linux/drivers/parisc
Mikulas Patocka e46e31a369 parisc iommu: fix panic due to trying to allocate too large region
When using the Promise TX2+ SATA controller on PA-RISC, the system often
crashes with kernel panic, for example just writing data with the dd
utility will make it crash.

Kernel panic - not syncing: drivers/parisc/sba_iommu.c: I/O MMU @ 000000000000a000 is out of mapping resources

CPU: 0 PID: 18442 Comm: mkspadfs Not tainted 4.4.0-rc2 #2
Backtrace:
 [<000000004021497c>] show_stack+0x14/0x20
 [<0000000040410bf0>] dump_stack+0x88/0x100
 [<000000004023978c>] panic+0x124/0x360
 [<0000000040452c18>] sba_alloc_range+0x698/0x6a0
 [<0000000040453150>] sba_map_sg+0x260/0x5b8
 [<000000000c18dbb4>] ata_qc_issue+0x264/0x4a8 [libata]
 [<000000000c19535c>] ata_scsi_translate+0xe4/0x220 [libata]
 [<000000000c19a93c>] ata_scsi_queuecmd+0xbc/0x320 [libata]
 [<0000000040499bbc>] scsi_dispatch_cmd+0xfc/0x130
 [<000000004049da34>] scsi_request_fn+0x6e4/0x970
 [<00000000403e95a8>] __blk_run_queue+0x40/0x60
 [<00000000403e9d8c>] blk_run_queue+0x3c/0x68
 [<000000004049a534>] scsi_run_queue+0x2a4/0x360
 [<000000004049be68>] scsi_end_request+0x1a8/0x238
 [<000000004049de84>] scsi_io_completion+0xfc/0x688
 [<0000000040493c74>] scsi_finish_command+0x17c/0x1d0

The cause of the crash is not exhaustion of the IOMMU space, there is
plenty of free pages. The function sba_alloc_range is called with size
0x11000, thus the pages_needed variable is 0x11. The function
sba_search_bitmap is called with bits_wanted 0x11 and boundary size is
0x10 (because dma_get_seg_boundary(dev) returns 0xffff).

The function sba_search_bitmap attempts to allocate 17 pages that must not
cross 16-page boundary - it can't satisfy this requirement
(iommu_is_span_boundary always returns true) and fails even if there are
many free entries in the IOMMU space.

How did it happen that we try to allocate 17 pages that don't cross
16-page boundary? The cause is in the function iommu_coalesce_chunks. This
function tries to coalesce adjacent entries in the scatterlist. The
function does several checks if it may coalesce one entry with the next,
one of those checks is this:

	if (startsg->length + dma_len > max_seg_size)
		break;

When it finishes coalescing adjacent entries, it allocates the mapping:

sg_dma_len(contig_sg) = dma_len;
dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE);
sg_dma_address(contig_sg) =
	PIDE_FLAG
	| (iommu_alloc_range(ioc, dev, dma_len) << IOVP_SHIFT)
	| dma_offset;

It is possible that (startsg->length + dma_len > max_seg_size) is false
(we are just near the 0x10000 max_seg_size boundary), so the funcion
decides to coalesce this entry with the next entry. When the coalescing
succeeds, the function performs
	dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE);
And now, because of non-zero dma_offset, dma_len is greater than 0x10000.
iommu_alloc_range (a pointer to sba_alloc_range) is called and it attempts
to allocate 17 pages for a device that must not cross 16-page boundary.

To fix the bug, we must make sure that dma_len after addition of
dma_offset and alignment doesn't cross the segment boundary. I.e. change
	if (startsg->length + dma_len > max_seg_size)
		break;
to
	if (ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) > max_seg_size)
		break;

This patch makes this change (it precalculates max_seg_boundary at the
beginning of the function iommu_coalesce_chunks). I also added a check
that the mapping length doesn't exceed dma_get_seg_boundary(dev) (it is
not needed for Promise TX2+ SATA, but it may be needed for other devices
that have dma_get_seg_boundary lower than dma_get_max_seg_size).

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
2015-12-12 16:07:25 +01:00
..
asp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ccio-dma.c pci: remove pci_dma_supported 2015-11-10 16:32:11 -08:00
ccio-rm-dma.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
dino.c PCI: Revert "PCI: Call pci_read_bridge_bases() from core instead of arch code" 2015-09-15 13:18:04 -05:00
eisa_eeprom.c eisa_eeprom: switch to fixed_size_llseek() 2013-06-29 12:57:29 +04:00
eisa_enumerator.c treewide: Fix typo in printk messages 2015-03-06 23:05:39 +01:00
eisa.c parisc: Convert irq namespace 2011-03-29 14:48:08 +02:00
gsc.c parisc: Convert irq namespace 2011-03-29 14:48:08 +02:00
gsc.h
hppb.c drivers/parisc: Use printf extension %pR for struct resource 2013-02-20 22:47:24 +01:00
iommu-helpers.h parisc iommu: fix panic due to trying to allocate too large region 2015-12-12 16:07:25 +01:00
iosapic_private.h
iosapic.c parisc/irq: Use access helper irq_data_get_affinity_mask() 2015-07-31 22:20:04 +02:00
Kconfig parisc: led driver requires CONFIG_VM_EVENT_COUNTERS 2013-02-20 22:51:52 +01:00
lasi.c
lba_pci.c parisc: reduce syslog debug output 2015-10-22 15:45:18 +02:00
led.c procfs: new helper - PDE_DATA(inode) 2013-04-09 14:13:32 -04:00
Makefile
pdc_stable.c parisc: pdc_stable.c: Avoid potential stack overflows 2014-09-21 22:31:08 +02:00
power.c sched, cleanup, treewide: Remove set_current_state(TASK_RUNNING) after schedule() 2014-09-19 12:35:17 +02:00
README.dino Update broken web addresses in the kernel. 2010-10-18 11:03:14 +02:00
sba_iommu.c parisc: use seq_hex_dump() to dump buffers 2015-09-10 13:29:01 -07:00
superio.c parisc: %pf is only for function pointers 2015-04-24 13:45:54 +02:00
wax.c

/*
** HP VISUALIZE Workstation PCI Bus Defect
**
** "HP has discovered a potential system defect that can affect
** the behavior of five models of HP VISUALIZE workstations when
** equipped with third-party or customer-installed PCI I/O expansion
** cards. The defect is limited to the HP C180, C160, C160L, B160L,
** and B132L VISUALIZE workstations, and will only be encountered
** when data is transmitted through PCI I/O expansion cards on the
** PCI bus. HP-supplied graphics cards that utilize the PCI bus are
** not affected."
**
** http://h20000.www2.hp.com/bizsupport/TechSupport/Home.jsp?locale=en_US&prodTypeId=12454&prodSeriesId=44443
**
**	Product		First Good Serial Number
**  C200/C240 (US)	US67350000
**B132L+/B180 (US)	US67390000
**   C200 (Europe)	3713G01000
**  B180L (Europe)	3720G01000
**
** Note that many boards were fixed/replaced under a free replacement
** program. Assume a machine is only "suspect" until proven otherwise.
**
** "The pci_check program will also be available as application
**  patch PHSS_12295"
*/