RE: Data corruption on i.MX6 IPU in arm_copy_from_user()

From: David Laight
Date: Thu May 27 2021 - 10:06:20 EST


From: Russell King <linux@xxxxxxxxxxxxxxx>
> Sent: 26 May 2021 14:19
>
> On Wed, May 26, 2021 at 02:29:07PM +0200, Krzysztof Hałasa wrote:
> > "Russell King (Oracle)" <linux@xxxxxxxxxxxxxxx> writes:
> >
> > > Surely someone is not using copy_*_user() to copy data from userspace
> > > direct to MMIO space... that would be crazy.
> >
> > No, it's the other way around: reading MMIO mapped to userspace (mmap
> > on /dev/mem) and copying it to simple kernel buffer (e.g. pipe buffer).
> > I.e., the MMIO is the userspace here (thus copy_from_user()).
>
> Ah. I think we assume copy_from_user() will be used on memory only and
> not device mappings.
>
> In any case, looking at the architecture reference manual, LDM is
> permitted on device and strongly ordered mappings, and the memory
> subsystem is required to decompose it into a series of 32-bit accesses.
> So, it sounds to me like there could be a hardware bug in the buses/IPU
> causing this.
>
> Can you try using LDM directly inside the kernel and seeing what effect
> it has when reading the IPU? A simple test module should be sufficient.
> I suspect it'll show the same thing - basically, that using LDM to the
> IPU is broken.

I was wondering if there is some kind of page fault on the first access?

What happens if you repeat the write() ?

FWIW you don't want to try this on x86.
The MMIO addresses are likely to be uncached but the copy
function is likely to decide to use the ERMS 'rep movsb' so
suddenly you get single byte PCIe reads!
What you really want is the largest AVX register available.

David

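An added example, not code from this thread, from the kernel or from the IPU driver: the comparison Russell asks for, written as a user-space harness against the same /dev/mem mapping the original report used (copy_from_user() reads that user mapping, so an LDM issued from user space hits the same device mapping), rather than as a kernel test module. Each 16-byte window is read with four 32-bit loads, with one LDM of four registers, and with plain memcpy(), and any disagreement is printed. The physical base address, window length and repeat count are assumptions given on the command line; the constructed RAM buffer in self_check() only proves the harness itself works. It needs root, a /dev/mem that exposes the range, and a register block with no read side effects.

```c
/* ipu_ldm_test.c: added example, not code from the thread or the kernel.
 * Reads each 16-byte window of an MMIO range mapped from /dev/mem three ways
 * (four 32-bit loads; one LDM of four registers, as arm_copy_from_user()
 * issues; plain memcpy, which on x86 may become ERMS 'rep movsb' byte reads)
 * and reports the windows where the methods disagree. Physical base, length
 * and repeat count are command-line arguments; no register address is assumed. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define WIN_WORDS 4 /* one LDM of four registers = 16 bytes */

/* Four individual 32-bit loads; volatile stops the compiler merging them. */
static void read_words(const volatile uint32_t *src, uint32_t out[WIN_WORDS])
{
    for (int i = 0; i < WIN_WORDS; i++)
        out[i] = src[i];
}

/* One LDM on 32-bit ARM; elsewhere fall back to word loads so the file builds. */
static void read_ldm(const volatile uint32_t *src, uint32_t out[WIN_WORDS])
{
#if defined(__arm__)
    __asm__ __volatile__("ldm %[s], {r1, r2, r3, r4}\n\t"
                         "stm %[d], {r1, r2, r3, r4}"
                         : : [s] "r"(src), [d] "r"(out)
                         : "r1", "r2", "r3", "r4", "memory");
#else
    read_words(src, out);
#endif
}

/* Compare LDM and memcpy against the word-by-word reference.
 * Returns a bitmask: bit 0 = LDM differs, bit 1 = memcpy differs.
 * Registers that change on read (FIFOs, clear-on-read status) differ between
 * any two reads, so point this only at static registers. */
static unsigned check_window(const volatile uint32_t *src)
{
    uint32_t ref[WIN_WORDS], ldm[WIN_WORDS], mc[WIN_WORDS];
    unsigned mask = 0;

    read_words(src, ref);
    read_ldm(src, ldm);
    memcpy(mc, (const void *)src, sizeof mc); /* cast drops volatile on purpose */
    if (memcmp(ref, ldm, sizeof ref) != 0) mask |= 1u;
    if (memcmp(ref, mc, sizeof ref) != 0)  mask |= 2u;
    return mask;
}

/* Sanity check on ordinary RAM with constructed data: everything must agree. */
static unsigned self_check(void)
{
    uint32_t ram[WIN_WORDS] = {0x11223344u, 0x55667788u, 0x99aabbccu, 0xddeeff00u};
    uint32_t got[WIN_WORDS];

    read_ldm(ram, got);
    if (memcmp(ram, got, sizeof ram) != 0)
        return 4u;            /* LDM did not even copy RAM correctly */
    return check_window(ram); /* 0 on a sane system */
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <phys-base-hex> <len-hex> <repeats>\n", argv[0]);
        return 2;
    }
    if (self_check() != 0) {
        fprintf(stderr, "self check on RAM failed\n");
        return 1;
    }
    unsigned long base = strtoul(argv[1], NULL, 16);
    unsigned long len  = strtoul(argv[2], NULL, 16);
    int reps           = atoi(argv[3]);
    unsigned long page = (unsigned long)sysconf(_SC_PAGESIZE);
    unsigned long off  = base & (page - 1); /* mmap needs a page-aligned offset */

    int fd = open("/dev/mem", O_RDONLY | O_SYNC);
    if (fd < 0) { perror("/dev/mem"); return 1; }
    uint8_t *map = mmap(NULL, off + len, PROT_READ, MAP_SHARED, fd, base - off);
    if (map == MAP_FAILED) { perror("mmap"); return 1; }

    /* Repeating the pass separates a first-touch effect from a steady one. */
    for (int r = 0; r < reps; r++)
        for (unsigned long o = 0; o + 16 <= len; o += 16) {
            unsigned m = check_window((const volatile uint32_t *)(map + off + o));
            if (m)
                printf("pass %d +0x%lx: %s%s\n", r, o,
                       (m & 1) ? "ldm " : "", (m & 2) ? "memcpy" : "");
        }
    munmap(map, off + len);
    close(fd);
    return 0;
}
```

Run it on the board as root, e.g. `./ipu_ldm_test <ipu-base> 0x100 3` with the base taken from the board's device tree. A window reported only on pass 0 points at a first-touch effect (David's question about repeating the write()); a window reported on every pass with "ldm" but not "memcpy" means the bus is returning different data for the multi-register load than for four single loads, which is the hardware behaviour Russell suspects. On a non-ARM host the LDM path degrades to word loads, so only the memcpy column is meaningful there.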