tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

dma-buf: heaps: Skip sync if not mapped

This patch is basically a port of Ørjan Eide's similar patch for ION
https://lore.kernel.org/lkml/20200414134629.54567-1-orjan.eide@arm.com/

Only sync the sg-list of dma-buf heap attachment when the attachment
is actually mapped on the device.

dma-bufs may be synced at any time. It can be reached from user space
via DMA_BUF_IOCTL_SYNC, so there are no guarantees from callers on when
syncs may be attempted, and dma_buf_end_cpu_access() and
dma_buf_begin_cpu_access() may not be paired.

Since the sg_list's dma_address isn't set up until the buffer is used
on the device, and dma_map_sg() is called on it, the dma_address will be
NULL if sync is attempted on the dma-buf before it's mapped on a device.

Before v5.0 (commit 55897af63091 ("dma-direct: merge swiotlb_dma_ops
into the dma_direct code")) this was a problem as the dma-api (at least
the swiotlb_dma_ops on arm64) would use the potentially invalid
dma_address. How that failed depended on how the device handled physical
address 0. If 0 was a valid address to physical ram, that page would get
flushed a lot, while the actual pages in the buffer would not get synced
correctly. While if 0 is an invalid physical address it may cause a
fault and trigger a crash.

In v5.0 this was incidentally fixed by commit 55897af63091 ("dma-direct:
merge swiotlb_dma_ops into the dma_direct code"), as this moved the
dma-api to use the page pointer in the sg_list, and (for Ion buffers at
least) this will always be valid if the sg_list exists at all.

But, this issue is re-introduced in v5.3 with
commit 449fa54d6815 ("dma-direct: correct the physical addr in
dma_direct_sync_sg_for_cpu/device") moves the dma-api back to the old
behaviour and picks the dma_address that may be invalid.

dma-buf core doesn't ensure that the buffer is mapped on the device, and
thus have a valid sg_list, before calling the exporter's
begin_cpu_access.

Logic and commit message originally by: Ørjan Eide <orjan.eide@arm.com>

Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Liam Mark <lmark@codeaurora.org>
Cc: Laura Abbott <labbott@kernel.org>
Cc: Brian Starkey <Brian.Starkey@arm.com>
Cc: Hridya Valsaraju <hridya@google.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Sandeep Patil <sspatil@google.com>
Cc: Daniel Mentz <danielmentz@google.com>
Cc: Chris Goldsworthy <cgoldswo@codeaurora.org>
Cc: Ørjan Eide <orjan.eide@arm.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Ezequiel Garcia <ezequiel@collabora.com>
Cc: Simon Ser <contact@emersion.fr>
Cc: James Jones <jajones@nvidia.com>
Cc: linux-media@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Reviewed-by: Brian Starkey <brian.starkey@arm.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20201121235002.69945-5-john.stultz@linaro.org

authored by

John Stultz and committed by
Sumit Semwal 4c68e499 064fae53

+20
+10
drivers/dma-buf/heaps/cma_heap.c
··· 43 43 struct device *dev; 44 44 struct sg_table table; 45 45 struct list_head list; 46 + bool mapped; 46 47 }; 47 48 48 49 static int cma_heap_attach(struct dma_buf *dmabuf, ··· 68 67 69 68 a->dev = attachment->dev; 70 69 INIT_LIST_HEAD(&a->list); 70 + a->mapped = false; 71 71 72 72 attachment->priv = a; 73 73 ··· 103 101 ret = dma_map_sgtable(attachment->dev, table, direction, 0); 104 102 if (ret) 105 103 return ERR_PTR(-ENOMEM); 104 + a->mapped = true; 106 105 return table; 107 106 } 108 107 ··· 111 108 struct sg_table *table, 112 109 enum dma_data_direction direction) 113 110 { 111 + struct dma_heap_attachment *a = attachment->priv; 112 + 113 + a->mapped = false; 114 114 dma_unmap_sgtable(attachment->dev, table, direction, 0); 115 115 } 116 116 ··· 128 122 129 123 mutex_lock(&buffer->lock); 130 124 list_for_each_entry(a, &buffer->attachments, list) { 125 + if (!a->mapped) 126 + continue; 131 127 dma_sync_sgtable_for_cpu(a->dev, &a->table, direction); 132 128 } 133 129 mutex_unlock(&buffer->lock); ··· 148 140 149 141 mutex_lock(&buffer->lock); 150 142 list_for_each_entry(a, &buffer->attachments, list) { 143 + if (!a->mapped) 144 + continue; 151 145 dma_sync_sgtable_for_device(a->dev, &a->table, direction); 152 146 } 153 147 mutex_unlock(&buffer->lock);
+10
drivers/dma-buf/heaps/system_heap.c
··· 37 37 struct device *dev; 38 38 struct sg_table *table; 39 39 struct list_head list; 40 + bool mapped; 40 41 }; 41 42 42 43 static struct sg_table *dup_sg_table(struct sg_table *table) ··· 85 84 a->table = table; 86 85 a->dev = attachment->dev; 87 86 INIT_LIST_HEAD(&a->list); 87 + a->mapped = false; 88 88 89 89 attachment->priv = a; 90 90 ··· 122 120 if (ret) 123 121 return ERR_PTR(ret); 124 122 123 + a->mapped = true; 125 124 return table; 126 125 } 127 126 ··· 130 127 struct sg_table *table, 131 128 enum dma_data_direction direction) 132 129 { 130 + struct dma_heap_attachment *a = attachment->priv; 131 + 132 + a->mapped = false; 133 133 dma_unmap_sgtable(attachment->dev, table, direction, 0); 134 134 } 135 135 ··· 148 142 invalidate_kernel_vmap_range(buffer->vaddr, buffer->len); 149 143 150 144 list_for_each_entry(a, &buffer->attachments, list) { 145 + if (!a->mapped) 146 + continue; 151 147 dma_sync_sgtable_for_cpu(a->dev, a->table, direction); 152 148 } 153 149 mutex_unlock(&buffer->lock); ··· 169 161 flush_kernel_vmap_range(buffer->vaddr, buffer->len); 170 162 171 163 list_for_each_entry(a, &buffer->attachments, list) { 164 + if (!a->mapped) 165 + continue; 172 166 dma_sync_sgtable_for_device(a->dev, a->table, direction); 173 167 } 174 168 mutex_unlock(&buffer->lock);