From f25e305738764cf8cb037bd0cf26402522915e2c Mon Sep 17 00:00:00 2001
From: royger <royger@FreeBSD.org>
Date: Mon, 26 Oct 2015 14:50:35 +0000
Subject: [PATCH] x86/dma_bounce: revert r289834 and r289836

The new load_ma implementation can cause dereferences when used with
certain drivers, back it out until the reason is found:

Fatal trap 12: page fault while in kernel mode
cpuid = 11; apic id = 03
fault virtual address   = 0x30
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff808a2d22
stack pointer           = 0x28:0xfffffe07cc737710
frame pointer           = 0x28:0xfffffe07cc737790
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 13 (g_down)
trap number             = 12
panic: page fault
cpuid = 11
KDB: stack backtrace:
#0 0xffffffff80641647 at kdb_backtrace+0x67
#1 0xffffffff80606762 at vpanic+0x182
#2 0xffffffff806067e3 at panic+0x43
#3 0xffffffff8084eef1 at trap_fatal+0x351
#4 0xffffffff8084f0e4 at trap_pfault+0x1e4
#5 0xffffffff8084e82f at trap+0x4bf
#6 0xffffffff80830d57 at calltrap+0x8
#7 0xffffffff8063beab at _bus_dmamap_load_ccb+0x1fb
#8 0xffffffff8063bc51 at bus_dmamap_load_ccb+0x91
#9 0xffffffff8042dcad at ata_dmaload+0x11d
#10 0xffffffff8042df7e at ata_begin_transaction+0x7e
#11 0xffffffff8042c18e at ataaction+0x9ce
#12 0xffffffff802a220f at xpt_run_devq+0x5bf
#13 0xffffffff802a17ad at xpt_action_default+0x94d
#14 0xffffffff802c0024 at adastart+0x8b4
#15 0xffffffff802a2e93 at xpt_run_allocq+0x193
#16 0xffffffff802c0735 at adastrategy+0xf5
#17 0xffffffff80554206 at g_disk_start+0x426
Uptime: 2m29s
---
 sys/dev/xen/blkfront/blkfront.c |  12 +-
 sys/x86/x86/busdma_bounce.c     | 202 +++-----------------------------
 2 files changed, 21 insertions(+), 193 deletions(-)

diff --git a/sys/dev/xen/blkfront/blkfront.c b/sys/dev/xen/blkfront/blkfront.c
index 0a75d79b1d2..fa8d479331b 100644
--- a/sys/dev/xen/blkfront/blkfront.c
+++ b/sys/dev/xen/blkfront/blkfront.c
@@ -293,12 +293,8 @@ xbd_queue_request(struct xbd_softc *sc, struct xbd_command *cm)
 {
 	int error;
 
-	if (cm->cm_bp != NULL)
-		error = bus_dmamap_load_bio(sc->xbd_io_dmat, cm->cm_map,
-		    cm->cm_bp, xbd_queue_cb, cm, 0);
-	else
-		error = bus_dmamap_load(sc->xbd_io_dmat, cm->cm_map,
-		    cm->cm_data, cm->cm_datalen, xbd_queue_cb, cm, 0);
+	error = bus_dmamap_load(sc->xbd_io_dmat, cm->cm_map, cm->cm_data,
+	    cm->cm_datalen, xbd_queue_cb, cm, 0);
 	if (error == EINPROGRESS) {
 		/*
 		 * Maintain queuing order by freezing the queue.  The next
@@ -358,6 +354,8 @@ xbd_bio_command(struct xbd_softc *sc)
 	}
 
 	cm->cm_bp = bp;
+	cm->cm_data = bp->bio_data;
+	cm->cm_datalen = bp->bio_bcount;
 	cm->cm_sector_number = (blkif_sector_t)bp->bio_pblkno;
 
 	switch (bp->bio_cmd) {
@@ -1011,7 +1009,7 @@ xbd_instance_create(struct xbd_softc *sc, blkif_sector_t sectors,
 
