Linaro-mm-sig December 2022

linaro-mm-sig@lists.linaro.org

27 participants
21 discussions

[PATCH v2] usb: gadget: aspeed_udc: Add check for dma_alloc_coherent

by Jiasheng Jiang

Add the check for the return value of dma_alloc_coherent in order to avoid NULL pointer dereference. This flaw was found using an experimental static analysis tool we are developing, APP-Miner, which has not been disclosed. The allyesconfig build using GCC 9.3.0 shows no new warning. As we don't have a UDC device to test with, no runtime testing was able to be performed. Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- Changelog: v1 -> v2: 1. Add "goto err;" when allocation fails. --- drivers/usb/gadget/udc/aspeed_udc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c index 01968e2167f9..7dc2457c7460 100644 --- a/drivers/usb/gadget/udc/aspeed_udc.c +++ b/drivers/usb/gadget/udc/aspeed_udc.c @@ -1516,6 +1516,10 @@ static int ast_udc_probe(struct platform_device *pdev) AST_UDC_EP_DMA_SIZE * AST_UDC_NUM_ENDPOINTS, &udc->ep0_buf_dma, GFP_KERNEL); + if (!udc->ep0_buf) { + rc = -ENOMEM; + goto err; + } udc->gadget.speed = USB_SPEED_UNKNOWN; udc->gadget.max_speed = USB_SPEED_HIGH; -- 2.25.1

2 years

[PATCH v2] net: ksz884x: Remove some unused functions

by Jiapeng Chong

These functions are defined in the ksz884x.c file, but not called elsewhere, so delete these unused functions. drivers/net/ethernet/micrel/ksz884x.c:2212:20: warning: unused function 'port_cfg_force_flow_ctrl'. Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3418 Reported-by: Abaci Robot <abaci(a)linux.alibaba.com> Signed-off-by: Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> --- Changes in v2: -Delete more unused functions. drivers/net/ethernet/micrel/ksz884x.c | 89 --------------------------- 1 file changed, 89 deletions(-) diff --git a/drivers/net/ethernet/micrel/ksz884x.c b/drivers/net/ethernet/micrel/ksz884x.c index e6acd1e7b263..5d6ed7a63e59 100644 --- a/drivers/net/ethernet/micrel/ksz884x.c +++ b/drivers/net/ethernet/micrel/ksz884x.c @@ -2209,102 +2209,13 @@ static inline void port_cfg_back_pressure(struct ksz_hw *hw, int p, int set) KS8842_PORT_CTRL_2_OFFSET, PORT_BACK_PRESSURE, set); } -static inline void port_cfg_force_flow_ctrl(struct ksz_hw *hw, int p, int set) -{ - port_cfg(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_FORCE_FLOW_CTRL, set); -} - -static inline int port_chk_back_pressure(struct ksz_hw *hw, int p) -{ - return port_chk(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_BACK_PRESSURE); -} - -static inline int port_chk_force_flow_ctrl(struct ksz_hw *hw, int p) -{ - return port_chk(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_FORCE_FLOW_CTRL); -} - /* Spanning Tree */ -static inline void port_cfg_rx(struct ksz_hw *hw, int p, int set) -{ - port_cfg(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_RX_ENABLE, set); -} - -static inline void port_cfg_tx(struct ksz_hw *hw, int p, int set) -{ - port_cfg(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_TX_ENABLE, set); -} - static inline void sw_cfg_fast_aging(struct ksz_hw *hw, int set) { sw_cfg(hw, KS8842_SWITCH_CTRL_1_OFFSET, SWITCH_FAST_AGING, set); } -static inline void sw_flush_dyn_mac_table(struct ksz_hw *hw) -{ - if (!(hw->overrides & FAST_AGING)) { - sw_cfg_fast_aging(hw, 1); - mdelay(1); - sw_cfg_fast_aging(hw, 0); - } -} - -/* VLAN */ - -static inline void port_cfg_ins_tag(struct ksz_hw *hw, int p, int insert) -{ - port_cfg(hw, p, - KS8842_PORT_CTRL_1_OFFSET, PORT_INSERT_TAG, insert); -} - -static inline void port_cfg_rmv_tag(struct ksz_hw *hw, int p, int remove) -{ - port_cfg(hw, p, - KS8842_PORT_CTRL_1_OFFSET, PORT_REMOVE_TAG, remove); -} - -static inline int port_chk_ins_tag(struct ksz_hw *hw, int p) -{ - return port_chk(hw, p, - KS8842_PORT_CTRL_1_OFFSET, PORT_INSERT_TAG); -} - -static inline int port_chk_rmv_tag(struct ksz_hw *hw, int p) -{ - return port_chk(hw, p, - KS8842_PORT_CTRL_1_OFFSET, PORT_REMOVE_TAG); -} - -static inline void port_cfg_dis_non_vid(struct ksz_hw *hw, int p, int set) -{ - port_cfg(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_DISCARD_NON_VID, set); -} - -static inline void port_cfg_in_filter(struct ksz_hw *hw, int p, int set) -{ - port_cfg(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_INGRESS_VLAN_FILTER, set); -} - -static inline int port_chk_dis_non_vid(struct ksz_hw *hw, int p) -{ - return port_chk(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_DISCARD_NON_VID); -} - -static inline int port_chk_in_filter(struct ksz_hw *hw, int p) -{ - return port_chk(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_INGRESS_VLAN_FILTER); -} - /* Mirroring */ static inline void port_cfg_mirror_sniffer(struct ksz_hw *hw, int p, int set) -- 2.20.1.7.g153144c

