forked from Minki/linux
566fb90e05
swiotlb-xen uses very different ways to allocate coherent memory on x86 vs arm. On the former it allocates memory from the page allocator, while on the later it reuses the dma-direct allocator the handles the complexities of non-coherent DMA on arm platforms. Unfortunately the complexities of trying to deal with the two cases in the swiotlb-xen.c code lead to a bug in the handling of DMA_ATTR_NO_KERNEL_MAPPING on arm. With the DMA_ATTR_NO_KERNEL_MAPPING flag the coherent memory allocator does not actually allocate coherent memory, but just a DMA handle for some memory that is DMA addressable by the device, but which does not have to have a kernel mapping. Thus dereferencing the return value will lead to kernel crashed and memory corruption. Fix this by using the dma-direct allocator directly for arm, which works perfectly fine because on arm swiotlb-xen is only used when the domain is 1:1 mapped, and then simplifying the remaining code to only cater for the x86 case with DMA coherent device. Reported-by: Rahul Singh <Rahul.Singh@arm.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Rahul Singh <rahul.singh@arm.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Tested-by: Rahul Singh <rahul.singh@arm.com>
144 lines
3.8 KiB
C
144 lines
3.8 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
#include <linux/cpu.h>
|
|
#include <linux/dma-direct.h>
|
|
#include <linux/dma-map-ops.h>
|
|
#include <linux/gfp.h>
|
|
#include <linux/highmem.h>
|
|
#include <linux/export.h>
|
|
#include <linux/memblock.h>
|
|
#include <linux/of_address.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/types.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/swiotlb.h>
|
|
|
|
#include <xen/xen.h>
|
|
#include <xen/interface/grant_table.h>
|
|
#include <xen/interface/memory.h>
|
|
#include <xen/page.h>
|
|
#include <xen/xen-ops.h>
|
|
#include <xen/swiotlb-xen.h>
|
|
|
|
#include <asm/cacheflush.h>
|
|
#include <asm/xen/hypercall.h>
|
|
#include <asm/xen/interface.h>
|
|
|
|
static gfp_t xen_swiotlb_gfp(void)
|
|
{
|
|
phys_addr_t base;
|
|
u64 i;
|
|
|
|
for_each_mem_range(i, &base, NULL) {
|
|
if (base < (phys_addr_t)0xffffffff) {
|
|
if (IS_ENABLED(CONFIG_ZONE_DMA32))
|
|
return __GFP_DMA32;
|
|
return __GFP_DMA;
|
|
}
|
|
}
|
|
|
|
return GFP_KERNEL;
|
|
}
|
|
|
|
static bool hypercall_cflush = false;
|
|
|
|
/* buffers in highmem or foreign pages cannot cross page boundaries */
|
|
static void dma_cache_maint(struct device *dev, dma_addr_t handle,
|
|
size_t size, u32 op)
|
|
{
|
|
struct gnttab_cache_flush cflush;
|
|
|
|
cflush.offset = xen_offset_in_page(handle);
|
|
cflush.op = op;
|
|
handle &= XEN_PAGE_MASK;
|
|
|
|
do {
|
|
cflush.a.dev_bus_addr = dma_to_phys(dev, handle);
|
|
|
|
if (size + cflush.offset > XEN_PAGE_SIZE)
|
|
cflush.length = XEN_PAGE_SIZE - cflush.offset;
|
|
else
|
|
cflush.length = size;
|
|
|
|
HYPERVISOR_grant_table_op(GNTTABOP_cache_flush, &cflush, 1);
|
|
|
|
cflush.offset = 0;
|
|
handle += cflush.length;
|
|
size -= cflush.length;
|
|
} while (size);
|
|
}
|
|
|
|
/*
|
|
* Dom0 is mapped 1:1, and while the Linux page can span across multiple Xen
|
|
* pages, it is not possible for it to contain a mix of local and foreign Xen
|
|
* pages. Calling pfn_valid on a foreign mfn will always return false, so if
|
|
* pfn_valid returns true the pages is local and we can use the native
|
|
* dma-direct functions, otherwise we call the Xen specific version.
|
|
*/
|
|
void xen_dma_sync_for_cpu(struct device *dev, dma_addr_t handle,
|
|
size_t size, enum dma_data_direction dir)
|
|
{
|
|
if (dir != DMA_TO_DEVICE)
|
|
dma_cache_maint(dev, handle, size, GNTTAB_CACHE_INVAL);
|
|
}
|
|
|
|
void xen_dma_sync_for_device(struct device *dev, dma_addr_t handle,
|
|
size_t size, enum dma_data_direction dir)
|
|
{
|
|
if (dir == DMA_FROM_DEVICE)
|
|
dma_cache_maint(dev, handle, size, GNTTAB_CACHE_INVAL);
|
|
else
|
|
dma_cache_maint(dev, handle, size, GNTTAB_CACHE_CLEAN);
|
|
}
|
|
|
|
bool xen_arch_need_swiotlb(struct device *dev,
|
|
phys_addr_t phys,
|
|
dma_addr_t dev_addr)
|
|
{
|
|
unsigned int xen_pfn = XEN_PFN_DOWN(phys);
|
|
unsigned int bfn = XEN_PFN_DOWN(dma_to_phys(dev, dev_addr));
|
|
|
|
/*
|
|
* The swiotlb buffer should be used if
|
|
* - Xen doesn't have the cache flush hypercall
|
|
* - The Linux page refers to foreign memory
|
|
* - The device doesn't support coherent DMA request
|
|
*
|
|
* The Linux page may be spanned acrros multiple Xen page, although
|
|
* it's not possible to have a mix of local and foreign Xen page.
|
|
* Furthermore, range_straddles_page_boundary is already checking
|
|
* if buffer is physically contiguous in the host RAM.
|
|
*
|
|
* Therefore we only need to check the first Xen page to know if we
|
|
* require a bounce buffer because the device doesn't support coherent
|
|
* memory and we are not able to flush the cache.
|
|
*/
|
|
return (!hypercall_cflush && (xen_pfn != bfn) &&
|
|
!dev_is_dma_coherent(dev));
|
|
}
|
|
|
|
static int __init xen_mm_init(void)
|
|
{
|
|
struct gnttab_cache_flush cflush;
|
|
int rc;
|
|
|
|
if (!xen_swiotlb_detect())
|
|
return 0;
|
|
|
|
/* we can work with the default swiotlb */
|
|
if (!io_tlb_default_mem.nslabs) {
|
|
rc = swiotlb_init_late(swiotlb_size_or_default(),
|
|
xen_swiotlb_gfp(), NULL);
|
|
if (rc < 0)
|
|
return rc;
|
|
}
|
|
|
|
cflush.op = 0;
|
|
cflush.a.dev_bus_addr = 0;
|
|
cflush.offset = 0;
|
|
cflush.length = 0;
|
|
if (HYPERVISOR_grant_table_op(GNTTABOP_cache_flush, &cflush, 1) != -ENOSYS)
|
|
hypercall_cflush = true;
|
|
return 0;
|
|
}
|
|
arch_initcall(xen_mm_init);
|