 	sc->xbd_disk->d_mediasize = sectors * sector_size;
 	sc->xbd_disk->d_maxsize = sc->xbd_max_request_size;
-	sc->xbd_disk->d_flags = DISKFLAG_UNMAPPED_BIO;
+	sc->xbd_disk->d_flags = 0;
 	if ((sc->xbd_flags & (XBDF_FLUSH|XBDF_BARRIER)) != 0) {
 		sc->xbd_disk->d_flags |= DISKFLAG_CANFLUSHCACHE;
 		device_printf(sc->xbd_dev,
diff --git a/sys/x86/x86/busdma_bounce.c b/sys/x86/x86/busdma_bounce.c
index db90e940784..ebd6238ef82 100644
--- a/sys/x86/x86/busdma_bounce.c
+++ b/sys/x86/x86/busdma_bounce.c
@@ -79,8 +79,8 @@ struct bounce_page {
 	vm_offset_t	vaddr;		/* kva of bounce buffer */
 	bus_addr_t	busaddr;	/* Physical address */
 	vm_offset_t	datavaddr;	/* kva of client data */
+	vm_page_t	datapage;	/* physical page of client data */
 	vm_offset_t	dataoffs;	/* page offset of client data */
-	vm_page_t	datapage[2];	/* physical page(s) of client data */
 	bus_size_t	datacount;	/* client data count */
 	STAILQ_ENTRY(bounce_page) links;
 };
@@ -135,8 +135,8 @@ static int alloc_bounce_pages(bus_dma_tag_t dmat, u_int numpages);
 static int reserve_bounce_pages(bus_dma_tag_t dmat, bus_dmamap_t map,
 				int commit);
 static bus_addr_t add_bounce_page(bus_dma_tag_t dmat, bus_dmamap_t map,
-				  vm_offset_t vaddr, bus_addr_t addr1,
-				  bus_addr_t addr2, bus_size_t size);
+				  vm_offset_t vaddr, bus_addr_t addr,
+				  bus_size_t size);
 static void free_bounce_page(bus_dma_tag_t dmat, struct bounce_page *bpage);
 int run_filter(bus_dma_tag_t dmat, bus_addr_t paddr);
 static void _bus_dmamap_count_pages(bus_dma_tag_t dmat, bus_dmamap_t map,
@@ -527,51 +527,6 @@ _bus_dmamap_count_pages(bus_dma_tag_t dmat, bus_dmamap_t map, pmap_t pmap,
 	}
 }
 
