[PATCH] arm: dma-mapping: Fix mapping size value

[PATCH] arm: dma-mapping: Fix mapping size value

[Ritesh Harjani]

I am finding an oops after following commit. I am on 3.10.30 kernel but applied
all the latest patches from arch/arm/mm/dma-mapping.c

I added some debug logs to see what is the error, on which I found that we are
incorrectly setting mapping->size value.
Please take a look at this and correct me if I am wrong here.

FAULTY COMMIT:
commit 68efd7d2fb32c2606f1da318b6a851
d933813f27
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Tue Feb 25 13:01:09 2014 +0100

    arm: dma-mapping: remove order parameter from arm_iommu_create_mapping()


OOPS LOGS:
[26.898145] __alloc_iova#LINE: 1097 start = 0x3500
[26.898159] __alloc_iova#LINE:1136 iova = 0x53500000
[26.898170] __alloc_iova#LINE:1138 mapping->base= 0x50000000
[26.898181] __alloc_iova#LINE:1140 mapping->size = 0x1000000, i = 0
[26.924442] __free_iova, bitmap_index = 3

[Ritesh]: bitmap_index should be 0 for address 0x53500000. see in alloc_iova
above.

[26.924454] __free_iova,addr = 0x53500000
[26.924463] __free_iova,mapping->base = 0x50000000
[26.924472] __free_iova,mapping->size = 0x1000000
[26.924482] __free_iova,bitmap_base = 0x53000000
[26.924490] __free_iova, start = 0x500

[Ritesh]: start should be 0x3500 for address 0x53500000. see in alloc_iova
above.

[26.924533] Unable to handle kernel NULL pointer dereference at virtual
address 000000a0
[26.924543] pgd = e7a84000
[26.924558] [000000a0] *pgd=00000000
[26.924572] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[26.924598] Modules linked in:
[26.924613] CPU: 1 PID: 2263 Comm: BufferLiberator Not tainted 3.10.30+
#144
[26.924624] task: e7370a40 ti: e6e06000 task.ti: e6e06000
[26.924644] PC is at bitmap_clear+0x48/0xd0
[26.924659] LR is at __iommu_remove_mapping+0x130/0x164
[26.924673] pc : [<c02d0814>]    lr : [<c001bd30>]    psr: 20000093
[26.924673] sp : e6e07e20  ip : ffffffff  fp : e6e07e3c
[26.924682] r10: 00000500  r9 : c1333ea8  r8 : 80000013
[26.924692] r7 : ffffffff  r6 : 00000321  r5 : 000000a0  r4 : 00000028
[26.924707] r3 : 00000000  r2 : 00000341  r1 : 00000500  r0 : 00000000
[26.924730] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment
user
[26.924742] Control: 10c5387d  Table: 77a8406a  DAC: 00000015


See below on how this is wrong:

here iova_base = 0x50000000
iova_size = 0x20000000
=> bits needed to map = 131072.
        => bitmap_size = 0x4000
        since bitmap_size > PAGE_SIZE
        => bitmap_size = PAGE_SIZE,  extensions = 4;

Now, mapping->size is currently set as bitmap_size << PAGE_SHIFT.
        =>mapping->size = 0x1000000.
mapping->size is the IOVA size, which one bitmap can address.

Now mapping->size * extensions should be size (0x20000000).
which is not true, => our bitmap_size is set wrong.

it should be (mapping->bits << PAGE_SIZE) or say
(BITS_PER_BYTE * bitmap_size << PAGE_SIZE)
        => (8 * 0x1000) << 12) = 0x8000000
With this IOVA_SIZE = extensions * mapping->size = 0x20000000



PATCH:

Currently mapping->size is wrongly set resulting
in OOPS (atleast we see OOPS with extension 4).

Fix this.

Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
---
 arch/arm/mm/dma-mapping.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index f62aa06..d1701a2 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
dma_addr_t base, size_t size)
        mapping->nr_bitmaps = 1;
        mapping->extensions = extensions;
        mapping->base = base;
-       mapping->size = bitmap_size << PAGE_SHIFT;
        mapping->bits = BITS_PER_BYTE * bitmap_size;
+       mapping->size = mapping->bits << PAGE_SHIFT;

        spin_lock_init(&mapping->lock);

--
1.8.1.3

[PATCH] arm: dma-mapping: Fix mapping size value

[Ritesh Harjani]

In explaining the issue below, made a mistake of taking PAGE_SIZE
instead of PAGE_SHIFT (mistake mentioned inline).
Although numerical values and patch is correct.


