Linaro-mm-sig October 2023

linaro-mm-sig@lists.linaro.org

24 participants
18 discussions

[PATCH v2 00/11] Add mediate-drm secure flow for SVP

by Jason-JH.Lin

The patch series provides drm driver support for enabling secure video path (SVP) playback on MediaiTek hardware in the Linux kernel. Memory Definitions: secure memory - Memory allocated in the TEE (Trusted Execution Environment) which is inaccessible in the REE (Rich Execution Environment, i.e. linux kernel/userspace). secure handle - Integer value which acts as reference to 'secure memory'. Used in communication between TEE and REE to reference 'secure memory'. secure buffer - 'secure memory' that is used to store decrypted, compressed video or for other general purposes in the TEE. secure surface - 'secure memory' that is used to store graphic buffers. Memory Usage in SVP: The overall flow of SVP starts with encrypted video coming in from an outside source into the REE. The REE will then allocate a 'secure buffer' and send the corresponding 'secure handle' along with the encrypted, compressed video data to the TEE. The TEE will then decrypt the video and store the result in the 'secure buffer'. The REE will then allocate a 'secure surface'. The REE will pass the 'secure handles' for both the 'secure buffer' and 'secure surface' into the TEE for video decoding. The video decoder HW will then decode the contents of the 'secure buffer' and place the result in the 'secure surface'. The REE will then attach the 'secure surface' to the overlay plane for rendering of the video. Everything relating to ensuring security of the actual contents of the 'secure buffer' and 'secure surface' is out of scope for the REE and is the responsibility of the TEE. DRM driver handles allocation of gem objects that are backed by a 'secure surface' and for displaying a 'secure surface' on the overlay plane. This introduces a new flag for object creation called DRM_MTK_GEM_CREATE_ENCRYPTED which indicates it should be a 'secure surface'. All changes here are in MediaTek specific code. --- Based on 3 series and 1 patch: [1] dma-buf: heaps: Add MediaTek secure heap - https://patchwork.kernel.org/project/linux-mediatek/list/?series=782776 [2] add driver to support secure video decoder - https://patchwork.kernel.org/project/linux-mediatek/list/?series=782922 [3] soc: mediatek: Add register definitions for GCE - https://patchwork.kernel.org/project/linux-mediatek/patch/20231017064717.21… [4] Add CMDQ secure driver for SVP - https://patchwork.kernel.org/project/linux-mediatek/list/?series=795502 --- Change in v2: 1. remove the DRIVER_RDNDER flag for mtk_drm_ioctl 2. move cmdq_insert_backup_cookie into client driver 3. move secure gce node define from mt8195-cherry.dtsi to mt8195.dtsi --- CK Hu (1): drm/mediatek: Add interface to allocate MediaTek GEM buffer. Jason-JH.Lin (10): drm/mediatek/uapi: Add DRM_MTK_GEM_CREATED_ENCRYPTTED flag drm/mediatek: Add secure buffer control flow to mtk_drm_gem drm/mediatek: Add secure identify flag and funcution to mtk_drm_plane drm/mediatek: Add mtk_ddp_sec_write to config secure buffer info drm/mediatek: Add get_sec_port interface to mtk_ddp_comp drm/mediatek: Add secure layer config support for ovl drm/mediatek: Add secure layer config support for ovl_adaptor drm/mediatek: Add secure flow support to mediatek-drm drm/mediatek: Add cmdq_insert_backup_cookie before secure pkt finalize arm64: dts: mt8195: Add secure mbox settings for vdosys arch/arm64/boot/dts/mediatek/mt8195.dtsi | 6 +- drivers/gpu/drm/mediatek/mtk_disp_drv.h | 3 + drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 31 +- .../gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 15 + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 274 +++++++++++++++++- drivers/gpu/drm/mediatek/mtk_drm_crtc.h | 1 + drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c | 14 + drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h | 13 + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 13 + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 121 ++++++++ drivers/gpu/drm/mediatek/mtk_drm_gem.h | 16 + drivers/gpu/drm/mediatek/mtk_drm_plane.c | 7 + drivers/gpu/drm/mediatek/mtk_drm_plane.h | 2 + drivers/gpu/drm/mediatek/mtk_mdp_rdma.c | 11 +- drivers/gpu/drm/mediatek/mtk_mdp_rdma.h | 2 + include/uapi/drm/mediatek_drm.h | 59 ++++ 16 files changed, 570 insertions(+), 18 deletions(-) create mode 100644 include/uapi/drm/mediatek_drm.h -- 2.18.0

