>] debug_dma_map_page+0xb9/0x160
  [<ffffffff8142bf47>] dma_async_memcpy_pg_to_pg+0x127/0x210
  [<ffffffff8142cce9>] dma_memcpy_pg_to_iovec+0x119/0x1f0
  [<ffffffff81669d3c>] dma_skb_copy_datagram_iovec+0x11c/0x2b0
  [<ffffffff8169d1ca>] tcp_rcv_established+0x74a/0x7f0:

...the problem is that the receive path falls back to cpu-copy in
several locations and this trace is just one of the areas.  A few
options were considered to fix this:

1/ sync all dma whenever a cpu copy branch is taken

2/ modify the page fault handler to hold off while dma is in-flight

Option 1 adds yet more cpu overhead to an "offload" that struggles to compete
with cpu-copy.  Option 2 adds checks for behavior that is already documented as
broken when using get_user_pages().  At a minimum a debug mode is warranted to
catch and flag these violations of the dma-api vs get_user_pages().

Thanks to David for his reproducer.

Cc: <stable@vger.kernel.org>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Reported-by: David Whipple <whipple@securedatainnovations.ch>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2013-12-18 12:53:43 -08:00
..
bestcomm drivers: clean-up prom.h implicit includes 2013-10-09 20:04:04 -05:00
dw Merge branch 'next' of git://git.infradead.org/users/vkoul/slave-dma 2013-11-20 13:20:24 -08:00
ioat Merge commit 'dmaengine-3.13-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/dmaengine 2013-11-16 12:02:36 +05:30
ipu dmaengine: ipu: fix warnings from 64-bit dma_addr_t printouts 2013-11-13 14:10:48 +05:30
ppc4xx dma: fix build warnings in ppc4xx 2013-12-12 22:43:41 -08:00
sh rcar-hpbdma: initialise plane information when halted 2013-11-28 13:46:00 +05:30
acpi-dma.c acpi-dma: remove ugly conversion 2013-08-25 16:43:45 +05:30
amba-pl08x.c Fix pl08x warnings 2013-12-04 11:22:05 +05:30
at_hdmac_regs.h dmaengine: at_hdmac: remove unused function 2013-12-12 22:43:41 -08:00
at_hdmac.c Merge commit 'dmaengine-3.13-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/dmaengine 2013-11-16 12:02:36 +05:30
coh901318_lli.c Merge branch 'next' of git://git.infradead.org/users/vkoul/slave-dma 2013-02-26 09:24:48 -08:00
coh901318.c dmaengine: coh901318: use DMA_COMPLETE for dma completion status 2013-10-25 11:15:56 +05:30
coh901318.h dma: coh901318: merge header files 2013-01-07 17:36:37 +01:00
cppi41.c dma: cppi41: return code > 0 of pm_runtime_get_sync() is not an error 2013-11-12 14:28:25 +05:30
dma-jz4740.c dmaengine: jz4740: use DMA_COMPLETE for dma completion status 2013-10-25 11:15:58 +05:30
dmaengine.c dmaengine: fix sleep in atomic 2013-12-13 00:57:03 -08:00
dmaengine.h dmaengine: consolidate initialization of cookies 2012-03-13 11:37:22 +05:30
dmatest.c dmatest: fix build warning on mips 2013-12-12 22:43:41 -08:00
edma.c Merge branch 'next' of git://git.infradead.org/users/vkoul/slave-dma 2013-11-20 13:20:24 -08:00
ep93xx_dma.c dmaengine: remove DMA unmap from drivers 2013-11-14 11:04:38 -08:00
fsldma.c dma: fix fsldma build warnings 2013-12-12 22:43:41 -08:00