On Sat, Apr 19, 2014 at 4:49 PM, Ritesh Harjani
<ritesh.harjani@gmail.com> wrote:
> I am finding an oops after following commit. I am on 3.10.30 kernel but applied
> all the latest patches from arch/arm/mm/dma-mapping.c
>
> I added some debug logs to see what is the error, on which I found that we are
> incorrectly setting mapping->size value.
> Please take a look at this and correct me if I am wrong here.
>
> FAULTY COMMIT:
> commit 68efd7d2fb32c2606f1da318b6a851
> d933813f27
> Author: Marek Szyprowski <m.szyprowski@samsung.com>
> Date:   Tue Feb 25 13:01:09 2014 +0100
>
>     arm: dma-mapping: remove order parameter from arm_iommu_create_mapping()
>
>
> OOPS LOGS:
> [26.898145] __alloc_iova#LINE: 1097 start = 0x3500
> [26.898159] __alloc_iova#LINE:1136 iova = 0x53500000
> [26.898170] __alloc_iova#LINE:1138 mapping->base= 0x50000000
> [26.898181] __alloc_iova#LINE:1140 mapping->size = 0x1000000, i = 0
> [26.924442] __free_iova, bitmap_index = 3
>
> [Ritesh]: bitmap_index should be 0 for address 0x53500000. see in alloc_iova
> above.
>
> [26.924454] __free_iova,addr = 0x53500000
> [26.924463] __free_iova,mapping->base = 0x50000000
> [26.924472] __free_iova,mapping->size = 0x1000000
> [26.924482] __free_iova,bitmap_base = 0x53000000
> [26.924490] __free_iova, start = 0x500
>
> [Ritesh]: start should be 0x3500 for address 0x53500000. see in alloc_iova
> above.
>
> [26.924533] Unable to handle kernel NULL pointer dereference at virtual
> address 000000a0
> [26.924543] pgd = e7a84000
> [26.924558] [000000a0] *pgd=00000000
> [26.924572] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> [26.924598] Modules linked in:
> [26.924613] CPU: 1 PID: 2263 Comm: BufferLiberator Not tainted 3.10.30+
> #144
> [26.924624] task: e7370a40 ti: e6e06000 task.ti: e6e06000
> [26.924644] PC is at bitmap_clear+0x48/0xd0
> [26.924659] LR is at __iommu_remove_mapping+0x130/0x164
> [26.924673] pc : [<c02d0814>]    lr : [<c001bd30>]    psr: 20000093
> [26.924673] sp : e6e07e20  ip : ffffffff  fp : e6e07e3c
> [26.924682] r10: 00000500  r9 : c1333ea8  r8 : 80000013
> [26.924692] r7 : ffffffff  r6 : 00000321  r5 : 000000a0  r4 : 00000028
> [26.924707] r3 : 00000000  r2 : 00000341  r1 : 00000500  r0 : 00000000
> [26.924730] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment
> user
> [26.924742] Control: 10c5387d  Table: 77a8406a  DAC: 00000015
>
>
> See below on how this is wrong:
>
> here iova_base = 0x50000000
> iova_size = 0x20000000
> => bits needed to map = 131072.
>         => bitmap_size = 0x4000
>         since bitmap_size > PAGE_SIZE
>         => bitmap_size = PAGE_SIZE,  extensions = 4;
>
> Now, mapping->size is currently set as bitmap_size << PAGE_SHIFT.
>         =>mapping->size = 0x1000000.
> mapping->size is the IOVA size, which one bitmap can address.
>
> Now mapping->size * extensions should be size (0x20000000).
> which is not true, => our bitmap_size is set wrong.
>
> it should be (mapping->bits << PAGE_SIZE) or say

It should be PAGE_SHIFT here.
> (BITS_PER_BYTE * bitmap_size << PAGE_SIZE)

It should be PAGE_SHIFT here.

>         => (8 * 0x1000) << 12) = 0x8000000
> With this IOVA_SIZE = extensions * mapping->size = 0x20000000
>
>
>
> PATCH:
>
> Currently mapping->size is wrongly set resulting
> in OOPS (atleast we see OOPS with extension 4).
>
> Fix this.
>
> Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> ---
>  arch/arm/mm/dma-mapping.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index f62aa06..d1701a2 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
> dma_addr_t base, size_t size)
>         mapping->nr_bitmaps = 1;
>         mapping->extensions = extensions;
>         mapping->base = base;
> -       mapping->size = bitmap_size << PAGE_SHIFT;
>         mapping->bits = BITS_PER_BYTE * bitmap_size;
> +       mapping->size = mapping->bits << PAGE_SHIFT;
>
>         spin_lock_init(&mapping->lock);
>
> --
> 1.8.1.3

[PATCH] arm: dma-mapping: Fix mapping size value

[Laurent Pinchart]

Hi Ritesh,

On Saturday 19 April 2014 16:55:30 Ritesh Harjani wrote:
> In explaining the issue below, made a mistake of taking PAGE_SIZE
> instead of PAGE_SHIFT (mistake mentioned inline).
> Although numerical values and patch is correct.

I was about to send the same patch, so, provided you fix the commit message,

Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

> On Sat, Apr 19, 2014 at 4:49 PM, Ritesh Harjani
> 
> <ritesh.harjani@gmail.com> wrote:
> > I am finding an oops after following commit. I am on 3.10.30 kernel but
> > applied all the latest patches from arch/arm/mm/dma-mapping.c
> > 
> > I added some debug logs to see what is the error, on which I found that we
> > are incorrectly setting mapping->size value.
> > Please take a look at this and correct me if I am wrong here.
> > 
> > FAULTY COMMIT:
> > commit 68efd7d2fb32c2606f1da318b6a851
> > d933813f27
> > Author: Marek Szyprowski <m.szyprowski@samsung.com>
> > Date:   Tue Feb 25 13:01:09 2014 +0100
> > 
> >     arm: dma-mapping: remove order parameter from
> >     arm_iommu_create_mapping()
> > 
> > OOPS LOGS:
> > [26.898145] __alloc_iova#LINE: 1097 start = 0x3500
> > [26.898159] __alloc_iova#LINE:1136 iova = 0x53500000
> > [26.898170] __alloc_iova#LINE:1138 mapping->base= 0x50000000
> > [26.898181] __alloc_iova#LINE:1140 mapping->size = 0x1000000, i = 0
> > [26.924442] __free_iova, bitmap_index = 3
> > 
> > [Ritesh]: bitmap_index should be 0 for address 0x53500000. see in
> > alloc_iova above.
> > 
> > [26.924454] __free_iova,addr = 0x53500000
> > [26.924463] __free_iova,mapping->base = 0x50000000
> > [26.924472] __free_iova,mapping->size = 0x1000000
> > [26.924482] __free_iova,bitmap_base = 0x53000000
> > [26.924490] __free_iova, start = 0x500
> > 
> > [Ritesh]: start should be 0x3500 for address 0x53500000. see in alloc_iova
> > above.
> > 
> > [26.924533] Unable to handle kernel NULL pointer dereference at virtual
> > address 000000a0
> > [26.924543] pgd = e7a84000
> > [26.924558] [000000a0] *pgd=00000000
> > [26.924572] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> > [26.924598] Modules linked in:
> > [26.924613] CPU: 1 PID: 2263 Comm: BufferLiberator Not tainted 3.10.30+
> > #144
> > [26.924624] task: e7370a40 ti: e6e06000 task.ti: e6e06000
> > [26.924644] PC is at bitmap_clear+0x48/0xd0
> > [26.924659] LR is at __iommu_remove_mapping+0x130/0x164
> > [26.924673] pc : [<c02d0814>]    lr : [<c001bd30>]    psr: 20000093
> > [26.924673] sp : e6e07e20  ip : ffffffff  fp : e6e07e3c
> > [26.924682] r10: 00000500  r9 : c1333ea8  r8 : 80000013
> > [26.924692] r7 : ffffffff  r6 : 00000321  r5 : 000000a0  r4 : 00000028
> > [26.924707] r3 : 00000000  r2 : 00000341  r1 : 00000500  r0 : 00000000
> > [26.924730] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment
> > user
> > [26.924742] Control: 10c5387d  Table: 77a8406a  DAC: 00000015
> > 
> > 
> > See below on how this is wrong:
> > 
> > here iova_base = 0x50000000
> > iova_size = 0x20000000
> > => bits needed to map = 131072.
> > 
> >         => bitmap_size = 0x4000
> >         since bitmap_size > PAGE_SIZE
> >         => bitmap_size = PAGE_SIZE,  extensions = 4;
> > 
> > Now, mapping->size is currently set as bitmap_size << PAGE_SHIFT.
> > 
> >         =>mapping->size = 0x1000000.
> > 
> > mapping->size is the IOVA size, which one bitmap can address.
> > 
> > Now mapping->size * extensions should be size (0x20000000).
> > which is not true, => our bitmap_size is set wrong.
> > 
> > it should be (mapping->bits << PAGE_SIZE) or say
> 
> It should be PAGE_SHIFT here.
> 
> > (BITS_PER_BYTE * bitmap_size << PAGE_SIZE)
> 
> It should be PAGE_SHIFT here.
> 
> >         => (8 * 0x1000) << 12) = 0x8000000
> > 
> > With this IOVA_SIZE = extensions * mapping->size = 0x20000000
> > 
> > 
> > 
> > PATCH:
> > 
> > Currently mapping->size is wrongly set resulting
> > in OOPS (atleast we see OOPS with extension 4).
> > 
> > Fix this.
> > 
> > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> > ---
> > 
> >  arch/arm/mm/dma-mapping.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> > index f62aa06..d1701a2 100644
> > --- a/arch/arm/mm/dma-mapping.c
> > +++ b/arch/arm/mm/dma-mapping.c
> > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
> > dma_addr_t base, size_t size)
> >         mapping->nr_bitmaps = 1;
> >         mapping->extensions = extensions;
> >         mapping->base = base;
> > -       mapping->size = bitmap_size << PAGE_SHIFT;
> >         mapping->bits = BITS_PER_BYTE * bitmap_size;
> > +       mapping->size = mapping->bits << PAGE_SHIFT;
> > 
> >         spin_lock_init(&mapping->lock);
> > 

