66966 – Wrong physical address translation for DMA >4GB

Bug 66966 - Wrong physical address translation for DMA >4GB

Summary: Wrong physical address translation for DMA >4GB

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 2.1
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	2.1
Hardware:	i386
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Larry Woodman
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:	66521
Blocks:	66527
TreeView+	depends on / blocked

Reported:	2002-06-19 09:10 UTC by Martin Wilck
Modified:	2007-11-30 22:06 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2002-06-20 07:39:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Patch that solves this problem (439 bytes, patch) 2002-06-19 09:14 UTC, Martin Wilck	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2002:128	0	normal	SHIPPED_LIVE	Moderate: Updated kernel with information security fixes, bug fixes, and updated drivers	2002-06-25 04:00:00 UTC

Description Martin Wilck 2002-06-19 09:10:49 UTC

Description of Problem:

A bug in inlude/asm-i386/io.h leads to wrong page to physical address
translation for DMA memory above 4GB. If high buffers are used for DMA, 
this may lead to DMA transfers to wrong memry regions, which (depending on
the false address) may lead to PCI bus aborts, data corruption, or 
even destruction of elementary kernel code or data (if DMA is carried out
into kernel core memory).

Version-Release number of selected component (if applicable):
2.4.9-e.3

How Reproducible:
Run IO stress test on e.g. a PCI SCSI controller capable of doing 
high-memory DMA (e.g. aic7xxx).

Steps to Reproduce:
1. Start stress test
2. wait
3. 

Actual Results:
Once a DMA buffer above 4GB is allocated (e.g. 0x101010000), the address
translation for the scatter-gather list discards the high bits, leading to
0x001010000. Depending on the address generated and the direction of the IO,
all sorts of errors may result, leaving the system in an undeterimined state.

Expected Results:
IO completes successfully.

Additional Information:

I reported this for RedHat 7.2 in the descussion of bug 66143
The problem is fixed in the 2.4.18 kernels of RedHat 7.3.

I will attach a patch that solves the problem.

Comment 1 Martin Wilck 2002-06-19 09:14:22 UTC

Created attachment 61544 [details]
Patch that solves this problem

Comment 2 Martin Wilck 2002-06-20 07:27:36 UTC

I am interesting what bug 66521 is but I have no permissions to see it.
Could you allow me in?

Comment 3 Larry Woodman 2002-08-05 16:27:01 UTC

Fixed in AS2.1 errata kernel-2.4.9-e.8, released on 7/29.

Larry Woodman

Comment 4 Annie 2003-05-08 15:55:52 UTC

We are seeing memory corruption when using > 4GB memory on AS 2.4.9-e12.  Any 
chance this bug has been re-introduced?  
Annie McQuilken, Experience, Inc.

Comment 5 Martin Wilck 2003-05-09 06:44:14 UTC

Certainly not this one.

Note You need to log in before you can comment on or make changes to this bug.