-static void
-_bus_dmamap_count_ma(bus_dma_tag_t dmat, bus_dmamap_t map, struct vm_page **ma,
-    int ma_offs, bus_size_t buflen, int flags)
-{
-	bus_size_t sg_len, max_sgsize;
-	int page_index;
-	vm_paddr_t paddr;
-
-	if ((map != &nobounce_dmamap && map->pagesneeded == 0)) {
-		CTR4(KTR_BUSDMA, "lowaddr= %d Maxmem= %d, boundary= %d, "
-		    "alignment= %d", dmat->common.lowaddr,
-		    ptoa((vm_paddr_t)Maxmem),
-		    dmat->common.boundary, dmat->common.alignment);
-		CTR3(KTR_BUSDMA, "map= %p, nobouncemap= %p, pagesneeded= %d",
-		    map, &nobounce_dmamap, map->pagesneeded);
-
-		/*
-		 * Count the number of bounce pages
-		 * needed in order to complete this transfer
-		 */
-		page_index = 0;
-		while (buflen > 0) {
-			paddr = ma[page_index]->phys_addr + ma_offs;
-			sg_len = PAGE_SIZE - ma_offs;
-			max_sgsize = MIN(buflen, dmat->common.maxsegsz);
-			sg_len = MIN(sg_len, max_sgsize);
-			if (bus_dma_run_filter(&dmat->common, paddr) != 0) {
-				sg_len = roundup2(sg_len,
-				    dmat->common.alignment);
-				sg_len = MIN(sg_len, max_sgsize);
-				KASSERT((sg_len & (dmat->common.alignment - 1))
-				    == 0, ("Segment size is not aligned"));
-				map->pagesneeded++;
-			}
-			if (((ma_offs + sg_len) & ~PAGE_MASK) != 0)
-				page_index++;
-			ma_offs = (ma_offs + sg_len) & PAGE_MASK;
-			KASSERT(buflen >= sg_len,
-			    ("Segment length overruns original buffer"));
-			buflen -= sg_len;
-		}
-		CTR1(KTR_BUSDMA, "pagesneeded= %d\n", map->pagesneeded);
-	}
-}
-
 static int
 _bus_dmamap_reserve_pages(bus_dma_tag_t dmat, bus_dmamap_t map, int flags)
 {
@@ -677,7 +632,7 @@ bounce_bus_dmamap_load_phys(bus_dma_tag_t dmat, bus_dmamap_t map,
 		    map->pagesneeded != 0 &&
 		    bus_dma_run_filter(&dmat->common, curaddr)) {
 			sgsize = MIN(sgsize, PAGE_SIZE - (curaddr & PAGE_MASK));
-			curaddr = add_bounce_page(dmat, map, 0, curaddr, 0,
+			curaddr = add_bounce_page(dmat, map, 0, curaddr,
 			    sgsize);
 		}
 		sgsize = _bus_dmamap_addseg(dmat, map, curaddr, sgsize, segs,
@@ -746,7 +701,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf,
 		    bus_dma_run_filter(&dmat->common, curaddr)) {
 			sgsize = roundup2(sgsize, dmat->common.alignment);
 			sgsize = MIN(sgsize, max_sgsize);
-			curaddr = add_bounce_page(dmat, map, kvaddr, curaddr, 0,
+			curaddr = add_bounce_page(dmat, map, kvaddr, curaddr,
 			    sgsize);
 		} else {
 			sgsize = MIN(sgsize, max_sgsize);
@@ -765,90 +720,6 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf,
 	return (buflen != 0 ? EFBIG : 0); /* XXX better return value here? */
 }
 