-- 
Regards,

Laurent Pinchart

[PATCH] arm: dma-mapping: Fix mapping size value

[Ritesh Harjani]

68efd7d2fb("arm: dma-mapping: remove order parameter from
arm_iommu_create_mapping()") is causing kernel panic
because it wrongly sets the value of mapping->size:

Unable to handle kernel NULL pointer dereference at virtual
address 000000a0
pgd = e7a84000
[000000a0] *pgd=00000000
...
PC is at bitmap_clear+0x48/0xd0
LR is at __iommu_remove_mapping+0x130/0x164

Fix it by correcting mapping->size value.

Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 arch/arm/mm/dma-mapping.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index f62aa06..6b00be1 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus, dma_addr_t base, size_t size)
 	mapping->nr_bitmaps = 1;
 	mapping->extensions = extensions;
 	mapping->base = base;
-	mapping->size = bitmap_size << PAGE_SHIFT;
 	mapping->bits = BITS_PER_BYTE * bitmap_size;
+	mapping->size = mapping->bits << PAGE_SHIFT;
 
 	spin_lock_init(&mapping->lock);
 
-- 
1.8.1.3

[PATCH] arm: dma-mapping: Fix mapping size value

[Laurent Pinchart]

Hi Ritesh,

On Monday 21 April 2014 09:31:38 Ritesh Harjani wrote:
> Fixed the commit message. Please find the new patch below:

Thank you. Your mail has wrapped lines and converted tabs to whitespaces. 
Could you please fix that and resubmit the patch on a mail of its own (use git 
send-email to avoid white space issues), with the subject set to "[PATCH v2] 
arm: dma-mapping: Fix mapping size value" ?