2 years

[PATCH v2] usb: gadget: aspeed_udc: Add check for dma_alloc_coherent

by Jiasheng Jiang

Add the check for the return value of dma_alloc_coherent in order to avoid NULL pointer dereference. Fixes: 055276c13205 ("usb: gadget: add Aspeed ast2600 udc driver") Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- Changelog: v1 -> v2: 1. Add "goto err;" when allocation fails. --- drivers/usb/gadget/udc/aspeed_udc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c index 01968e2167f9..7dc2457c7460 100644 --- a/drivers/usb/gadget/udc/aspeed_udc.c +++ b/drivers/usb/gadget/udc/aspeed_udc.c @@ -1516,6 +1516,10 @@ static int ast_udc_probe(struct platform_device *pdev) AST_UDC_EP_DMA_SIZE * AST_UDC_NUM_ENDPOINTS, &udc->ep0_buf_dma, GFP_KERNEL); + if (!udc->ep0_buf) { + rc = -ENOMEM; + goto err; + } udc->gadget.speed = USB_SPEED_UNKNOWN; udc->gadget.max_speed = USB_SPEED_HIGH; -- 2.25.1

2 years

Re: [PATCH] usb: gadget: aspeed_udc: Add check for dma_alloc_coherent

by Jiasheng Jiang

Thanks, I found my mistake and I will submit a v2. > And how did you find this potential problem? What tool did you use and > why did you not follow the documentation for properly describing the > tool? I used a tool I wrote myself to find it, which is unpublished. Therefore, I think it is okay to submit patches without description of the tools. Thanks, Jiang

