Subject: kern/32700: userspace bus_dmamap_load is problematic
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <yamt@mwd.biglobe.ne.jp>
List: netbsd-bugs
Date: 02/02/2006 15:15:00
>Number:         32700
>Category:       kern
>Synopsis:       userspace bus_dmamap_load is problematic
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 02 15:15:00 +0000 2006
>Originator:     YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
>Release:        NetBSD 3.99.15
>Organization:

>Environment:
	
	
System: NetBSD kaeru 3.99.15 NetBSD 3.99.15 (build.kaeru.xen.nodebug) #: Tue Jan 24 07:52:10 JST 2006 takashi@kaeru:/home/takashi/work/kernel/build.kaeru.xen.nodebug i386
Architecture: i386
Machine: i386
>Description:
	bus_dmamap_load and bus_dmamap_load_uio can take userspace
	addresses.  however, they are fragile, at best.

	- dmover seems to pass userspace addresses to bus_dmamap_load_uio
	  without wiring.  handling of VA which doesn't have page-mapping
	  seems to vary on bus_dma implementations.

	- rrunner.c does uvm_vslock loop like the following.
	  it's problematic if (page-extended) iovs are overlapped.

		for (i = 0; i < uio->uio_iovcnt; i++) {
			iovp = &uio->uio_iov[i];
			error = uvm_vslock(p, iovp->iov_base, iovp->iov_len,
			    VM_PROT_WRITE);

	- even if a driver does uvm_vslock, there are problems described
	  in PR/25639.

>How-To-Repeat:
	code inspection.
>Fix:

>Unformatted:
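
Added example, not part of the original report and not NetBSD code: a user-space C model of the condition named in the rrunner.c item, where iovecs whose byte ranges are disjoint still share pages once each range is widened to page boundaries. It assumes wiring works on whole pages of 4096 bytes; `count_overlaps`, `iov_range`, `PAGE_SZ` and the sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

#define PAGE_SZ 4096u	/* assumption: i386 page size */

/* Constructed sample addresses: compared only, never dereferenced. */
static const struct iovec sample_iov[] = {
	{ (void *)0x20000100, 0x200 },	/* A: inside page 0x20000000 */
	{ (void *)0x20000800, 0x900 },	/* B: same page as A, spills into next */
	{ (void *)0x20001800, 0x100 },	/* C: inside the page B spills into */
	{ (void *)0x20004000, 0x1000 },	/* D: page-aligned, on its own */
};

/* Byte range of one iovec, optionally widened to whole pages. */
static void
iov_range(const struct iovec *v, int page_extend, uintptr_t *s, uintptr_t *e)
{
	*s = (uintptr_t)v->iov_base;
	*e = *s + v->iov_len;
	if (page_extend) {
		*s &= ~(uintptr_t)(PAGE_SZ - 1);
		*e = (*e + PAGE_SZ - 1) & ~(uintptr_t)(PAGE_SZ - 1);
	}
}

/* Count iovec pairs whose ranges intersect; empty entries are skipped. */
size_t
count_overlaps(const struct iovec *iov, size_t cnt, int page_extend)
{
	size_t i, j, hits = 0;
	uintptr_t si, ei, sj, ej;
	for (i = 0; i < cnt; i++) {
		iov_range(&iov[i], page_extend, &si, &ei);
		for (j = i + 1; j < cnt; j++) {
			iov_range(&iov[j], page_extend, &sj, &ej);
			if (iov[i].iov_len && iov[j].iov_len && si < ej && sj < ei)
				hits++;
		}
	}
	return hits;
}

int main(void)
{
	printf("bytes: %zu, page-extended: %zu\n",
	    count_overlaps(sample_iov, 4, 0), count_overlaps(sample_iov, 4, 1));
	return 0;
}
```

In the sample, no two byte ranges intersect, yet A/B and B/C each share a page after extension, so a per-iovec lock loop touches those pages more than once.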