> 68efd7d2fb("arm: dma-mapping: remove order parameter from
> arm_iommu_create_mapping()") is causing kernel panic
> because it wrongly sets the mapping->size value.
> 
> Unable to handle kernel NULL pointer dereference at virtual
> address 000000a0
> pgd = e7a84000
> [000000a0] *pgd=00000000
> ...
> PC is at bitmap_clear+0x48/0xd0
> LR is at __iommu_remove_mapping+0x130/
> 0x164
> 
> 
> Fix it by correcting the mapping->size value.
> 
> Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> ---
>  arch/arm/mm/dma-mapping.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index f62aa06..6b00be1 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
> dma_addr_t base, size_t size)
>         mapping->nr_bitmaps = 1;
>         mapping->extensions = extensions;
>         mapping->base = base;
> -       mapping->size = bitmap_size << PAGE_SHIFT;
>         mapping->bits = BITS_PER_BYTE * bitmap_size;
> +       mapping->size = mapping->bits << PAGE_SHIFT;
> 
>         spin_lock_init(&mapping->lock);
> 
> 
> --
> 1.8.1.3
> 
> On Mon, Apr 21, 2014 at 4:06 AM, Laurent Pinchart
> 
> <laurent.pinchart@ideasonboard.com> wrote:
> > Hi Ritesh,
> > 
> > On Saturday 19 April 2014 16:55:30 Ritesh Harjani wrote:
> >> In explaining the issue below, made a mistake of taking PAGE_SIZE
> >> instead of PAGE_SHIFT (mistake mentioned inline).
> >> Although numerical values and patch is correct.
> > 
> > I was about to send the same patch, so, provided you fix the commit
> > message,
> > 
> > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> > 
> >> On Sat, Apr 19, 2014 at 4:49 PM, Ritesh Harjani
> >> 
> >> <ritesh.harjani@gmail.com> wrote:
> >> > I am finding an oops after following commit. I am on 3.10.30 kernel but
> >> > applied all the latest patches from arch/arm/mm/dma-mapping.c
> >> > 
> >> > I added some debug logs to see what is the error, on which I found that
> >> > we
> >> > are incorrectly setting mapping->size value.
> >> > Please take a look at this and correct me if I am wrong here.
> >> > 
> >> > FAULTY COMMIT:
> >> > commit 68efd7d2fb32c2606f1da318b6a851
> >> > d933813f27
> >> > Author: Marek Szyprowski <m.szyprowski@samsung.com>
> >> > Date:   Tue Feb 25 13:01:09 2014 +0100
> >> > 
> >> >     arm: dma-mapping: remove order parameter from
> >> >     arm_iommu_create_mapping()
> >> > 
> >> > OOPS LOGS:
> >> > [26.898145] __alloc_iova#LINE: 1097 start = 0x3500
> >> > [26.898159] __alloc_iova#LINE:1136 iova = 0x53500000
> >> > [26.898170] __alloc_iova#LINE:1138 mapping->base= 0x50000000
> >> > [26.898181] __alloc_iova#LINE:1140 mapping->size = 0x1000000, i = 0
> >> > [26.924442] __free_iova, bitmap_index = 3
> >> > 
> >> > [Ritesh]: bitmap_index should be 0 for address 0x53500000. see in
> >> > alloc_iova above.
> >> > 
> >> > [26.924454] __free_iova,addr = 0x53500000
> >> > [26.924463] __free_iova,mapping->base = 0x50000000
> >> > [26.924472] __free_iova,mapping->size = 0x1000000
> >> > [26.924482] __free_iova,bitmap_base = 0x53000000
> >> > [26.924490] __free_iova, start = 0x500
> >> > 
> >> > [Ritesh]: start should be 0x3500 for address 0x53500000. see in
> >> > alloc_iova
> >> > above.
> >> > 
> >> > [26.924533] Unable to handle kernel NULL pointer dereference at virtual
> >> > address 000000a0
> >> > [26.924543] pgd = e7a84000
> >> > [26.924558] [000000a0] *pgd=00000000
> >> > [26.924572] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> >> > [26.924598] Modules linked in:
> >> > [26.924613] CPU: 1 PID: 2263 Comm: BufferLiberator Not tainted 3.10.30+
> >> > #144
> >> > [26.924624] task: e7370a40 ti: e6e06000 task.ti: e6e06000
> >> > [26.924644] PC is at bitmap_clear+0x48/0xd0
> >> > [26.924659] LR is at __iommu_remove_mapping+0x130/0x164
> >> > [26.924673] pc : [<c02d0814>]    lr : [<c001bd30>]    psr: 20000093
> >> > [26.924673] sp : e6e07e20  ip : ffffffff  fp : e6e07e3c
> >> > [26.924682] r10: 00000500  r9 : c1333ea8  r8 : 80000013
> >> > [26.924692] r7 : ffffffff  r6 : 00000321  r5 : 000000a0  r4 : 00000028
> >> > [26.924707] r3 : 00000000  r2 : 00000341  r1 : 00000500  r0 : 00000000
> >> > [26.924730] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM 
> >> > Segment
> >> > user
> >> > [26.924742] Control: 10c5387d  Table: 77a8406a  DAC: 00000015
> >> > 
> >> > 
> >> > See below on how this is wrong:
> >> > 
> >> > here iova_base = 0x50000000
> >> > iova_size = 0x20000000
> >> > => bits needed to map = 131072.
> >> > 
> >> >         => bitmap_size = 0x4000
> >> >         since bitmap_size > PAGE_SIZE
> >> >         => bitmap_size = PAGE_SIZE,  extensions = 4;
> >> > 
> >> > Now, mapping->size is currently set as bitmap_size << PAGE_SHIFT.
> >> > 
> >> >         =>mapping->size = 0x1000000.
> >> > 
> >> > mapping->size is the IOVA size, which one bitmap can address.
> >> > 
> >> > Now mapping->size * extensions should be size (0x20000000).
> >> > which is not true, => our bitmap_size is set wrong.
> >> > 
> >> > it should be (mapping->bits << PAGE_SIZE) or say
> >> 
> >> It should be PAGE_SHIFT here.
> >> 
> >> > (BITS_PER_BYTE * bitmap_size << PAGE_SIZE)
> >> 
> >> It should be PAGE_SHIFT here.
> >> 
> >> >         => (8 * 0x1000) << 12) = 0x8000000
> >> > 
> >> > With this IOVA_SIZE = extensions * mapping->size = 0x20000000
> >> > 
> >> > 
> >> > 
> >> > PATCH:
> >> > 
> >> > Currently mapping->size is wrongly set resulting
> >> > in OOPS (atleast we see OOPS with extension 4).
> >> > 
> >> > Fix this.
> >> > 
> >> > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> >> > ---
> >> > 
> >> >  arch/arm/mm/dma-mapping.c | 2 +-
> >> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >> > 
> >> > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> >> > index f62aa06..d1701a2 100644
> >> > --- a/arch/arm/mm/dma-mapping.c
> >> > +++ b/arch/arm/mm/dma-mapping.c
> >> > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
> >> > dma_addr_t base, size_t size)
> >> > 
> >> >         mapping->nr_bitmaps = 1;
> >> >         mapping->extensions = extensions;
> >> >         mapping->base = base;
> >> > 
> >> > -       mapping->size = bitmap_size << PAGE_SHIFT;
> >> > 
> >> >         mapping->bits = BITS_PER_BYTE * bitmap_size;
> >> > 
> >> > +       mapping->size = mapping->bits << PAGE_SHIFT;
> >> > 
> >> >         spin_lock_init(&mapping->lock);

-- 
Regards,

Laurent Pinchart

[PATCH] arm: dma-mapping: Fix mapping size value

[Laurent Pinchart]

On Monday 21 April 2014 11:53:12 Laurent Pinchart wrote:
> Hi Ritesh,
> 
> On Monday 21 April 2014 09:31:38 Ritesh Harjani wrote:
> > Fixed the commit message. Please find the new patch below:
> Thank you. Your mail has wrapped lines and converted tabs to whitespaces.
> Could you please fix that and resubmit the patch on a mail of its own (use
> git send-email to avoid white space issues), with the subject set to
> "[PATCH v2] arm: dma-mapping: Fix mapping size value" ?

