Subject: kern/32700: userspace bus_dmamap_load is problematic
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <yamt@mwd.biglobe.ne.jp>
List: netbsd-bugs
Date: 02/02/2006 15:15:00
>Number: 32700
>Category: kern
>Synopsis: userspace bus_dmamap_load is problematic
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Feb 02 15:15:00 +0000 2006
>Originator: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
>Release: NetBSD 3.99.15
>Organization:
>Environment:
System: NetBSD kaeru 3.99.15 NetBSD 3.99.15 (build.kaeru.xen.nodebug) #: Tue Jan 24 07:52:10 JST 2006 takashi@kaeru:/home/takashi/work/kernel/build.kaeru.xen.nodebug i386
Architecture: i386
Machine: i386
>Description:
bus_dmamap_load and bus_dmamap_load_uio can take userspace
addresses. However, they are fragile, at best.
- dmover seems to pass userspace addresses to bus_dmamap_load_uio
  without wiring. Handling of a VA which doesn't have a page mapping
  seems to vary across bus_dma implementations.
- rrunner.c does a uvm_vslock loop like the following.
  It's problematic if (page-extended) iovs overlap.

	for (i = 0; i < uio->uio_iovcnt; i++) {
		iovp = &uio->uio_iov[i];
		error = uvm_vslock(p, iovp->iov_base, iovp->iov_len,
		    VM_PROT_WRITE);

- Even if a driver does uvm_vslock, there are problems described
  in PR/25639.
>How-To-Repeat:
code inspection.
>Fix:
>Unformatted:
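
The condition named in the second item, iovs that overlap once each is extended to page boundaries, can be checked before a per-iov wiring loop runs. The following is an added example, not code from the report or from NetBSD; the ex_* names are hypothetical and 4 KiB pages (i386) are assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

#define EX_PAGE_MASK ((uintptr_t)4096 - 1)	/* assumption: 4 KiB pages (i386) */

/* Page-extend one iov: start rounded down, end rounded up. -1 if it wraps. */
static int
ex_page_extend(const struct iovec *iov, uintptr_t *start, uintptr_t *end)
{
	uintptr_t base = (uintptr_t)iov->iov_base;

	if (base > UINTPTR_MAX - EX_PAGE_MASK ||
	    iov->iov_len > UINTPTR_MAX - EX_PAGE_MASK - base)
		return -1;
	*start = base & ~EX_PAGE_MASK;
	*end = (base + iov->iov_len + EX_PAGE_MASK) & ~EX_PAGE_MASK;
	return 0;
}

/* First pair of iovs sharing a page after extension.
 * Returns 1 and the two indices, 0 if none, -1 if a range wraps. */
int
ex_find_page_overlap(const struct iovec *iov, int cnt, int *first, int *second)
{
	uintptr_t si, ei, sj, ej;
	int i, j;

	for (i = 0; i < cnt; i++) {
		if (ex_page_extend(&iov[i], &si, &ei) != 0)
			return -1;
		for (j = i + 1; j < cnt; j++) {
			if (ex_page_extend(&iov[j], &sj, &ej) != 0)
				return -1;
			/* half-open ranges; an empty range overlaps nothing */
			if (si < ei && sj < ej && si < ej && sj < ei) {
				*first = i; *second = j;
				return 1;
			}
		}
	}
	return 0;
}

int
main(void)
{	/* constructed sample: disjoint bytes in one page; never dereferenced */
	struct iovec v[2] = { { (void *)(uintptr_t)0x10000100u, 0x100 },
	    { (void *)(uintptr_t)0x10000800u, 0x100 } };
	int a = -1, b = -1, r = ex_find_page_overlap(v, 2, &a, &b);
	printf("overlap=%d iov[%d] iov[%d]\n", r, a, b);
	return 0;
}
```

Two buffers whose byte ranges are disjoint still overlap here, because both extend to the same page.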