2 years

[PATCH 1/1] crypto: ccp - Allocate TEE ring and cmd buffer using DMA APIs

by Rijo Thomas

For AMD Secure Processor (ASP) to map and access TEE ring buffer, the ring buffer address sent by host to ASP must be a real physical address and the pages must be physically contiguous. In a virtualized environment though, when the driver is running in a guest VM, the pages allocated by __get_free_pages() may not be contiguous in the host (or machine) physical address space. Guests will see a guest (or pseudo) physical address and not the actual host (or machine) physical address. The TEE running on ASP cannot decipher pseudo physical addresses. It needs host or machine physical address. To resolve this problem, use DMA APIs for allocating buffers that must be shared with TEE. This will ensure that the pages are contiguous in host (or machine) address space. If the DMA handle is an IOVA, translate it into a physical address before sending it to ASP. This patch also exports two APIs (one for buffer allocation and another to free the buffer). This API can be used by AMD-TEE driver to share buffers with TEE. Fixes: 33960acccfbd ("crypto: ccp - add TEE support for Raven Ridge") Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Rijo Thomas <Rijo-john.Thomas(a)amd.com> Co-developed-by: Jeshwanth <JESHWANTHKUMAR.NK(a)amd.com> Signed-off-by: Jeshwanth <JESHWANTHKUMAR.NK(a)amd.com> Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy(a)amd.com> --- drivers/crypto/ccp/psp-dev.c | 6 +- drivers/crypto/ccp/tee-dev.c | 116 ++++++++++++++++++++++------------- drivers/crypto/ccp/tee-dev.h | 9 +-- include/linux/psp-tee.h | 47 ++++++++++++++ 4 files changed, 127 insertions(+), 51 deletions(-) diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c index c9c741ac8442..2b86158d7435 100644 --- a/drivers/crypto/ccp/psp-dev.c +++ b/drivers/crypto/ccp/psp-dev.c @@ -161,13 +161,13 @@ int psp_dev_init(struct sp_device *sp) goto e_err; } + if (sp->set_psp_master_device) + sp->set_psp_master_device(sp); + ret = psp_init(psp); if (ret) goto e_irq; - if (sp->set_psp_master_device) - sp->set_psp_master_device(sp); - /* Enable interrupt */ iowrite32(-1, psp->io_regs + psp->vdata->inten_reg); diff --git a/drivers/crypto/ccp/tee-dev.c b/drivers/crypto/ccp/tee-dev.c index 5c9d47f3be37..1631d9851e54 100644 --- a/drivers/crypto/ccp/tee-dev.c +++ b/drivers/crypto/ccp/tee-dev.c @@ -12,8 +12,9 @@ #include <linux/mutex.h> #include <linux/delay.h> #include <linux/slab.h> +#include <linux/dma-direct.h> +#include <linux/iommu.h> #include <linux/gfp.h> -#include <linux/psp-sev.h> #include <linux/psp-tee.h> #include "psp-dev.h" @@ -21,25 +22,64 @@ static bool psp_dead; +struct dma_buffer *psp_tee_alloc_dmabuf(unsigned long size, gfp_t gfp) +{ + struct psp_device *psp = psp_get_master_device(); + struct dma_buffer *dma_buf; + struct iommu_domain *dom; + + if (!psp || !size) + return NULL; + + dma_buf = kzalloc(sizeof(*dma_buf), GFP_KERNEL); + if (!dma_buf) + return NULL; + + dma_buf->vaddr = dma_alloc_coherent(psp->dev, size, &dma_buf->dma, gfp); + if (!dma_buf->vaddr || !dma_buf->dma) { + kfree(dma_buf); + return NULL; + } + + dma_buf->size = size; + + dom = iommu_get_domain_for_dev(psp->dev); + if (dom) + dma_buf->paddr = iommu_iova_to_phys(dom, dma_buf->dma); + else + dma_buf->paddr = dma_buf->dma; + + return dma_buf; +} +EXPORT_SYMBOL(psp_tee_alloc_dmabuf); + +void psp_tee_free_dmabuf(struct dma_buffer *dma_buf) +{ + struct psp_device *psp = psp_get_master_device(); + + if (!psp || !dma_buf) + return; + + dma_free_coherent(psp->dev, dma_buf->size, + dma_buf->vaddr, dma_buf->dma); + + kfree(dma_buf); +} +EXPORT_SYMBOL(psp_tee_free_dmabuf); + static int tee_alloc_ring(struct psp_tee_device *tee, int ring_size) { struct ring_buf_manager *rb_mgr = &tee->rb_mgr; - void *start_addr; if (!ring_size) return -EINVAL; - /* We need actual physical address instead of DMA address, since - * Trusted OS running on AMD Secure Processor will map this region - */ - start_addr = (void *)__get_free_pages(GFP_KERNEL, get_order(ring_size)); - if (!start_addr) + rb_mgr->ring_buf = psp_tee_alloc_dmabuf(ring_size, + GFP_KERNEL | __GFP_ZERO); + if (!rb_mgr->ring_buf) { + dev_err(tee->dev, "ring allocation failed\n"); return -ENOMEM; - - memset(start_addr, 0x0, ring_size); - rb_mgr->ring_start = start_addr; - rb_mgr->ring_size = ring_size; - rb_mgr->ring_pa = __psp_pa(start_addr); + } mutex_init(&rb_mgr->mutex); return 0; @@ -49,15 +89,8 @@ static void tee_free_ring(struct psp_tee_device *tee) { struct ring_buf_manager *rb_mgr = &tee->rb_mgr; - if (!rb_mgr->ring_start) - return; + psp_tee_free_dmabuf(rb_mgr->ring_buf); - free_pages((unsigned long)rb_mgr->ring_start, - get_order(rb_mgr->ring_size)); - - rb_mgr->ring_start = NULL; - rb_mgr->ring_size = 0; - rb_mgr->ring_pa = 0; mutex_destroy(&rb_mgr->mutex); } @@ -81,35 +114,36 @@ static int tee_wait_cmd_poll(struct psp_tee_device *tee, unsigned int timeout, return -ETIMEDOUT; } -static -struct tee_init_ring_cmd *tee_alloc_cmd_buffer(struct psp_tee_device *tee) +struct dma_buffer *tee_alloc_cmd_buffer(struct psp_tee_device *tee) { struct tee_init_ring_cmd *cmd; + struct dma_buffer *cmd_buffer; - cmd = kzalloc(sizeof(*cmd), GFP_KERNEL); - if (!cmd) + cmd_buffer = psp_tee_alloc_dmabuf(sizeof(*cmd), + GFP_KERNEL | __GFP_ZERO); + if (!cmd_buffer) return NULL; - cmd->hi_addr = upper_32_bits(tee->rb_mgr.ring_pa); - cmd->low_addr = lower_32_bits(tee->rb_mgr.ring_pa); - cmd->size = tee->rb_mgr.ring_size; + cmd = (struct tee_init_ring_cmd *)cmd_buffer->vaddr; + cmd->hi_addr = upper_32_bits(tee->rb_mgr.ring_buf->paddr); + cmd->low_addr = lower_32_bits(tee->rb_mgr.ring_buf->paddr); + cmd->size = tee->rb_mgr.ring_buf->size; dev_dbg(tee->dev, "tee: ring address: high = 0x%x low = 0x%x size = %u\n", cmd->hi_addr, cmd->low_addr, cmd->size); - return cmd; + return cmd_buffer; } -static inline void tee_free_cmd_buffer(struct tee_init_ring_cmd *cmd) +static inline void tee_free_cmd_buffer(struct dma_buffer *cmd_buffer) { - kfree(cmd); + psp_tee_free_dmabuf(cmd_buffer); } static int tee_init_ring(struct psp_tee_device *tee) { int ring_size = MAX_RING_BUFFER_ENTRIES * sizeof(struct tee_ring_cmd); - struct tee_init_ring_cmd *cmd; - phys_addr_t cmd_buffer; + struct dma_buffer *cmd_buffer; unsigned int reg; int ret; @@ -123,21 +157,19 @@ static int tee_init_ring(struct psp_tee_device *tee) tee->rb_mgr.wptr = 0; - cmd = tee_alloc_cmd_buffer(tee); - if (!cmd) { + cmd_buffer = tee_alloc_cmd_buffer(tee); + if (!cmd_buffer) { tee_free_ring(tee); return -ENOMEM; } - cmd_buffer = __psp_pa((void *)cmd); - /* Send command buffer details to Trusted OS by writing to * CPU-PSP message registers */ - iowrite32(lower_32_bits(cmd_buffer), + iowrite32(lower_32_bits(cmd_buffer->paddr), tee->io_regs + tee->vdata->cmdbuff_addr_lo_reg); - iowrite32(upper_32_bits(cmd_buffer), + iowrite32(upper_32_bits(cmd_buffer->paddr), tee->io_regs + tee->vdata->cmdbuff_addr_hi_reg); iowrite32(TEE_RING_INIT_CMD, tee->io_regs + tee->vdata->cmdresp_reg); @@ -157,7 +189,7 @@ static int tee_init_ring(struct psp_tee_device *tee) } free_buf: - tee_free_cmd_buffer(cmd); + tee_free_cmd_buffer(cmd_buffer); return ret; } @@ -167,7 +199,7 @@ static void tee_destroy_ring(struct psp_tee_device *tee) unsigned int reg; int ret; - if (!tee->rb_mgr.ring_start) + if (!tee->rb_mgr.ring_buf->vaddr) return; if (psp_dead) @@ -256,7 +288,7 @@ static int tee_submit_cmd(struct psp_tee_device *tee, enum tee_cmd_id cmd_id, do { /* Get pointer to ring buffer command entry */ cmd = (struct tee_ring_cmd *) - (tee->rb_mgr.ring_start + tee->rb_mgr.wptr); + (tee->rb_mgr.ring_buf->vaddr + tee->rb_mgr.wptr); rptr = ioread32(tee->io_regs + tee->vdata->ring_rptr_reg); @@ -305,7 +337,7 @@ static int tee_submit_cmd(struct psp_tee_device *tee, enum tee_cmd_id cmd_id, /* Update local copy of write pointer */ tee->rb_mgr.wptr += sizeof(struct tee_ring_cmd); - if (tee->rb_mgr.wptr >= tee->rb_mgr.ring_size) + if (tee->rb_mgr.wptr >= tee->rb_mgr.ring_buf->size) tee->rb_mgr.wptr = 0; /* Trigger interrupt to Trusted OS */ diff --git a/drivers/crypto/ccp/tee-dev.h b/drivers/crypto/ccp/tee-dev.h index 49d26158b71e..9238487ee8bf 100644 --- a/drivers/crypto/ccp/tee-dev.h +++ b/drivers/crypto/ccp/tee-dev.h @@ -16,6 +16,7 @@ #include <linux/device.h> #include <linux/mutex.h> +#include <linux/psp-tee.h> #define TEE_DEFAULT_TIMEOUT 10 #define MAX_BUFFER_SIZE 988 @@ -48,17 +49,13 @@ struct tee_init_ring_cmd { /** * struct ring_buf_manager - Helper structure to manage ring buffer. - * @ring_start: starting address of ring buffer - * @ring_size: size of ring buffer in bytes - * @ring_pa: physical address of ring buffer * @wptr: index to the last written entry in ring buffer + * @ring_buf: ring buffer allocated using DMA api */ struct ring_buf_manager { struct mutex mutex; /* synchronizes access to ring buffer */ - void *ring_start; - u32 ring_size; - phys_addr_t ring_pa; u32 wptr; + struct dma_buffer *ring_buf; }; struct psp_tee_device { diff --git a/include/linux/psp-tee.h b/include/linux/psp-tee.h index cb0c95d6d76b..c0fa922f24d4 100644 --- a/include/linux/psp-tee.h +++ b/include/linux/psp-tee.h @@ -13,6 +13,7 @@ #include <linux/types.h> #include <linux/errno.h> +#include <linux/dma-mapping.h> /* This file defines the Trusted Execution Environment (TEE) interface commands * and the API exported by AMD Secure Processor driver to communicate with @@ -40,6 +41,20 @@ enum tee_cmd_id { TEE_CMD_ID_UNMAP_SHARED_MEM, }; +/** + * struct dma_buffer - Structure for a DMA buffer. + * @dma: DMA buffer address + * @paddr: Physical address of DMA buffer + * @vaddr: CPU virtual address of DMA buffer + * @size: Size of DMA buffer in bytes + */ +struct dma_buffer { + dma_addr_t dma; + phys_addr_t paddr; + void *vaddr; + unsigned long size; +}; + #ifdef CONFIG_CRYPTO_DEV_SP_PSP /** * psp_tee_process_cmd() - Process command in Trusted Execution Environment @@ -75,6 +90,28 @@ int psp_tee_process_cmd(enum tee_cmd_id cmd_id, void *buf, size_t len, */ int psp_check_tee_status(void); +/** + * psp_tee_alloc_dmabuf() - Allocates memory of requested size and flags using + * dma_alloc_coherent() API. + * + * This function can be used to allocate a shared memory region between the + * host and PSP TEE. + * + * Returns: + * non-NULL a valid pointer to struct dma_buffer + * NULL on failure + */ +struct dma_buffer *psp_tee_alloc_dmabuf(unsigned long size, gfp_t gfp); + +/** + * psp_tee_free_dmabuf() - Deallocates memory using dma_free_coherent() API. + * + * This function can be used to release shared memory region between host + * and PSP TEE. + * + */ +void psp_tee_free_dmabuf(struct dma_buffer *dma_buffer); + #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ static inline int psp_tee_process_cmd(enum tee_cmd_id cmd_id, void *buf, @@ -87,5 +124,15 @@ static inline int psp_check_tee_status(void) { return -ENODEV; } + +static inline +struct dma_buffer *psp_tee_alloc_dmabuf(unsigned long size, gfp_t gfp) +{ + return NULL; +} + +static inline void psp_tee_free_dmabuf(struct dma_buffer *dma_buffer) +{ +} #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ #endif /* __PSP_TEE_H_ */ -- 2.25.1