Please ignore this, I had missed that you have already resent the patch.
> 
> > 68efd7d2fb("arm: dma-mapping: remove order parameter from
> > arm_iommu_create_mapping()") is causing kernel panic
> > because it wrongly sets the mapping->size value.
> > 
> > Unable to handle kernel NULL pointer dereference at virtual
> > address 000000a0
> > pgd = e7a84000
> > [000000a0] *pgd=00000000
> > ...
> > PC is at bitmap_clear+0x48/0xd0
> > LR is at __iommu_remove_mapping+0x130/
> > 0x164
> > 
> > 
> > Fix it by correcting the mapping->size value.
> > 
> > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> > ---
> > 
> >  arch/arm/mm/dma-mapping.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> > index f62aa06..6b00be1 100644
> > --- a/arch/arm/mm/dma-mapping.c
> > +++ b/arch/arm/mm/dma-mapping.c
> > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
> > dma_addr_t base, size_t size)
> > 
> >         mapping->nr_bitmaps = 1;
> >         mapping->extensions = extensions;
> >         mapping->base = base;
> > 
> > -       mapping->size = bitmap_size << PAGE_SHIFT;
> > 
> >         mapping->bits = BITS_PER_BYTE * bitmap_size;
> > 
> > +       mapping->size = mapping->bits << PAGE_SHIFT;
> > 
> >         spin_lock_init(&mapping->lock);
> > 
> > --
> > 1.8.1.3
> > 
> > On Mon, Apr 21, 2014 at 4:06 AM, Laurent Pinchart
> > 
> > <laurent.pinchart@ideasonboard.com> wrote:
> > > Hi Ritesh,
> > > 
> > > On Saturday 19 April 2014 16:55:30 Ritesh Harjani wrote:
> > >> In explaining the issue below, made a mistake of taking PAGE_SIZE
> > >> instead of PAGE_SHIFT (mistake mentioned inline).
> > >> Although numerical values and patch is correct.
> > > 
> > > I was about to send the same patch, so, provided you fix the commit
> > > message,
> > > 
> > > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> > > 
> > >> On Sat, Apr 19, 2014 at 4:49 PM, Ritesh Harjani
> > >> 
> > >> <ritesh.harjani@gmail.com> wrote:
> > >> > I am finding an oops after following commit. I am on 3.10.30 kernel
> > >> > but
> > >> > applied all the latest patches from arch/arm/mm/dma-mapping.c
> > >> > 
> > >> > I added some debug logs to see what is the error, on which I found
> > >> > that
> > >> > we
> > >> > are incorrectly setting mapping->size value.
> > >> > Please take a look at this and correct me if I am wrong here.
> > >> > 
> > >> > FAULTY COMMIT:
> > >> > commit 68efd7d2fb32c2606f1da318b6a851
> > >> > d933813f27
> > >> > Author: Marek Szyprowski <m.szyprowski@samsung.com>
> > >> > Date:   Tue Feb 25 13:01:09 2014 +0100
> > >> > 
> > >> >     arm: dma-mapping: remove order parameter from
> > >> >     arm_iommu_create_mapping()
> > >> > 
> > >> > OOPS LOGS:
> > >> > [26.898145] __alloc_iova#LINE: 1097 start = 0x3500
> > >> > [26.898159] __alloc_iova#LINE:1136 iova = 0x53500000
> > >> > [26.898170] __alloc_iova#LINE:1138 mapping->base= 0x50000000
> > >> > [26.898181] __alloc_iova#LINE:1140 mapping->size = 0x1000000, i = 0
> > >> > [26.924442] __free_iova, bitmap_index = 3
> > >> > 
> > >> > [Ritesh]: bitmap_index should be 0 for address 0x53500000. see in
> > >> > alloc_iova above.
> > >> > 
> > >> > [26.924454] __free_iova,addr = 0x53500000
> > >> > [26.924463] __free_iova,mapping->base = 0x50000000
> > >> > [26.924472] __free_iova,mapping->size = 0x1000000
> > >> > [26.924482] __free_iova,bitmap_base = 0x53000000
> > >> > [26.924490] __free_iova, start = 0x500
> > >> > 
> > >> > [Ritesh]: start should be 0x3500 for address 0x53500000. see in
> > >> > alloc_iova
> > >> > above.
> > >> > 
> > >> > [26.924533] Unable to handle kernel NULL pointer dereference at
> > >> > virtual
> > >> > address 000000a0
> > >> > [26.924543] pgd = e7a84000
> > >> > [26.924558] [000000a0] *pgd=00000000
> > >> > [26.924572] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> > >> > [26.924598] Modules linked in:
> > >> > [26.924613] CPU: 1 PID: 2263 Comm: BufferLiberator Not tainted
> > >> > 3.10.30+
> > >> > #144
> > >> > [26.924624] task: e7370a40 ti: e6e06000 task.ti: e6e06000
> > >> > [26.924644] PC is at bitmap_clear+0x48/0xd0
> > >> > [26.924659] LR is at __iommu_remove_mapping+0x130/0x164
> > >> > [26.924673] pc : [<c02d0814>]    lr : [<c001bd30>]    psr: 20000093
> > >> > [26.924673] sp : e6e07e20  ip : ffffffff  fp : e6e07e3c
> > >> > [26.924682] r10: 00000500  r9 : c1333ea8  r8 : 80000013
> > >> > [26.924692] r7 : ffffffff  r6 : 00000321  r5 : 000000a0  r4 :
> > >> > 00000028
> > >> > [26.924707] r3 : 00000000  r2 : 00000341  r1 : 00000500  r0 :
> > >> > 00000000
> > >> > [26.924730] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM
> > >> > Segment
> > >> > user
> > >> > [26.924742] Control: 10c5387d  Table: 77a8406a  DAC: 00000015
> > >> > 
> > >> > 
> > >> > See below on how this is wrong:
> > >> > 
> > >> > here iova_base = 0x50000000
> > >> > iova_size = 0x20000000
> > >> > => bits needed to map = 131072.
> > >> > 
> > >> >         => bitmap_size = 0x4000
> > >> >         since bitmap_size > PAGE_SIZE
> > >> >         => bitmap_size = PAGE_SIZE,  extensions = 4;
> > >> > 
> > >> > Now, mapping->size is currently set as bitmap_size << PAGE_SHIFT.
> > >> > 
> > >> >         =>mapping->size = 0x1000000.
> > >> > 
> > >> > mapping->size is the IOVA size, which one bitmap can address.
> > >> > 
> > >> > Now mapping->size * extensions should be size (0x20000000).
> > >> > which is not true, => our bitmap_size is set wrong.
> > >> > 
> > >> > it should be (mapping->bits << PAGE_SIZE) or say
> > >> 
> > >> It should be PAGE_SHIFT here.
> > >> 
> > >> > (BITS_PER_BYTE * bitmap_size << PAGE_SIZE)
> > >> 
> > >> It should be PAGE_SHIFT here.
> > >> 
> > >> >         => (8 * 0x1000) << 12) = 0x8000000
> > >> > 
> > >> > With this IOVA_SIZE = extensions * mapping->size = 0x20000000
> > >> > 
> > >> > 
> > >> > 
> > >> > PATCH:
> > >> > 
> > >> > Currently mapping->size is wrongly set resulting
> > >> > in OOPS (atleast we see OOPS with extension 4).
> > >> > 
> > >> > Fix this.
> > >> > 
> > >> > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> > >> > ---
> > >> > 
> > >> >  arch/arm/mm/dma-mapping.c | 2 +-
> > >> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >> > 
> > >> > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> > >> > index f62aa06..d1701a2 100644
> > >> > --- a/arch/arm/mm/dma-mapping.c
> > >> > +++ b/arch/arm/mm/dma-mapping.c
> > >> > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
> > >> > dma_addr_t base, size_t size)
> > >> > 
> > >> >         mapping->nr_bitmaps = 1;
> > >> >         mapping->extensions = extensions;
> > >> >         mapping->base = base;
> > >> > 
> > >> > -       mapping->size = bitmap_size << PAGE_SHIFT;
> > >> > 
> > >> >         mapping->bits = BITS_PER_BYTE * bitmap_size;
> > >> > 
> > >> > +       mapping->size = mapping->bits << PAGE_SHIFT;
> > >> > 
> > >> >         spin_lock_init(&mapping->lock);