fsldma.h DMA: Freescale: update driver to support 8-channel DMA engine 2013-11-13 14:26:27 +05:30
imx-dma.c Merge branch 'for-linus' into next 2013-10-31 22:36:13 +05:30
imx-sdma.c Merge branch 'next' of git://git.infradead.org/users/vkoul/slave-dma 2013-11-20 13:20:24 -08:00
intel_mid_dma_regs.h dma: fix comments 2012-09-01 08:57:12 -07:00
intel_mid_dma.c dmaengine: intel_mid_dma: use DMA_COMPLETE for dma completion status 2013-10-25 11:16:04 +05:30
iop-adma.c Merge commit 'dmaengine-3.13-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/dmaengine 2013-11-16 12:02:36 +05:30
iovlock.c
k3dma.c dmaengine: k3dma: use DMA_COMPLETE for dma completion status 2013-10-25 11:16:07 +05:30
Kconfig net_dma: mark broken 2013-12-18 12:53:43 -08:00
Makefile dmaengine: add driver for Samsung s3c24xx SoCs 2013-10-08 06:42:10 +09:00
mmp_pdma.c dma: mmp_pdma: add missing platform_set_drvdata() in mmp_pdma_probe() 2013-11-28 13:39:11 +05:30
mmp_tdma.c Merge branch 'next' of git://git.infradead.org/users/vkoul/slave-dma 2013-11-20 13:20:24 -08:00
mpc512x_dma.c drivers: clean-up prom.h implicit includes 2013-10-09 20:04:04 -05:00
mv_xor.c dmaengine: mv_xor: fix oops when channels fail to initialise 2013-12-12 22:48:53 -08:00
mv_xor.h dma: mv_xor: Fix mis-usage of mmio 'base' and 'high_base' registers 2013-11-14 11:04:42 -08:00
mxs-dma.c dma: mxs-dma: Use semaphores for cyclic DMA 2013-11-13 15:38:31 +05:30
of-dma.c dma: of: make error message more meaningful by adding the node name 2013-08-19 14:45:05 +05:30
omap-dma.c dmaengine: omap: use DMA_COMPLETE for dma completion status 2013-10-25 11:16:11 +05:30
pch_dma.c pch_dma: Add MODULE_DEVICE_TABLE 2013-09-02 11:59:58 +05:30
pl330.c dma: pl330: ensure DMA descriptors are zero-initialised 2013-12-18 10:08:56 -08:00
s3c24xx-dma.c dma: fix build breakage in s3c24xx-dma 2013-12-04 11:24:30 +05:30
sa11x0-dma.c dmaengine: sa11x0: use DMA_COMPLETE for dma completion status 2013-10-25 11:16:13 +05:30
sirf-dma.c dmaengine: sirf: add PM entries for sleep and runtime 2013-08-13 17:01:01 +05:30
ste_dma40_ll.c dmaengine: ste_dma40_ll: Replace meaningless register set with comment 2013-06-04 11:12:10 +02:00
ste_dma40_ll.h dmaengine: ste_dma40: Remove unnecessary call to d40_phy_cfg() 2013-05-23 21:13:19 +02:00
ste_dma40.c dmaengine: ste: use DMA_COMPLETE for dma completion status 2013-10-25 11:16:15 +05:30
tegra20-apb-dma.c dmaengine: tegra: use DMA_COMPLETE for dma completion status 2013-10-25 11:16:16 +05:30
timb_dma.c dmaengine: remove DMA unmap from drivers 2013-11-14 11:04:38 -08:00
TODO dmaengine: remove ste_dma40 from issue_pending TODO 2011-07-14 04:02:08 +05:30
txx9dmac.c dma: fix build warnings in txx9 2013-12-12 22:43:41 -08:00
txx9dmac.h dmaengine: move last completed cookie into generic dma_chan structure 2012-03-13 11:36:06 +05:30
virt-dma.c dmaengine: virt-dma: add support for cyclic DMA periodic callbacks 2012-07-01 14:15:23 +01:00
virt-dma.h dmaengine: virt-dma: add support for cyclic DMA periodic callbacks 2012-07-01 14:15:23 +01:00