2 years

[PATCH] usb: gadget: aspeed_udc: Add check for dma_alloc_coherent

by Jiasheng Jiang

Add the check for the return value of dma_alloc_coherent in order to avoid NULL pointer dereference. Fixes: 055276c13205 ("usb: gadget: add Aspeed ast2600 udc driver") Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- drivers/usb/gadget/udc/aspeed_udc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c index 01968e2167f9..6cf46562bb25 100644 --- a/drivers/usb/gadget/udc/aspeed_udc.c +++ b/drivers/usb/gadget/udc/aspeed_udc.c @@ -1516,6 +1516,8 @@ static int ast_udc_probe(struct platform_device *pdev) AST_UDC_EP_DMA_SIZE * AST_UDC_NUM_ENDPOINTS, &udc->ep0_buf_dma, GFP_KERNEL); + if (!udc->ep0_buf) + return -ENOMEM; udc->gadget.speed = USB_SPEED_UNKNOWN; udc->gadget.max_speed = USB_SPEED_HIGH; -- 2.25.1

2 years

[PATCH] net: ksz884x: Remove the unused function port_cfg_force_flow_ctrl()

by Jiapeng Chong

The function port_cfg_force_flow_ctrl() is defined in the ksz884x.c file, but not called elsewhere, so remove this unused function. drivers/net/ethernet/micrel/ksz884x.c:2212:20: warning: unused function 'port_cfg_force_flow_ctrl'. Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3418 Reported-by: Abaci Robot <abaci(a)linux.alibaba.com> Signed-off-by: Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> --- drivers/net/ethernet/micrel/ksz884x.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/drivers/net/ethernet/micrel/ksz884x.c b/drivers/net/ethernet/micrel/ksz884x.c index e6acd1e7b263..46f1fbf58b5a 100644 --- a/drivers/net/ethernet/micrel/ksz884x.c +++ b/drivers/net/ethernet/micrel/ksz884x.c @@ -2209,12 +2209,6 @@ static inline void port_cfg_back_pressure(struct ksz_hw *hw, int p, int set) KS8842_PORT_CTRL_2_OFFSET, PORT_BACK_PRESSURE, set); } -static inline void port_cfg_force_flow_ctrl(struct ksz_hw *hw, int p, int set) -{ - port_cfg(hw, p, - KS8842_PORT_CTRL_2_OFFSET, PORT_FORCE_FLOW_CTRL, set); -} - static inline int port_chk_back_pressure(struct ksz_hw *hw, int p) { return port_chk(hw, p, -- 2.20.1.7.g153144c