6 months, 2 weeks

Re: [PATCH] drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL

by Alex Deucher

Applied. Thanks! Alex On Mon, Oct 23, 2023 at 9:06 AM <qu.huang(a)linux.dev> wrote: > > In certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log: > > 1. Navigate to the directory: /sys/kernel/debug/dri/0 > 2. Execute command: cat amdgpu_regs_smc > 3. Exception Log:: > [4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000 > [4005007.702562] #PF: supervisor instruction fetch in kernel mode > [4005007.702567] #PF: error_code(0x0010) - not-present page > [4005007.702570] PGD 0 P4D 0 > [4005007.702576] Oops: 0010 [#1] SMP NOPTI > [4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u > [4005007.702590] RIP: 0010:0x0 > [4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. > [4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206 > [4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68 > [4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000 > [4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980 > [4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000 > [4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000 > [4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000 > [4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0 > [4005007.702633] Call Trace: > [4005007.702636] <TASK> > [4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu] > [4005007.703002] full_proxy_read+0x5c/0x80 > [4005007.703011] vfs_read+0x9f/0x1a0 > [4005007.703019] ksys_read+0x67/0xe0 > [4005007.703023] __x64_sys_read+0x19/0x20 > [4005007.703028] do_syscall_64+0x5c/0xc0 > [4005007.703034] ? do_user_addr_fault+0x1e3/0x670 > [4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0 > [4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20 > [4005007.703052] ? irqentry_exit+0x19/0x30 > [4005007.703057] ? exc_page_fault+0x89/0x160 > [4005007.703062] ? asm_exc_page_fault+0x8/0x30 > [4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae > [4005007.703075] RIP: 0033:0x7f5e07672992 > [4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24 > [4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 > [4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992 > [4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003 > [4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010 > [4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000 > [4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 > [4005007.703105] </TASK> > [4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca > [4005007.703184] CR2: 0000000000000000 > [4005007.703188] ---[ end trace ac65a538d240da39 ]--- > [4005007.800865] RIP: 0010:0x0 > [4005007.800871] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. > [4005007.800874] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206 > [4005007.800878] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68 > [4005007.800881] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000 > [4005007.800883] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980 > [4005007.800886] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000 > [4005007.800888] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000 > [4005007.800891] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000 > [4005007.800895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [4005007.800898] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0 > > Signed-off-by: Qu Huang <qu.huang(a)linux.dev> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c > index a4faea4..05405da 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c > @@ -748,6 +748,9 @@ static ssize_t amdgpu_debugfs_regs_smc_read(struct file *f, char __user *buf, > ssize_t result = 0; > int r; > > + if (!adev->smc_rreg) > + return -EPERM; > + > if (size & 0x3 || *pos & 0x3) > return -EINVAL; > > @@ -804,6 +807,9 @@ static ssize_t amdgpu_debugfs_regs_smc_write(struct file *f, const char __user * > ssize_t result = 0; > int r; > > + if (!adev->smc_wreg) > + return -EPERM; > + > if (size & 0x3 || *pos & 0x3) > return -EINVAL; > > -- > 1.8.3.1