-- 
Regards,

Laurent Pinchart

[PATCH] arm: dma-mapping: Fix mapping size value

[Will Deacon]

On Mon, Apr 21, 2014 at 07:47:27AM +0100, Ritesh Harjani wrote:
> 68efd7d2fb("arm: dma-mapping: remove order parameter from
> arm_iommu_create_mapping()") is causing kernel panic
> because it wrongly sets the value of mapping->size:
> 
> Unable to handle kernel NULL pointer dereference at virtual
> address 000000a0
> pgd = e7a84000
> [000000a0] *pgd=00000000
> ...
> PC is at bitmap_clear+0x48/0xd0
> LR is at __iommu_remove_mapping+0x130/0x164
> 
> Fix it by correcting mapping->size value.
> 
> Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> ---
>  arch/arm/mm/dma-mapping.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index f62aa06..6b00be1 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus, dma_addr_t base, size_t size)
>  	mapping->nr_bitmaps = 1;
>  	mapping->extensions = extensions;
>  	mapping->base = base;
> -	mapping->size = bitmap_size << PAGE_SHIFT;
>  	mapping->bits = BITS_PER_BYTE * bitmap_size;
> +	mapping->size = mapping->bits << PAGE_SHIFT;

Ok, but given that mapping->size is derived from mapping->bits, do we really
need both of these fields in struct dma_iommu_mapping?

Will

[PATCH] arm: dma-mapping: Fix mapping size value

[Marek Szyprowski]

Hello,

On 2014-04-21 08:47, Ritesh Harjani wrote:
> 68efd7d2fb("arm: dma-mapping: remove order parameter from
> arm_iommu_create_mapping()") is causing kernel panic
> because it wrongly sets the value of mapping->size:
>
> Unable to handle kernel NULL pointer dereference at virtual
> address 000000a0
> pgd = e7a84000
> [000000a0] *pgd=00000000
> ...
> PC is at bitmap_clear+0x48/0xd0
> LR is at __iommu_remove_mapping+0x130/0x164
>
> Fix it by correcting mapping->size value.
>
> Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Thanks for spotting this issue! I'm really sorry for introducing it. I 
will push it to the fixes branch asap.

> ---
>   arch/arm/mm/dma-mapping.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index f62aa06..6b00be1 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus, dma_addr_t base, size_t size)
>   	mapping->nr_bitmaps = 1;
>   	mapping->extensions = extensions;
>   	mapping->base = base;
> -	mapping->size = bitmap_size << PAGE_SHIFT;
>   	mapping->bits = BITS_PER_BYTE * bitmap_size;
> +	mapping->size = mapping->bits << PAGE_SHIFT;
>   
>   	spin_lock_init(&mapping->lock);

Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

[PATCH] arm: dma-mapping: Fix mapping size value

[Marek Szyprowski]

Hello,

On 2014-04-22 10:53, Will Deacon wrote:
> On Mon, Apr 21, 2014 at 07:47:27AM +0100, Ritesh Harjani wrote:
> > 68efd7d2fb("arm: dma-mapping: remove order parameter from
> > arm_iommu_create_mapping()") is causing kernel panic
> > because it wrongly sets the value of mapping->size:
> >
> > Unable to handle kernel NULL pointer dereference at virtual
> > address 000000a0
> > pgd = e7a84000
> > [000000a0] *pgd=00000000
> > ...
> > PC is at bitmap_clear+0x48/0xd0
> > LR is at __iommu_remove_mapping+0x130/0x164
> >
> > Fix it by correcting mapping->size value.
> >
> > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> > ---
> >  arch/arm/mm/dma-mapping.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> > index f62aa06..6b00be1 100644
> > --- a/arch/arm/mm/dma-mapping.c
> > +++ b/arch/arm/mm/dma-mapping.c
> > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus, dma_addr_t base, size_t size)
> >  	mapping->nr_bitmaps = 1;
> >  	mapping->extensions = extensions;
> >  	mapping->base = base;
> > -	mapping->size = bitmap_size << PAGE_SHIFT;
> >  	mapping->bits = BITS_PER_BYTE * bitmap_size;
> > +	mapping->size = mapping->bits << PAGE_SHIFT;
>
> Ok, but given that mapping->size is derived from mapping->bits, do we really
> need both of these fields in struct dma_iommu_mapping?

You are right. I didn't notice this while I was refactoring the code. 
Ritesh,
could you update your patch and simply replace all references of 
mapping->size
with (mapping->bits << PAGE_SHIFT), probably with some temporary variable to
make the code easier to understand? I've didn't apply your patch yet.

Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

[PATCH] arm: dma-mapping: Fix mapping size value

[Laurent Pinchart]

Hi Marek,

On Wednesday 23 April 2014 10:53:24 Marek Szyprowski wrote:
> On 2014-04-22 10:53, Will Deacon wrote:
> > On Mon, Apr 21, 2014 at 07:47:27AM +0100, Ritesh Harjani wrote:
> > > 68efd7d2fb("arm: dma-mapping: remove order parameter from
> > > arm_iommu_create_mapping()") is causing kernel panic
> > > because it wrongly sets the value of mapping->size:
> > > 
> > > Unable to handle kernel NULL pointer dereference at virtual
> > > address 000000a0
> > > pgd = e7a84000
> > > [000000a0] *pgd=00000000
> > > ...
> > > PC is at bitmap_clear+0x48/0xd0
> > > LR is at __iommu_remove_mapping+0x130/0x164
> > > 
> > > Fix it by correcting mapping->size value.
> > > 
> > > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> > > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> > > ---
> > > 
> > >  arch/arm/mm/dma-mapping.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> > > index f62aa06..6b00be1 100644
> > > --- a/arch/arm/mm/dma-mapping.c
> > > +++ b/arch/arm/mm/dma-mapping.c
> > > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
> > > dma_addr_t base, size_t size)> > 
> > >  	mapping->nr_bitmaps = 1;
> > >  	mapping->extensions = extensions;
> > >  	mapping->base = base;
> > > 
> > > -	mapping->size = bitmap_size << PAGE_SHIFT;
> > > 
> > >  	mapping->bits = BITS_PER_BYTE * bitmap_size;
> > > 
> > > +	mapping->size = mapping->bits << PAGE_SHIFT;
> > 
> > Ok, but given that mapping->size is derived from mapping->bits, do we
> > really need both of these fields in struct dma_iommu_mapping?
> 
> You are right. I didn't notice this while I was refactoring the code.
> Ritesh, could you update your patch and simply replace all references of
> mapping->size with (mapping->bits << PAGE_SHIFT), probably with some
> temporary variable to make the code easier to understand? I've didn't apply
> your patch yet.

As this patch fixes a v3.15 regression, shouldn't it be applied as-is and 
ASAP, with the cleanup that removes mapping->size coming in a later, less 
urgent patch ?

-- 
Regards,

Laurent Pinchart

[PATCH] arm: dma-mapping: Fix mapping size value

[Ritesh Harjani]

Hi Marek/Will

On Wed, Apr 23, 2014 at 3:00 PM, Laurent Pinchart
<laurent.pinchart@ideasonboard.com> wrote:
> Hi Marek,
>
> On Wednesday 23 April 2014 10:53:24 Marek Szyprowski wrote:
>> On 2014-04-22 10:53, Will Deacon wrote:
>> > On Mon, Apr 21, 2014 at 07:47:27AM +0100, Ritesh Harjani wrote:
>> > > 68efd7d2fb("arm: dma-mapping: remove order parameter from
>> > > arm_iommu_create_mapping()") is causing kernel panic
>> > > because it wrongly sets the value of mapping->size:
>> > >
>> > > Unable to handle kernel NULL pointer dereference at virtual
>> > > address 000000a0
>> > > pgd = e7a84000
>> > > [000000a0] *pgd=00000000
>> > > ...
>> > > PC is at bitmap_clear+0x48/0xd0
>> > > LR is at __iommu_remove_mapping+0x130/0x164
>> > >
>> > > Fix it by correcting mapping->size value.
>> > >
>> > > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
>> > > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
>> > > ---
>> > >
>> > >  arch/arm/mm/dma-mapping.c | 2 +-
>> > >  1 file changed, 1 insertion(+), 1 deletion(-)
>> > >
>> > > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
>> > > index f62aa06..6b00be1 100644
>> > > --- a/arch/arm/mm/dma-mapping.c
>> > > +++ b/arch/arm/mm/dma-mapping.c
>> > > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
>> > > dma_addr_t base, size_t size)> >
>> > >   mapping->nr_bitmaps = 1;
>> > >   mapping->extensions = extensions;
>> > >   mapping->base = base;
>> > >
>> > > - mapping->size = bitmap_size << PAGE_SHIFT;
>> > >
>> > >   mapping->bits = BITS_PER_BYTE * bitmap_size;
>> > >
>> > > + mapping->size = mapping->bits << PAGE_SHIFT;
>> >
>> > Ok, but given that mapping->size is derived from mapping->bits, do we
>> > really need both of these fields in struct dma_iommu_mapping?
>>
>> You are right. I didn't notice this while I was refactoring the code.
>> Ritesh, could you update your patch and simply replace all references of
>> mapping->size with (mapping->bits << PAGE_SHIFT), probably with some
>> temporary variable to make the code easier to understand? I've didn't apply
>> your patch yet.
>
> As this patch fixes a v3.15 regression, shouldn't it be applied as-is and
> ASAP, with the cleanup that removes mapping->size coming in a later, less
> urgent patch ?

I agree with Laurent. Anyway this cleanup can be taken care when we will be
doing refactoring of common code to lib/iommu-helper.c.

Anyways, if you still insist I can prepare and submit the patch. Let me know
again on this.

>
> --
> Regards,
>
> Laurent Pinchart
>

Thanks
Ritesh

[PATCH] arm: dma-mapping: Fix mapping size value

[Marek Szyprowski]

