From nobody Sat Aug 09 18:42:46 2025 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bzqX6624Jz646QN; Sat, 09 Aug 2025 18:42:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4bzqX65Kpbz458w; Sat, 09 Aug 2025 18:42:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1754764966; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Sw7wNaIXpFxebZhCXIa2M55N2ojZmFYyVCdGquMAI+I=; b=EXiohZXBRlAWnElz03B1tSj2Gx0z8OO4gXIpx/Ba2P2Ia7j66PGEWTSfMjwsF3U9dneA3U kkVmNIxyy23LM3HIj2Ai+GgMKvDc+aUvux3qBKl47A7L06s0j1y1KrQeT+LwfGVJE6ARNs YXFBjhR44U1svJBt8de5cIFV24BhVwGpUgFEB3PTrIOhFxyNWcB20AB4c/hWcYSX7Xuq64 jLtGeEzqiNVIFPzZmLvqnG2vlcchM2pj6WePh7zDdqzOpPGVsmIfLmbpY+Nqmqe4ARUPgn +mSTn89UAp/NdvtcrZEsbmJXZ5qVakDaCUOWbOiFmxg5KKKqE/omhHlKVfVJdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1754764966; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Sw7wNaIXpFxebZhCXIa2M55N2ojZmFYyVCdGquMAI+I=; b=PBCvSbMSAknd1pyAuaKZl1rCy8WSlP0yDijgbf331X4tsI12UiSLMpSZEZDE6Mogw2TKVT QdiU72Zqy1YbZy3+mdmSWklWJZb1rTrMuYQptMG6O3DVX2Sn2n0HKLQbP1C5XKFWefoEql zuYQJt/sffQNNwv3EOFAoGb+zDZwrmIT4w1v+DRsXOZvm6rJIo4UvGVgWWguQLFhTHOHTL YV96ps0tJXty2x2MeL4FD+IQ6VgzdD4odkWSYd2B/YWQBVflbwe0m/FeasYLmA49Bqhfah JRLcwzqXsjk8qF/SHVqv9+AGnIGDr77+FhRtLXYav2HghOMNtj8W5XHlPEKM3A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1754764966; a=rsa-sha256; cv=none; b=KFt39QJ878Yk5qNHC9bWuodBG5EN07eI+0JabIlr2J5/k6SydfBASjPtwtP8BO/cYve64U dqRYDCPBJA6HxZ0Et3xbBn8rm/6n+kONncvT7QZPdQ5VNAVO4w25XJt7KupWLsFLktnpzT tg+vnVT50D67KI+iE7KmQdwCdzSSgfKaPPmpw0UVULIACbwndYJ+3xXqeRIeuQdNoNkw8x qAg2Slkl/IvEXY54cRkSpzDMsrRi1vf4P3sLF2GAGOb8rq+LPpt9wF9Y1sAp71SvhcZq50 ESQTsEoJsMbRxFLC4iNIaK8Z9uutvxcUlf53YVPVsN2/s9eNcsQibvZ6LNWRjw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bzqX64wfjzZNG; Sat, 09 Aug 2025 18:42:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 579Igk70016176; Sat, 9 Aug 2025 18:42:46 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 579IgkJH016173; Sat, 9 Aug 2025 18:42:46 GMT (envelope-from git) Date: Sat, 9 Aug 2025 18:42:46 GMT Message-Id: <202508091842.579IgkJH016173@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mitchell Horne Subject: git: 60fce0e22147 - main - busdma: another fix for small bounce transfers List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mhorne X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 60fce0e22147e7378e5585258aea0645e2274528 Auto-Submitted: auto-generated The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=60fce0e22147e7378e5585258aea0645e2274528 commit 60fce0e22147e7378e5585258aea0645e2274528 Author: Mitchell Horne AuthorDate: 2025-08-09 18:04:27 +0000 Commit: Mitchell Horne CommitDate: 2025-08-09 18:42:33 +0000 busdma: another fix for small bounce transfers More fallout from a77e1f0f81df. When the tag has an alignment requirement but a small (remaining) transfer size, the transfer will be rounded up to exceed its bounds, resulting in memory corruption. The issue is observed on powerpc as noted in the pull request: https://github.com/freebsd/freebsd-src/pull/1415 I also observe the issue locally on riscv hardware, with an 8-byte transfer having 64-byte alignment. There is some uncertainty about the purpose/need for the alignment roundup; both its original intention and present effect. Notably, it is no longer present at all in arm/arm64 implementations. Possibly, this roundup can be removed altogether, but this requires more careful analysis of the edge-cases and history of the property. For now, simply clamp sgsize to be no larger than the remaining buflen, as this is certain to be correct within the current scheme and fixes the affected transfers. Discussed with: jhb, markj MFC after: 3 weeks Fixes: a77e1f0f81df ("busdma: better handling of small segment bouncing") Sponsored by: The FreeBSD Foundation Pull Request: https://github.com/freebsd/freebsd-src/pull/1415 Signed-off-by: Chattrapat Sangmanee Co-authored-by: Chattrapat Sangmanee Differential Revision: https://reviews.freebsd.org/D47807 --- sys/powerpc/powerpc/busdma_machdep.c | 1 + sys/riscv/riscv/busdma_bounce.c | 1 + sys/x86/x86/busdma_bounce.c | 1 + 3 files changed, 3 insertions(+) diff --git a/sys/powerpc/powerpc/busdma_machdep.c b/sys/powerpc/powerpc/busdma_machdep.c index 65f90aa4affa..65a07c7ebc39 100644 --- a/sys/powerpc/powerpc/busdma_machdep.c +++ b/sys/powerpc/powerpc/busdma_machdep.c @@ -648,6 +648,7 @@ _bus_dmamap_load_buffer(bus_dma_tag_t dmat, sgsize = MIN(buflen, PAGE_SIZE - (curaddr & PAGE_MASK)); if (map->pagesneeded != 0 && must_bounce(dmat, curaddr)) { sgsize = roundup2(sgsize, dmat->alignment); + sgsize = MIN(sgsize, buflen); curaddr = add_bounce_page(dmat, map, kvaddr, curaddr, sgsize); } diff --git a/sys/riscv/riscv/busdma_bounce.c b/sys/riscv/riscv/busdma_bounce.c index f652f08bf5dc..9d9556fc72f9 100644 --- a/sys/riscv/riscv/busdma_bounce.c +++ b/sys/riscv/riscv/busdma_bounce.c @@ -672,6 +672,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf, map->pagesneeded != 0 && addr_needs_bounce(dmat, curaddr)) { sgsize = roundup2(sgsize, dmat->common.alignment); + sgsize = MIN(sgsize, buflen); curaddr = add_bounce_page(dmat, map, kvaddr, curaddr, sgsize); } else if ((dmat->bounce_flags & BF_COHERENT) == 0) { diff --git a/sys/x86/x86/busdma_bounce.c b/sys/x86/x86/busdma_bounce.c index 040174113104..e86279aa9c98 100644 --- a/sys/x86/x86/busdma_bounce.c +++ b/sys/x86/x86/busdma_bounce.c @@ -726,6 +726,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf, map->pagesneeded != 0 && must_bounce(dmat, curaddr)) { sgsize = roundup2(sgsize, dmat->common.alignment); + sgsize = MIN(sgsize, buflen); curaddr = add_bounce_page(dmat, map, kvaddr, curaddr, 0, sgsize); }