REGRESSION in 6.0-rc7 caused by patch "ARM/dma-mapping: use dma-direct unconditionally"
Marek Behún
kabel at kernel.org
Thu Oct 20 12:10:31 PDT 2022
On Thu, 20 Oct 2022 19:22:07 +0100
"Russell King (Oracle)" <linux at armlinux.org.uk> wrote:
> On Tue, Oct 04, 2022 at 10:36:05AM +0200, Marcin Wojtas wrote:
> > wt., 4 paź 2022 o 10:26 Marek Behún <kabel at kernel.org> napisał(a):
> > >
> > > On Mon, 3 Oct 2022 23:30:31 +0200
> > > Marcin Wojtas <mw at semihalf.com> wrote:
> > >
> > > > Hi Marek,
> > > >
> > > >
> > > > pon., 3 paź 2022 o 17:33 Marek Behún <kabel at kernel.org> napisał(a):
> > > > >
> > > > > On Mon, 3 Oct 2022 15:11:44 +0100
> > > > > "Russell King (Oracle)" <linux at armlinux.org.uk> wrote:
> > > > >
> > > > > > On Mon, Oct 03, 2022 at 09:30:37AM +0200, Christoph Hellwig wrote:
> > > > > > > On Fri, Sep 30, 2022 at 05:02:05PM +0200, Marek Behún wrote:
> > > > > > > > It seems that the null pointer dereference comes from the data variable
> > > > > > > > having zero value. We assign
> > > > > > > > data = (u8 *)(uintptr_t)rx_desc->buf_cookie;
> > > > > > >
> > > > > > > I never see any assignment to ->buf_cookie in the driver, what am
> > > > > > > I missing?
> > > > > >
> > > > > > I think Marek's setup (like my setups) use the hardware buffer manager,
> > > > > > and it's hardware that fills in the "buf_cookie", which is supposed to
> > > > > > be the virtual address of the buffer.
> > > > > >
> > > > > > Each buffer supplied to the hardware buffer manager is supposed to
> > > > > > contain the virtual address in the first 32-bit word in that buffer.
> > > > > >
> > > > > > This is done by mvneta_bm_construct():
> > > > > >
> > > > > > /* In order to update buf_cookie field of RX descriptor properly,
> > > > > > * BM hardware expects buf virtual address to be placed in the
> > > > > > * first four bytes of mapped buffer.
> > > > > > */
> > > > > > *(u32 *)buf = (u32)buf;
> > > > > >
> > > > > > immediately prior to dma_map_single(..., DMA_FROM_DEVICE) is called.
> > > > > >
> > > > > > If I had to guess, I would suggest that this write is being lost via
> > > > > > cache invalidation, and given that the hardware BM both reads and
> > > > > > writes this buffer, DMA_FROM_DEVICE is not correct, it should be
> > > > > > DMA_BIDIRECTIONAL.
> > > > > >
> > > >
> > > > I think the DMA_FROM_DEVICE is used rather properly in the RX path of
> > > > the driver - the CPU doesn't access the payload afterward. The BM only
> > > > pushes the pointers back and forth between internal SRAM ('internal
> > > > pool' - BPPI) to DRAM ('external pool' - BPPE) and the descriptors,
> > > > but afaik it should not touch the buffer contents. But maybe somehow
> > > > it affects the coherency and DMA_BIDIRECTIONAL are indeed required...
> > > > About the coherency itself - please see my comment below.
> > > >
> > > > Another thought - when writing to *buf (memory normal) shouldn't we add a dsb()?
> > > >
> > > > > > Changing that is probably going to need DMA_FROM_DEVICE also changed
> > > > > > elsewhere in the mvneta_bm and mvneta driver.
> > > > > >
> > > > > > I'm not in a position where I could test that out. Marek?
> > > > > >
> > > > >
> > > > > Hello Russell,
> > > > >
> > > > > thanks for your suggestion!
> > > > >
> > > > > Adding Pali, since he has some information (see at the end of this
> > > > > message).
> > > > >
> > > > > The attached patch seems to solve the null-pointer dereference.
> > > >
> > > > Did you manage to measure performance impact?
> > >
> > > I did not measure any performance impacts. But DMA directianlity
> > > within mvneta seems to be a different bug, as Russell replied, and maybe
> > > was just revealed by this.
> > >
> > > > I have one overall concern here. On all kinds of A38x-based boards I
> > > > worked on, by default, the firmware set all devices (e.g. network,
> > > > AHCI, XHCI) on MBUS as fully IO cache coherent - it should be
> > > > reflected in the MVNETA_WIN_BASE(w) registers attribute field. Bits
> > > > [15:8] should be set to 0x1D (or 0x1E if there is a second DRAM CS
> > > > used). Can you please try adding 'dma-coherent;' property under the
> > > > 'internal-regs' node?
> > >
> > > Yes, adding dma-coherent solves this issue. See other emails. The
> > > proper solution IMO is to default to dma-coherent on the platform,
> > > which can be done in a simple way (I've sent a patch). We want to be
> > > compatible with older device-trees.
> > >
> >
> > Thanks a lot for testing. I agree we must maintain the backward
> > compatibility with older DT's. To summarize, I think we should end up
> > with 3 patches:
> > 1. Update arch/arm/mm/dma-mapping.c as suggested by Christoph.
> > 2. Add 'dma-coherent' in armada-38x.dtsi.
> > 3. Fix DMA attribute in mvneta_bm_construct().
> >
> > In case any help is needed from my side, please let me know.
>
> Is it possible that this would also cause data corruption reading from
> a SATA card on armada-38x platforms?
>
> I'm getting with 6.0:
>
> [ 1.410115] EXT4-fs error (device sda1): htree_dirblock_to_tree:1093: inode #256: block 8797: comm systemd: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=33188, rec_len=35097, size=4096 fake=0
>
> which appears to be due to reading bad data from the SATA device -
> what this tells me in inode and rec_len is not what is actually on
> the device in question.
>
> Booting back to 5.19 gives a clean filesystem which has no errors,
> so it isn't filesystem corruption, it is an inability for 6.0 to
> read data correctly from the device.
>
It's very probable. Don't use 6.0 or apply Christoph's patches.
Marek
More information about the linux-arm-kernel
mailing list