2 years

[PATCH v3 00/20] drm: Introduce Kunit Tests to VC4

by Maxime Ripard

Hi, This series introduce Kunit tests to the vc4 KMS driver, but unlike what we have been doing so far in KMS, it actually tests the atomic modesetting code. In order to do so, I've had to improve a fair bit on the Kunit helpers already found in the tree in order to register a full blown and somewhat functional KMS driver. It's of course relying on a mock so that we can test it anywhere. The mocking approach created a number of issues, the main one being that we need to create a decent mock in the first place, see patch 22. The basic idea is that I created some structures to provide a decent approximation of the actual hardware, and that would support both major architectures supported by vc4. This is of course meant to evolve over time and support more tests, but I've focused on testing the HVS FIFO assignment code which is fairly tricky (and the tests have actually revealed one more bug with our current implementation). I used to have a userspace implementation of those tests, where I would copy and paste the kernel code and run the tests on a regular basis. It's was obviously fairly suboptimal, so it seemed like the perfect testbed for that series. It can be run using: ./tools/testing/kunit/kunit.py run \ --kunitconfig=drivers/gpu/drm/vc4/tests/.kunitconfig \ --cross_compile aarch64-linux-gnu- --arch arm64 Let me know what you think, Maxime To: David Airlie <airlied(a)gmail.com> To: Daniel Vetter <daniel(a)ffwll.ch> To: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> To: Maxime Ripard <mripard(a)kernel.org> To: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Dave Stevenson <dave.stevenson(a)raspberrypi.com> Cc: Javier Martinez Canillas <javierm(a)redhat.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Maíra Canal <mairacanal(a)riseup.net> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: linux-kselftest(a)vger.kernel.org Cc: kunit-dev(a)googlegroups.com Cc: dri-devel(a)lists.freedesktop.org Cc: linux-kernel(a)vger.kernel.org Cc: linux-media(a)vger.kernel.org Cc: linaro-mm-sig(a)lists.linaro.org Signed-off-by: Maxime Ripard <maxime(a)cerno.tech> --- Changes in v3: - Add a Kconfig option for the KUnit helpers - Switch to EXPORT_SYMBOL_GPL for the helpers - Add some documentation on how to run the tests - Add some documentation for __vc4_crtc_init - Fix KUnit casing - Link to v2: https://lore.kernel.org/r/20221123-rpi-kunit-tests-v2-0-efe5ed518b63@cerno.… Changes in v2: - Added some documentation for public functions - Removed the fake device probe/remove workqueue - Made sure the tests could be compiled as modules - Moved the vc4 tests in the vc4 module - Applied some of the preliminary patches - Rebased on top of current drm-misc-next branch - Fixed checkpatch issues - Introduced BCM2835 (Pi0-3) tests for muxing - Introduced tests to cover past bugs we had - Link to v1: https://lore.kernel.org/r/20221123-rpi-kunit-tests-v1-0-051a0bb60a16@cerno.… --- Maxime Ripard (20): drm/tests: helpers: Move the helper header to include/drm drm/tests: Introduce a config option for the KUnit helpers drm/tests: helpers: Document drm_kunit_device_init() drm/tests: helpers: Switch to EXPORT_SYMBOL_GPL drm/tests: helpers: Rename the device init helper drm/tests: helpers: Remove the name parameter drm/tests: helpers: Create the device in another function drm/tests: helpers: Switch to a platform_device drm/tests: helpers: Make sure the device is bound drm/tests: helpers: Allow for a custom device struct to be allocated drm/tests: helpers: Allow to pass a custom drm_driver drm/tests: Add a test for DRM managed actions drm/vc4: Move HVS state to main header drm/vc4: crtc: Introduce a lower-level crtc init helper drm/vc4: crtc: Make encoder lookup helper public drm/vc4: hvs: Provide a function to initialize the HVS structure drm/vc4: tests: Introduce a mocking infrastructure drm/vc4: tests: Fail the current test if we access a register drm/vc4: tests: Add unit test suite for the PV muxing Documentation: gpu: vc4: Add KUnit Tests Section Documentation/gpu/vc4.rst | 16 + drivers/gpu/drm/Kconfig | 7 + drivers/gpu/drm/Makefile | 2 +- drivers/gpu/drm/tests/Makefile | 5 +- drivers/gpu/drm/tests/drm_client_modeset_test.c | 19 +- drivers/gpu/drm/tests/drm_kunit_helpers.c | 106 ++- drivers/gpu/drm/tests/drm_kunit_helpers.h | 11 - drivers/gpu/drm/tests/drm_managed_test.c | 71 ++ drivers/gpu/drm/tests/drm_modes_test.c | 19 +- drivers/gpu/drm/tests/drm_probe_helper_test.c | 20 +- drivers/gpu/drm/vc4/Kconfig | 16 + drivers/gpu/drm/vc4/Makefile | 7 + drivers/gpu/drm/vc4/tests/.kunitconfig | 13 + drivers/gpu/drm/vc4/tests/vc4_mock.c | 200 +++++ drivers/gpu/drm/vc4/tests/vc4_mock.h | 63 ++ drivers/gpu/drm/vc4/tests/vc4_mock_crtc.c | 41 + drivers/gpu/drm/vc4/tests/vc4_mock_output.c | 138 +++ drivers/gpu/drm/vc4/tests/vc4_mock_plane.c | 47 + drivers/gpu/drm/vc4/tests/vc4_test_pv_muxing.c | 1039 +++++++++++++++++++++++ drivers/gpu/drm/vc4/vc4_crtc.c | 120 ++- drivers/gpu/drm/vc4/vc4_dpi.c | 13 +- drivers/gpu/drm/vc4/vc4_drv.c | 4 +- drivers/gpu/drm/vc4/vc4_drv.h | 91 +- drivers/gpu/drm/vc4/vc4_dsi.c | 9 +- drivers/gpu/drm/vc4/vc4_hdmi_regs.h | 4 + drivers/gpu/drm/vc4/vc4_hvs.c | 81 +- drivers/gpu/drm/vc4/vc4_kms.c | 25 +- drivers/gpu/drm/vc4/vc4_txp.c | 15 +- drivers/gpu/drm/vc4/vc4_vec.c | 13 +- include/drm/drm_kunit_helpers.h | 91 ++ 30 files changed, 2132 insertions(+), 174 deletions(-) --- base-commit: 199557fab92548f8e9d5207e385097213abe0cab change-id: 20221123-rpi-kunit-tests-87a388492a73 Best regards, -- Maxime Ripard <maxime(a)cerno.tech>