-static int
-bounce_bus_dmamap_load_ma(bus_dma_tag_t dmat, bus_dmamap_t map,
-    struct vm_page **ma, bus_size_t buflen, int ma_offs, int flags,
-    bus_dma_segment_t *segs, int *segp)
-{
-	vm_paddr_t paddr, next_paddr;
-	int error, page_index;
-	struct vm_page *page;
-	bus_size_t sgsize, max_sgsize;
-
-	if (dmat->common.flags & BUS_DMA_KEEP_PG_OFFSET) {
-		/*
-		 * If we have to keep the offset of each page this function
-		 * is not suitable, switch back to bus_dmamap_load_ma_triv
-		 * which is going to do the right thing in this case.
-		 */
-		error = bus_dmamap_load_ma_triv(dmat, map, ma, buflen, ma_offs,
-		    flags, segs, segp);
-		return (error);
-	}
-
-	if (map == NULL)
-		map = &nobounce_dmamap;
-
-	if (segs == NULL)
-		segs = dmat->segments;
-
-	if ((dmat->bounce_flags & BUS_DMA_COULD_BOUNCE) != 0) {
-		_bus_dmamap_count_ma(dmat, map, ma, ma_offs, buflen, flags);
-		if (map->pagesneeded != 0) {
-			error = _bus_dmamap_reserve_pages(dmat, map, flags);
-			if (error)
-				return (error);
-		}
-	}
-
-	page_index = 0;
-	page = ma[0];
-	while (buflen > 0) {
-		/*
-		 * Compute the segment size, and adjust counts.
-		 */
-		page = ma[page_index];
-		paddr = page->phys_addr + ma_offs;
-		max_sgsize = MIN(buflen, dmat->common.maxsegsz);
-		sgsize = PAGE_SIZE - ma_offs;
-		if (((dmat->bounce_flags & BUS_DMA_COULD_BOUNCE) != 0) &&
-		    map->pagesneeded != 0 &&
-		    bus_dma_run_filter(&dmat->common, paddr)) {
-			sgsize = roundup2(sgsize, dmat->common.alignment);
-			sgsize = MIN(sgsize, max_sgsize);
-			KASSERT((sgsize & (dmat->common.alignment - 1)) == 0,
-			    ("Segment size is not aligned"));
-			/*
-			 * Check if two pages of the user provided buffer
-			 * are used.
-			 */
-			if (((ma_offs + sgsize) & ~PAGE_MASK) != 0)
-				next_paddr = ma[page_index + 1]->phys_addr;
-			else
-				next_paddr = 0;
-			paddr = add_bounce_page(dmat, map, 0, paddr,
-			    next_paddr, sgsize);
-		} else {
-			sgsize = MIN(sgsize, max_sgsize);
-		}
-		sgsize = _bus_dmamap_addseg(dmat, map, paddr, sgsize, segs,
-		    segp);
-		if (sgsize == 0)
-			break;
-		KASSERT(buflen >= sgsize,
-		    ("Segment length overruns original buffer"));
-		buflen -= sgsize;
-		if (((ma_offs + sgsize) & ~PAGE_MASK) != 0)
-			page_index++;
-		ma_offs = (ma_offs + sgsize) & PAGE_MASK;
-	}
-
-	/*
-	 * Did we fit?
-	 */
-	return (buflen != 0 ? EFBIG : 0); /* XXX better return value here? */
-}
-
 static void
 bounce_bus_dmamap_waitok(bus_dma_tag_t dmat, bus_dmamap_t map,
     struct memdesc *mem, bus_dmamap_callback_t *callback, void *callback_arg)
@@ -892,7 +763,6 @@ bounce_bus_dmamap_sync(bus_dma_tag_t dmat, bus_dmamap_t map,
 {
 	struct bounce_page *bpage;
 	vm_offset_t datavaddr, tempvaddr;
-	bus_size_t datacount1, datacount2;
 
 	if ((bpage = STAILQ_FIRST(&map->bpages)) == NULL)
 		return;
@@ -908,35 +778,17 @@ bounce_bus_dmamap_sync(bus_dma_tag_t dmat, bus_dmamap_t map,
 		while (bpage != NULL) {
 			tempvaddr = 0;
 			datavaddr = bpage->datavaddr;
-			datacount1 = bpage->datacount;
 			if (datavaddr == 0) {
 				tempvaddr =
-				    pmap_quick_enter_page(bpage->datapage[0]);
+				    pmap_quick_enter_page(bpage->datapage);
 				datavaddr = tempvaddr | bpage->dataoffs;
-				datacount1 = min(PAGE_SIZE - bpage->dataoffs,
-				    datacount1);
 			}
 
 			bcopy((void *)datavaddr,
-			    (void *)bpage->vaddr, datacount1);
+			    (void *)bpage->vaddr, bpage->datacount);
 
 			if (tempvaddr != 0)
 				pmap_quick_remove_page(tempvaddr);
-
-			if (bpage->datapage[1] == 0)
-				goto next_w;
-
-			/*
-			 * We are dealing with an unmapped buffer that expands
-			 * over two pages.
-			 */
-			datavaddr = pmap_quick_enter_page(bpage->datapage[1]);
-			datacount2 = bpage->datacount - datacount1;
-			bcopy((void *)datavaddr,
-			    (void *)(bpage->vaddr + datacount1), datacount2);
-			pmap_quick_remove_page(datavaddr);
-
-next_w:
 			bpage = STAILQ_NEXT(bpage, links);
 		}
 		dmat->bounce_zone->total_bounced++;
@@ -946,35 +798,17 @@ next_w:
 		while (bpage != NULL) {
 			tempvaddr = 0;
 			datavaddr = bpage->datavaddr;
-			datacount1 = bpage->datacount;
 			if (datavaddr == 0) {
 				tempvaddr =
-				    pmap_quick_enter_page(bpage->datapage[0]);
+				    pmap_quick_enter_page(bpage->datapage);
 				datavaddr = tempvaddr | bpage->dataoffs;
-				datacount1 = min(PAGE_SIZE - bpage->dataoffs,
-				    datacount1);
 			}
 