6 months, 2 weeks

[syzbot] [dri?] WARNING in drm_prime_fd_to_handle_ioctl

by syzbot

Hello, syzbot found the following issue on: HEAD commit: 1c8b86a3799f Merge tag 'xsa441-6.6-tag' of git://git.kerne.. git tree: upstream console+strace: https://syzkaller.appspot.com/x/log.txt?x=13005e31680000 kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10 dashboard link: https://syzkaller.appspot.com/bug?extid=0da81ccba2345eeb7f48 compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c48345680000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101b3679680000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/45e9377886e9/disk-1c8b86a3.raw… vmlinux: https://storage.googleapis.com/syzbot-assets/9511a41a6d1e/vmlinux-1c8b86a3.… kernel image: https://storage.googleapis.com/syzbot-assets/fac07e1c3c1a/bzImage-1c8b86a3.… The issue was bisected to: commit 85e26dd5100a182bf8448050427539c0a66ab793 Author: Christian König <christian.koenig(a)amd.com> Date: Thu Jan 26 09:24:26 2023 +0000 drm/client: fix circular reference counting issue bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14cf17f1680000 final oops: https://syzkaller.appspot.com/x/report.txt?x=16cf17f1680000 console output: https://syzkaller.appspot.com/x/log.txt?x=12cf17f1680000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+0da81ccba2345eeb7f48(a)syzkaller.appspotmail.com Fixes: 85e26dd5100a ("drm/client: fix circular reference counting issue") ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5040 at drivers/gpu/drm/drm_prime.c:326 drm_gem_prime_fd_to_handle drivers/gpu/drm/drm_prime.c:326 [inline] WARNING: CPU: 0 PID: 5040 at drivers/gpu/drm/drm_prime.c:326 drm_prime_fd_to_handle_ioctl+0x555/0x600 drivers/gpu/drm/drm_prime.c:374 Modules linked in: CPU: 0 PID: 5040 Comm: syz-executor405 Not tainted 6.6.0-rc5-syzkaller-00055-g1c8b86a3799f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 RIP: 0010:drm_gem_prime_fd_to_handle drivers/gpu/drm/drm_prime.c:326 [inline] RIP: 0010:drm_prime_fd_to_handle_ioctl+0x555/0x600 drivers/gpu/drm/drm_prime.c:374 Code: 89 df e8 0e 9b 26 fd f0 48 ff 03 e9 7e fd ff ff e8 b0 dc d0 fc 4c 89 f7 44 89 eb e8 75 73 8b 05 e9 da fe ff ff e8 9b dc d0 fc <0f> 0b e9 5d fd ff ff e8 3f 94 26 fd e9 3a fc ff ff 48 8b 7c 24 08 RSP: 0018:ffffc90003a5fc70 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888018f14c00 RCX: 0000000000000000 RDX: ffff88801d691dc0 RSI: ffffffff84b6ea15 RDI: ffff8881476f3928 RBP: ffff88801fac5400 R08: 0000000000000007 R09: fffffffffffff000 R10: ffff8881476f3800 R11: 0000000000000000 R12: ffffc90003a5fe10 R13: ffff8881476f3800 R14: ffff88801c590c10 R15: 0000000000000000 FS: 00005555555d6380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555db75f4058 CR3: 0000000072209000 CR4: 0000000000350ef0 Call Trace: <TASK> drm_ioctl_kernel+0x280/0x4c0 drivers/gpu/drm/drm_ioctl.c:789 drm_ioctl+0x5cb/0xbf0 drivers/gpu/drm/drm_ioctl.c:892 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl fs/ioctl.c:857 [inline] __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f0c8214be69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff6f4156f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0c8214be69 RDX: 0000000020000000 RSI: 00000000c00c642e RDI: 0000000000000003 RBP: 0000000000000000 R08: 00000000000000a0 R09: 00000000000000a0 R10: 00000000000000a0 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f0c821c3820 R14: 00007fff6f415720 R15: 00007fff6f415710 </TASK> --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller(a)googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection If the bug is already fixed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite bug's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the bug is a duplicate of another bug, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup

6 months, 3 weeks

[PATCH][next] dma-buf: Fix NULL pointer dereference in dma_fence_enable_sw_signaling()

by Gustavo A. R. Silva

Currently, a NULL pointer dereference will happen in function `dma_fence_enable_sw_signaling()` (at line 615), in case `chain` is not allocated in `mock_chain()` and this function returns `NULL` (at line 86). See below: drivers/dma-buf/st-dma-fence-chain.c: 86 chain = mock_chain(NULL, f, 1); 87 if (!chain) 88 err = -ENOMEM; 89 90 dma_fence_enable_sw_signaling(chain); drivers/dma-buf/dma-fence.c: 611 void dma_fence_enable_sw_signaling(struct dma_fence *fence) 612 { 613 unsigned long flags; 614 615 spin_lock_irqsave(fence->lock, flags); ^^^^^^^^^^^ | NULL pointer reference if fence == NULL 616 __dma_fence_enable_signaling(fence); 617 spin_unlock_irqrestore(fence->lock, flags); 618 } Fix this by adding a NULL check before dereferencing `fence` in `dma_fence_enable_sw_signaling()`. This will prevent any other NULL pointer dereference when the `fence` passed as an argument is `NULL`. Addresses-Coverity: ("Dereference after null check") Fixes: d62c43a953ce ("dma-buf: Enable signaling on fence for selftests") Cc: stable(a)vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavoars(a)kernel.org> --- drivers/dma-buf/dma-fence.c | 9 ++++++++- include/linux/dma-fence.h | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c index 8aa8f8cb7071..4d2f13560d0f 100644 --- a/drivers/dma-buf/dma-fence.c +++ b/drivers/dma-buf/dma-fence.c @@ -607,14 +607,21 @@ static bool __dma_fence_enable_signaling(struct dma_fence *fence) * This will request for sw signaling to be enabled, to make the fence * complete as soon as possible. This calls &dma_fence_ops.enable_signaling * internally. + * + * Returns 0 on success and a negative error value when @fence is NULL. */ -void dma_fence_enable_sw_signaling(struct dma_fence *fence) +int dma_fence_enable_sw_signaling(struct dma_fence *fence) { unsigned long flags; + if (!fence) + return -EINVAL; + spin_lock_irqsave(fence->lock, flags); __dma_fence_enable_signaling(fence); spin_unlock_irqrestore(fence->lock, flags); + + return 0; } EXPORT_SYMBOL(dma_fence_enable_sw_signaling); diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h index ebe78bd3d121..1e4025e925e6 100644 --- a/include/linux/dma-fence.h +++ b/include/linux/dma-fence.h @@ -399,7 +399,7 @@ int dma_fence_add_callback(struct dma_fence *fence, dma_fence_func_t func); bool dma_fence_remove_callback(struct dma_fence *fence, struct dma_fence_cb *cb); -void dma_fence_enable_sw_signaling(struct dma_fence *fence); +int dma_fence_enable_sw_signaling(struct dma_fence *fence); /** * dma_fence_is_signaled_locked - Return an indication if the fence -- 2.34.1

