Change Details

Most all of the memory used by the cards in the mpr(4) and mps(4) drivers is required, according to the specs and Broadcom developers, to be within a 4GB segment of memory. This includes: - System Request Message Frames pool - Reply Free Queues pool - ReplyDescriptorPost Queues pool - Chain Segments pool - Sense Buffers pool - SystemReply message pool We got a bug report from Dwight Engen, who ran into data corruption in the BAE port of FreeBSD: https://www.baesystems.com/en/product/stop-os ===== We have a port of the FreeBSD mpr driver to our kernel and recently I found an issue under heavy load where a DMA may go to the wrong address. The test system is a Supermicro X10SRH-CLN4F with the onboard SAS3008 controller setup with 2 enterprise Micron SSDs in RAID 0 (striped). I have debugged the issue and narrowed down that the errant DMA is one that has a segment that crosses a 4GB physical boundary. There are more details I can provide if you'd like, but with the attached patch in place I can no longer re-create the issue. I'm not sure if this is a known limit of the card (have not found a datasheet/programming docs for the chip) or our system is just doing something a bit different. Any helpful info or insight would be welcome. Anyway, just thought this might be helpful info if you want to apply a similar fix to FreeBSD. You can ignore/discard the commit message as it is my internal commit (blkio is our own tool we use to write/read every block of a device with CRC verification which is how I found the problem). ===== The commit message was: [PATCH 8/9] mpr: fix memory corrupting DMA when sg segment crosses 4GB boundary Test case was two SSD's in RAID 0 (stripe). The logical disk was then partitioned into two partitions. One partition had lots of filesystem I/O and the other was initially filled using blkio with CRCable data and then read back with blkio CRC verify in a loop. Eventually blkio would report a bad CRC block because the physical page being read-ahead into didn't contain the right data. If the physical address in the arq/segs was for example 0x500003000 the data would actually be DMAed to 0x400003000. ====== The original patch was against mpr(4) before busdma templates were introduced, and only affected the buffer pool (sc->buffer_dmat) in the mpr(4) driver. After some discussion with Dwight and the LSI/Broadcom developers and looking through the driver, it looks like most of the queues in the driver are ok, because they limit the memory used to memory below 4GB. The buffer queue and the chain frames seem to be the exceptions. This is pretty much the same between the mpr(4) and mps(4) drivers. Comments welcome here, is this the right thing to do?

Most all of the memory used by the cards in the mpr(4) and mps(4) drivers is required, according to the specs and Broadcom developers, to be within a 4GB segment of memory. This includes: - System Request Message Frames pool - Reply Free Queues pool - ReplyDescriptorPost Queues pool - Chain Segments pool - Sense Buffers pool - SystemReply message pool We got a bug report from Dwight Engen, who ran into data corruption in the BAE port of FreeBSD: https://www.baesystems.com/en/product/stop-os ===== We have a port of the FreeBSD mpr driver to our kernel and recently I found an issue under heavy load where a DMA may go to the wrong address. The test system is a Supermicro X10SRH-CLN4F with the onboard SAS3008 controller setup with 2 enterprise Micron SSDs in RAID 0 (striped). I have debugged the issue and narrowed down that the errant DMA is one that has a segment that crosses a 4GB physical boundary. There are more details I can provide if you'd like, but with the attached patch in place I can no longer re-create the issue. I'm not sure if this is a known limit of the card (have not found a datasheet/programming docs for the chip) or our system is just doing something a bit different. Any helpful info or insight would be welcome. Anyway, just thought this might be helpful info if you want to apply a similar fix to FreeBSD. You can ignore/discard the commit message as it is my internal commit (blkio is our own tool we use to write/read every block of a device with CRC verification which is how I found the problem). ===== The commit message was: [PATCH 8/9] mpr: fix memory corrupting DMA when sg segment crosses 4GB boundary Test case was two SSD's in RAID 0 (stripe). The logical disk was then partitioned into two partitions. One partition had lots of filesystem I/O and the other was initially filled using blkio with CRCable data and then read back with blkio CRC verify in a loop. Eventually blkio would report a bad CRC block because the physical page being read-ahead into didn't contain the right data. If the physical address in the arq/segs was for example 0x500003000 the data would actually be DMAed to 0x400003000. ====== The original patch was against mpr(4) before busdma templates were introduced, and only affected the buffer pool (sc->buffer_dmat) in the mpr(4) driver. After some discussion with Dwight and the LSI/Broadcom developers and looking through the driver, it looks like most of the queues in the driver are ok, because they limit the memory used to memory below 4GB. The buffer queue and the chain frames seem to be the exceptions. This is pretty much the same between the mpr(4) and mps(4) drivers. Comments welcome here, is this the right thing to do?

Most all of the memory used by the cards in the mpr(4) and mps(4) drivers is required, according to the specs and Broadcom developers, to be within a 4GB segment of memory. This includes: - System Request Message Frames pool - Reply Free Queues pool - ReplyDescriptorPost Queues pool - Chain Segments pool - Sense Buffers pool - SystemReply message pool We got a bug report from Dwight Engen, who ran into data corruption in the BAE port of FreeBSD: https://www.baesystems.com/en/product/stop-os ===== We have a port of the FreeBSD mpr driver to our kernel and recently I found an issue under heavy load where a DMA may go to the wrong address. The test system is a Supermicro X10SRH-CLN4F with the onboard SAS3008 controller setup with 2 enterprise Micron SSDs in RAID 0 (striped). I have debugged the issue and narrowed down that the errant DMA is one that has a segment that crosses a 4GB physical boundary. There are more details I can provide if you'd like, but with the attached patch in place I can no longer re-create the issue. I'm not sure if this is a known limit of the card (have not found a datasheet/programming docs for the chip) or our system is just doing something a bit different. Any helpful info or insight would be welcome. Anyway, just thought this might be helpful info if you want to apply a similar fix to FreeBSD. You can ignore/discard the commit message as it is my internal commit (blkio is our own tool we use to write/read every block of a device with CRC verification which is how I found the the problem). ===== The commit message was: [PATCH 8/9] mpr: fix memory corrupting DMA when sg segment crosses 4GB boundary Test case was two SSD's in RAID 0 (stripe). The logical disk was then partitioned into two partitions. One partition had lots of filesystem I/O and the other was initially filled using blkio with CRCable data and then read back with blkio CRC verify in a loop. Eventually blkio would report a bad CRC block because the physical page being read-ahead into didn't contain the right data. If the physical address in the arq/segs was for example 0x500003000 the data would actually be DMAed to 0x400003000. ====== The original patch was against mpr(4) before busdma templates were introduced, and only affected the buffer pool (sc->buffer_dmat) in the mpr(4) driver. After some discussion with Dwight and the LSI/Broadcom developers and looking through the driver, it looks like most of the queues in the driver are ok, because they limit the memory used to memory below 4GB. The buffer queue and the chain frames seem to be the exceptions. This is pretty much the same between the mpr(4) and mps(4) drivers. Comments welcome here, is this the right thing to do?