-			bcopy((void *)bpage->vaddr, (void *)datavaddr,
-			    datacount1);
+			bcopy((void *)bpage->vaddr,
+			    (void *)datavaddr, bpage->datacount);
 
 			if (tempvaddr != 0)
 				pmap_quick_remove_page(tempvaddr);
-
-			if (bpage->datapage[1] == 0)
-				goto next_r;
-
-			/*
-			 * We are dealing with an unmapped buffer that expands
-			 * over two pages.
-			 */
-			datavaddr = pmap_quick_enter_page(bpage->datapage[1]);
-			datacount2 = bpage->datacount - datacount1;
-			bcopy((void *)(bpage->vaddr + datacount1),
-			    (void *)datavaddr, datacount2);
-			pmap_quick_remove_page(datavaddr);
-
-next_r:
 			bpage = STAILQ_NEXT(bpage, links);
 		}
 		dmat->bounce_zone->total_bounced++;
@@ -1138,7 +972,7 @@ reserve_bounce_pages(bus_dma_tag_t dmat, bus_dmamap_t map, int commit)
 
 static bus_addr_t
 add_bounce_page(bus_dma_tag_t dmat, bus_dmamap_t map, vm_offset_t vaddr,
-		bus_addr_t addr1, bus_addr_t addr2, bus_size_t size)
+		bus_addr_t addr, bus_size_t size)
 {
 	struct bounce_zone *bz;
 	struct bounce_page *bpage;
@@ -1168,16 +1002,12 @@ add_bounce_page(bus_dma_tag_t dmat, bus_dmamap_t map, vm_offset_t vaddr,
 
 	if (dmat->common.flags & BUS_DMA_KEEP_PG_OFFSET) {
 		/* Page offset needs to be preserved. */
-		bpage->vaddr |= addr1 & PAGE_MASK;
-		bpage->busaddr |= addr1 & PAGE_MASK;
-		KASSERT(addr2 == 0,
-	("Trying to bounce multiple pages with BUS_DMA_KEEP_PG_OFFSET"));
+		bpage->vaddr |= addr & PAGE_MASK;
+		bpage->busaddr |= addr & PAGE_MASK;
 	}
 	bpage->datavaddr = vaddr;
-	bpage->datapage[0] = PHYS_TO_VM_PAGE(addr1);
-	KASSERT((addr2 & PAGE_MASK) == 0, ("Second page is not aligned"));
-	bpage->datapage[1] = PHYS_TO_VM_PAGE(addr2);
-	bpage->dataoffs = addr1 & PAGE_MASK;
+	bpage->datapage = PHYS_TO_VM_PAGE(addr);
+	bpage->dataoffs = addr & PAGE_MASK;
 	bpage->datacount = size;
 	STAILQ_INSERT_TAIL(&(map->bpages), bpage, links);
 	return (bpage->busaddr);
@@ -1249,7 +1079,7 @@ struct bus_dma_impl bus_dma_bounce_impl = {
 	.mem_free = bounce_bus_dmamem_free,
 	.load_phys = bounce_bus_dmamap_load_phys,
 	.load_buffer = bounce_bus_dmamap_load_buffer,
-	.load_ma = bounce_bus_dmamap_load_ma,
+	.load_ma = bus_dmamap_load_ma_triv,
 	.map_waitok = bounce_bus_dmamap_waitok,
 	.map_complete = bounce_bus_dmamap_complete,
 	.map_unload = bounce_bus_dmamap_unload,
-- 
2.39.5