2 years

[PATCH] dma-buf: fix dma_buf_export init order

by Christian König

The init order and resulting error handling in dma_buf_export was pretty messy. Subordinate objects like the file and the sysfs kernel objects were initializing and wiring itself up with the object in the wrong order resulting not only in complicating and partially incorrect error handling, but also in publishing only halve initialized DMA-buf objects. Clean this up thoughtfully by allocating the file independent of the DMA-buf object. Then allocate and initialize the DMA-buf object itself, before publishing it through sysfs. If everything works as expected the file is then connected with the DMA-buf object and publish it through debugfs. Also adds the missing dma_resv_fini() into the error handling. Signed-off-by: Christian König <christian.koenig(a)amd.com> --- drivers/dma-buf/dma-buf-sysfs-stats.c | 7 +-- drivers/dma-buf/dma-buf-sysfs-stats.h | 4 +- drivers/dma-buf/dma-buf.c | 65 +++++++++++++-------------- 3 files changed, 34 insertions(+), 42 deletions(-) diff --git a/drivers/dma-buf/dma-buf-sysfs-stats.c b/drivers/dma-buf/dma-buf-sysfs-stats.c index 2bba0babcb62..4b680e10c15a 100644 --- a/drivers/dma-buf/dma-buf-sysfs-stats.c +++ b/drivers/dma-buf/dma-buf-sysfs-stats.c @@ -168,14 +168,11 @@ void dma_buf_uninit_sysfs_statistics(void) kset_unregister(dma_buf_stats_kset); } -int dma_buf_stats_setup(struct dma_buf *dmabuf) +int dma_buf_stats_setup(struct dma_buf *dmabuf, struct file *file) { struct dma_buf_sysfs_entry *sysfs_entry; int ret; - if (!dmabuf || !dmabuf->file) - return -EINVAL; - if (!dmabuf->exp_name) { pr_err("exporter name must not be empty if stats needed\n"); return -EINVAL; @@ -192,7 +189,7 @@ int dma_buf_stats_setup(struct dma_buf *dmabuf) /* create the directory for buffer stats */ ret = kobject_init_and_add(&sysfs_entry->kobj, &dma_buf_ktype, NULL, - "%lu", file_inode(dmabuf->file)->i_ino); + "%lu", file_inode(file)->i_ino); if (ret) goto err_sysfs_dmabuf; diff --git a/drivers/dma-buf/dma-buf-sysfs-stats.h b/drivers/dma-buf/dma-buf-sysfs-stats.h index a49c6e2650cc..7a8a995b75ba 100644 --- a/drivers/dma-buf/dma-buf-sysfs-stats.h +++ b/drivers/dma-buf/dma-buf-sysfs-stats.h @@ -13,7 +13,7 @@ int dma_buf_init_sysfs_statistics(void); void dma_buf_uninit_sysfs_statistics(void); -int dma_buf_stats_setup(struct dma_buf *dmabuf); +int dma_buf_stats_setup(struct dma_buf *dmabuf, struct file *file); void dma_buf_stats_teardown(struct dma_buf *dmabuf); #else @@ -25,7 +25,7 @@ static inline int dma_buf_init_sysfs_statistics(void) static inline void dma_buf_uninit_sysfs_statistics(void) {} -static inline int dma_buf_stats_setup(struct dma_buf *dmabuf) +static inline int dma_buf_stats_setup(struct dma_buf *dmabuf, struct file *file) { return 0; } diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index e6f36c014c4c..ea08049b70ae 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -614,19 +614,11 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) size_t alloc_size = sizeof(struct dma_buf); int ret; - if (!exp_info->resv) - alloc_size += sizeof(struct dma_resv); - else - /* prevent &dma_buf[1] == dma_buf->resv */ - alloc_size += 1; - - if (WARN_ON(!exp_info->priv - || !exp_info->ops - || !exp_info->ops->map_dma_buf - || !exp_info->ops->unmap_dma_buf - || !exp_info->ops->release)) { + if (WARN_ON(!exp_info->priv || !exp_info->ops + || !exp_info->ops->map_dma_buf + || !exp_info->ops->unmap_dma_buf + || !exp_info->ops->release)) return ERR_PTR(-EINVAL); - } if (WARN_ON(exp_info->ops->cache_sgt_mapping && (exp_info->ops->pin || exp_info->ops->unpin))) @@ -638,10 +630,21 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) if (!try_module_get(exp_info->owner)) return ERR_PTR(-ENOENT); + file = dma_buf_getfile(exp_info->size, exp_info->flags); + if (IS_ERR(file)) { + ret = PTR_ERR(file); + goto err_module; + } + + if (!exp_info->resv) + alloc_size += sizeof(struct dma_resv); + else + /* prevent &dma_buf[1] == dma_buf->resv */ + alloc_size += 1; dmabuf = kzalloc(alloc_size, GFP_KERNEL); if (!dmabuf) { ret = -ENOMEM; - goto err_module; + goto err_file; } dmabuf->priv = exp_info->priv; @@ -653,44 +656,36 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) init_waitqueue_head(&dmabuf->poll); dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll; dmabuf->cb_in.active = dmabuf->cb_out.active = 0; + mutex_init(&dmabuf->lock); + INIT_LIST_HEAD(&dmabuf->attachments); if (!resv) { - resv = (struct dma_resv *)&dmabuf[1]; - dma_resv_init(resv); + dmabuf->resv = (struct dma_resv *)&dmabuf[1]; + dma_resv_init(dmabuf->resv); + } else { + dmabuf->resv = resv; } - dmabuf->resv = resv; - file = dma_buf_getfile(dmabuf, exp_info->flags); - if (IS_ERR(file)) { - ret = PTR_ERR(file); + ret = dma_buf_stats_setup(dmabuf, file); + if (ret) goto err_dmabuf; - } + file->private_data = dmabuf; + file->f_path.dentry->d_fsdata = dmabuf; dmabuf->file = file; - mutex_init(&dmabuf->lock); - INIT_LIST_HEAD(&dmabuf->attachments); - mutex_lock(&db_list.lock); list_add(&dmabuf->list_node, &db_list.head); mutex_unlock(&db_list.lock); - ret = dma_buf_stats_setup(dmabuf); - if (ret) - goto err_sysfs; - return dmabuf; -err_sysfs: - /* - * Set file->f_path.dentry->d_fsdata to NULL so that when - * dma_buf_release() gets invoked by dentry_ops, it exits - * early before calling the release() dma_buf op. - */ - file->f_path.dentry->d_fsdata = NULL; - fput(file); err_dmabuf: + if (!resv) + dma_resv_fini(dmabuf->resv); kfree(dmabuf); +err_file: + fput(file); err_module: module_put(exp_info->owner); return ERR_PTR(ret); -- 2.34.1

2 years

[PATCH] dma-buf: Fix possible UAF in dma_buf_export

by Gaosheng Cui

Smatch report warning as follows: drivers/dma-buf/dma-buf.c:681 dma_buf_export() warn: '&dmabuf->list_node' not removed from list If dma_buf_stats_setup() fails in dma_buf_export(), goto err_sysfs and dmabuf will be freed, but dmabuf->list_node will not be removed from db_list.head, then list traversal may cause UAF. Fix by removeing it from db_list.head before free(). Fixes: ef3a6b70507a ("dma-buf: call dma_buf_stats_setup after dmabuf is in valid list") Signed-off-by: Gaosheng Cui <cuigaosheng1(a)huawei.com> --- drivers/dma-buf/dma-buf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index b809513b03fe..6848f50226d5 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -675,6 +675,9 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) return dmabuf; err_sysfs: + mutex_lock(&db_list.lock); + list_del(&dmabuf->list_node); + mutex_unlock(&db_list.lock); /* * Set file->f_path.dentry->d_fsdata to NULL so that when * dma_buf_release() gets invoked by dentry_ops, it exits -- 2.25.1

2 years

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig December 2022