Hello,

On 2014-04-23 12:04, Ritesh Harjani wrote:
> Hi Marek/Will
>
> On Wed, Apr 23, 2014 at 3:00 PM, Laurent Pinchart
> <laurent.pinchart@ideasonboard.com> wrote:
> > Hi Marek,
> >
> > On Wednesday 23 April 2014 10:53:24 Marek Szyprowski wrote:
> >> On 2014-04-22 10:53, Will Deacon wrote:
> >> > On Mon, Apr 21, 2014 at 07:47:27AM +0100, Ritesh Harjani wrote:
> >> > > 68efd7d2fb("arm: dma-mapping: remove order parameter from
> >> > > arm_iommu_create_mapping()") is causing kernel panic
> >> > > because it wrongly sets the value of mapping->size:
> >> > >
> >> > > Unable to handle kernel NULL pointer dereference at virtual
> >> > > address 000000a0
> >> > > pgd = e7a84000
> >> > > [000000a0] *pgd=00000000
> >> > > ...
> >> > > PC is at bitmap_clear+0x48/0xd0
> >> > > LR is at __iommu_remove_mapping+0x130/0x164
> >> > >
> >> > > Fix it by correcting mapping->size value.
> >> > >
> >> > > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
> >> > > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> >> > > ---
> >> > >
> >> > >  arch/arm/mm/dma-mapping.c | 2 +-
> >> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> >> > >
> >> > > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> >> > > index f62aa06..6b00be1 100644
> >> > > --- a/arch/arm/mm/dma-mapping.c
> >> > > +++ b/arch/arm/mm/dma-mapping.c
> >> > > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type *bus,
> >> > > dma_addr_t base, size_t size)> >
> >> > >   mapping->nr_bitmaps = 1;
> >> > >   mapping->extensions = extensions;
> >> > >   mapping->base = base;
> >> > >
> >> > > - mapping->size = bitmap_size << PAGE_SHIFT;
> >> > >
> >> > >   mapping->bits = BITS_PER_BYTE * bitmap_size;
> >> > >
> >> > > + mapping->size = mapping->bits << PAGE_SHIFT;
> >> >
> >> > Ok, but given that mapping->size is derived from mapping->bits, do we
> >> > really need both of these fields in struct dma_iommu_mapping?
> >>
> >> You are right. I didn't notice this while I was refactoring the code.
> >> Ritesh, could you update your patch and simply replace all references of
> >> mapping->size with (mapping->bits << PAGE_SHIFT), probably with some
> >> temporary variable to make the code easier to understand? I've didn't apply
> >> your patch yet.
> >
> > As this patch fixes a v3.15 regression, shouldn't it be applied as-is and
> > ASAP, with the cleanup that removes mapping->size coming in a later, less
> > urgent patch ?
>
> I agree with Laurent. Anyway this cleanup can be taken care when we will be
> doing refactoring of common code to lib/iommu-helper.c.
>
> Anyways, if you still insist I can prepare and submit the patch. Let me know
> again on this.

Ok, I've merged the patch as is and I will send pull request soon.
Please include the above discussed cleanup while refactoring common code 
to lib.

Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

[PATCH] arm: dma-mapping: Fix mapping size value

[Ritesh Harjani]

Ok thanks Marek,

I was about to send a new patch (as I had now got hold of my system).
Anyways, I will add this discussion of cleaning up this variable in my
to-do list.


Thanks
Ritesh

On Wed, Apr 23, 2014 at 6:47 PM, Marek Szyprowski
<m.szyprowski@samsung.com> wrote:
> Hello,
>
>
> On 2014-04-23 12:04, Ritesh Harjani wrote:
>>
>> Hi Marek/Will
>>
>> On Wed, Apr 23, 2014 at 3:00 PM, Laurent Pinchart
>> <laurent.pinchart@ideasonboard.com> wrote:
>> > Hi Marek,
>> >
>> > On Wednesday 23 April 2014 10:53:24 Marek Szyprowski wrote:
>> >> On 2014-04-22 10:53, Will Deacon wrote:
>> >> > On Mon, Apr 21, 2014 at 07:47:27AM +0100, Ritesh Harjani wrote:
>> >> > > 68efd7d2fb("arm: dma-mapping: remove order parameter from
>> >> > > arm_iommu_create_mapping()") is causing kernel panic
>> >> > > because it wrongly sets the value of mapping->size:
>> >> > >
>> >> > > Unable to handle kernel NULL pointer dereference at virtual
>> >> > > address 000000a0
>> >> > > pgd = e7a84000
>> >> > > [000000a0] *pgd=00000000
>> >> > > ...
>> >> > > PC is at bitmap_clear+0x48/0xd0
>> >> > > LR is at __iommu_remove_mapping+0x130/0x164
>> >> > >
>> >> > > Fix it by correcting mapping->size value.
>> >> > >
>> >> > > Signed-off-by: Ritesh Harjani <ritesh.harjani@gmail.com>
>> >> > > Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
>> >> > > ---
>> >> > >
>> >> > >  arch/arm/mm/dma-mapping.c | 2 +-
>> >> > >  1 file changed, 1 insertion(+), 1 deletion(-)
>> >> > >
>> >> > > diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
>> >> > > index f62aa06..6b00be1 100644
>> >> > > --- a/arch/arm/mm/dma-mapping.c
>> >> > > +++ b/arch/arm/mm/dma-mapping.c
>> >> > > @@ -1963,8 +1963,8 @@ arm_iommu_create_mapping(struct bus_type
>> >> > > *bus,
>> >> > > dma_addr_t base, size_t size)> >
>> >> > >   mapping->nr_bitmaps = 1;
>> >> > >   mapping->extensions = extensions;
>> >> > >   mapping->base = base;
>> >> > >
>> >> > > - mapping->size = bitmap_size << PAGE_SHIFT;
>> >> > >
>> >> > >   mapping->bits = BITS_PER_BYTE * bitmap_size;
>> >> > >
>> >> > > + mapping->size = mapping->bits << PAGE_SHIFT;
>> >> >
>> >> > Ok, but given that mapping->size is derived from mapping->bits, do we
>> >> > really need both of these fields in struct dma_iommu_mapping?
>> >>
>> >> You are right. I didn't notice this while I was refactoring the code.
>> >> Ritesh, could you update your patch and simply replace all references
>> >> of
>> >> mapping->size with (mapping->bits << PAGE_SHIFT), probably with some
>> >> temporary variable to make the code easier to understand? I've didn't
>> >> apply
>> >> your patch yet.
>> >
>> > As this patch fixes a v3.15 regression, shouldn't it be applied as-is
>> > and
>> > ASAP, with the cleanup that removes mapping->size coming in a later,
>> > less
>> > urgent patch ?
>>
>> I agree with Laurent. Anyway this cleanup can be taken care when we will
>> be
>> doing refactoring of common code to lib/iommu-helper.c.
>>
>> Anyways, if you still insist I can prepare and submit the patch. Let me
>> know
>> again on this.
>
>
> Ok, I've merged the patch as is and I will send pull request soon.
> Please include the above discussed cleanup while refactoring common code to
> lib.
>
>
> Best regards
> --
> Marek Szyprowski, PhD
> Samsung R&D Institute Poland
>