Re: [PATCH 1/5] block: rewrite blk_bvec_map_sg to avoid a nth_page call

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Apr 19, 2019 at 10:27 AM Ming Lei <tom.leiming@xxxxxxxxx> wrote:
>
> On Thu, Apr 18, 2019 at 5:59 AM Guenter Roeck <linux@xxxxxxxxxxxx> wrote:
> >
> > On Wed, Apr 17, 2019 at 07:27:24AM +0200, Christoph Hellwig wrote:
> > > Now that I've fixed the sparc32 iommu code in another thread:  can
> > > you send me your rootfs and qemu arm command line for the failing
> > > one?  I have a hard time parsing your buildbot output.
> >
> > FWIW: mmc_blk_data_prep() calls blk_rq_map_sg() with a large offset value.
> > The old code translated this into:
> >
> > blk_bvec_map_sg(q=c77a0000 len=13824 offset=18944)
> >   sg_set_page(sg=c6015000 p=c7efd180 l=13824 o=2560)
> >
> > The new code leaves offset unchanged:
> >
> > blk_bvec_map_sg(q=c76c0528 len=13824 offset=18944)
> >   sg_set_page(sg=c6035000 p=c7f2af00 l=13824 o=18944)
> >
> > Traceback:
> >
> > [<c065e3d4>] (blk_rq_map_sg) from [<c0ca1444>] (mmc_blk_data_prep+0x1b0/0x2c8)
> > [<c0ca1444>] (mmc_blk_data_prep) from [<c0ca15ac>] (mmc_blk_rw_rq_prep+0x50/0x178)
> > [<c0ca15ac>] (mmc_blk_rw_rq_prep) from [<c0ca48bc>] (mmc_blk_mq_issue_rq+0x290/0x878)
> > [<c0ca48bc>] (mmc_blk_mq_issue_rq) from [<c0ca52e4>] (mmc_mq_queue_rq+0x128/0x234)
> > [<c0ca52e4>] (mmc_mq_queue_rq) from [<c066350c>] (blk_mq_dispatch_rq_list+0xc8/0x5e8)
> > [<c066350c>] (blk_mq_dispatch_rq_list) from [<c06681a8>] (blk_mq_do_dispatch_sched+0x60/0xfc)
> > [<c06681a8>] (blk_mq_do_dispatch_sched) from [<c06688b8>] (blk_mq_sched_dispatch_requests+0x134/0x1b0)
> > [<c06688b8>] (blk_mq_sched_dispatch_requests) from [<c0661f08>] (__blk_mq_run_hw_queue+0xa4/0x138)
> > [<c0661f08>] (__blk_mq_run_hw_queue) from [<c03622a0>] (process_one_work+0x218/0x510)
> > [<c03622a0>] (process_one_work) from [<c0363230>] (worker_thread+0x44/0x5bc)
> >
> > This results in bad data transfers, which ultimately causes the crash.
>
> There are several bugs related with kmap(sg_page(sg)), such as:
>
> sdhci_kmap_atomic()
> tmio_mmc_kmap_atomic()
> wbsd_map_sg()

Cc mmc maillist:

Looks there are more such bad uses:

au1xmmc_send_pio()
au1xmmc_receive_pio()
mmc_spi_data_do()
sdricoh_request()

However, seems tifm_sd.c notices this issue, see tifm_sd_transfer_data().

Thanks,
Ming Lei
[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux