DMA mapping API on 32-bit X86 with CONFIG_HIGHMEM64G

From: Robert Hancock
Date: Mon Feb 11 2008 - 23:16:39 EST


I was looking at the out-of-tree driver for a PCI high-security module (from a vendor who shall remain nameless) today, as we had a problem reported where the device didn't work properly if the computer had more than 4GB of RAM (this is x86 32-bit, with CONFIG_HIGHMEM64G enabled).

Essentially what it was doing was taking some memory that the userspace app was transferring to/from the device, doing get_user_pages on it, and then using the old-style page_to_phys, etc. functions to DMA on that memory instead of the modern DMA API.

However, I'm not sure this strategy would have worked on this platform even if it had been using the proper DMA API. This device has 32-bit DMA limits and is transferring userspace buffers which with HIGHMEM64G enabled could easily have physical addresses over 4GB. The strategy that Linux Device Drivers, 3rd Edition (chapter 15) suggests is doing get_user_pages, creating an SG list from the returned pages and then using dma_map_sg on that list. However, essentially all dma_map_sg in include/asm-x86/dma-mapping_32.h is:

for_each_sg(sglist, sg, nents, i) {
BUG_ON(!sg_page(sg));

sg->dma_address = sg_phys(sg);
}

which does nothing to ensure that the returned physical address is within the device's DMA mask. On 64-bit this triggers IOMMU mapping but on 32-bit it doesn't seem like this case is handled at all. I believe the block and networking layers have their own ways of ensuring that they don't feed such buffers to their drivers if they can't handle it, but a basic character device driver is kind of left out in the cold here and the DMA API doesn't appear to work as documented in this case. Given that x86-32 kernels don't implement any IOMMU support I'm not sure what it actually could do, other than implementing some kind of software bounce buffering of its own..

Are there any in-tree drivers that use this DMA mapping on get_user_pages strategy that could be affected by this?

I think the get_free_pages trick is actually pretty silly in this case, the size of the data being transferred is likely such that it would be just as fast or faster to copy to a kernel buffer and DMA to/from there..
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/