7 months

[PATCH] dma-buf: Fix NULL pointer dereference in sanitycheck()

by Pavel Sakharov

If mock_chain() returns NULL, NULL pointer is dereferenced in dma_fence_enable_sw_signaling(). Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Pavel Sakharov <p.sakharov(a)ispras.ru> Fixes: d62c43a953ce ("dma-buf: Enable signaling on fence for selftests") --- drivers/dma-buf/st-dma-fence-chain.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/st-dma-fence-chain.c b/drivers/dma-buf/st-dma-fence-chain.c index c0979c8049b5..661de4add4c7 100644 --- a/drivers/dma-buf/st-dma-fence-chain.c +++ b/drivers/dma-buf/st-dma-fence-chain.c @@ -84,11 +84,11 @@ static int sanitycheck(void *arg) return -ENOMEM; chain = mock_chain(NULL, f, 1); - if (!chain) + if (chain) + dma_fence_enable_sw_signaling(chain); + else err = -ENOMEM; - dma_fence_enable_sw_signaling(chain); - dma_fence_signal(f); dma_fence_put(f); -- 2.42.0

7 months

[REGRESSION] BUG: KFENCE: memory corruption in drm_gem_put_pages+0x186/0x250

by Oleksandr Natalenko

Hello. I've got a VM from a cloud provider, and since v6.5 I observe the following kfence splat in dmesg during boot: ``` BUG: KFENCE: memory corruption in drm_gem_put_pages+0x186/0x250 Corrupted memory at 0x00000000e173a294 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#108): drm_gem_put_pages+0x186/0x250 drm_gem_shmem_put_pages_locked+0x43/0xc0 drm_gem_shmem_object_vunmap+0x83/0xe0 drm_gem_vunmap_unlocked+0x46/0xb0 drm_fbdev_generic_helper_fb_dirty+0x1dc/0x310 drm_fb_helper_damage_work+0x96/0x170 process_one_work+0x254/0x470 worker_thread+0x55/0x4f0 kthread+0xe8/0x120 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1b/0x30 kfence-#108: 0x00000000cda343af-0x00000000aec2c095, size=3072, cache=kmalloc-4k allocated by task 51 on cpu 0 at 14.668667s: drm_gem_get_pages+0x94/0x2b0 drm_gem_shmem_get_pages+0x5d/0x110 drm_gem_shmem_object_vmap+0xc4/0x1e0 drm_gem_vmap_unlocked+0x3c/0x70 drm_client_buffer_vmap+0x23/0x50 drm_fbdev_generic_helper_fb_dirty+0xae/0x310 drm_fb_helper_damage_work+0x96/0x170 process_one_work+0x254/0x470 worker_thread+0x55/0x4f0 kthread+0xe8/0x120 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1b/0x30 freed by task 51 on cpu 0 at 14.668697s: drm_gem_put_pages+0x186/0x250 drm_gem_shmem_put_pages_locked+0x43/0xc0 drm_gem_shmem_object_vunmap+0x83/0xe0 drm_gem_vunmap_unlocked+0x46/0xb0 drm_fbdev_generic_helper_fb_dirty+0x1dc/0x310 drm_fb_helper_damage_work+0x96/0x170 process_one_work+0x254/0x470 worker_thread+0x55/0x4f0 kthread+0xe8/0x120 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1b/0x30 CPU: 0 PID: 51 Comm: kworker/0:2 Not tainted 6.5.0-pf4 #1 8b557a4173114d86eef7240f7a080080cfc4617e Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events drm_fb_helper_damage_work ``` This repeats a couple of times and then stops. Currently, I'm running v6.5.5. So far, there's no impact on how VM functions for me. The VGA adapter is as follows: 00:02.0 VGA compatible controller: Cirrus Logic GD 5446 Please check. Thanks. -- Oleksandr Natalenko (post-factum)

7 months

Re: [PATCH 01/10] drm/mediatek: Add interface to allocate MediaTek GEM buffer.

by Jeffrey Kardatzke

You can remove the DRIVER_RENDER flag from this patchset. That should not be upstreamed. The IOCTLs are still needed though because of the flag for allocating a secure surface that is in the next patch. If that flag wasn't needed, then dumb buffer allocations could be used instead. Thanks, Jeff Kardatzke

7 months, 1 week

[PATCH] dma-buf: heaps: Fix off by one in cma_heap_vm_fault()

by Dan Carpenter

The buffer->pages[] has "buffer->pagecount" elements so this > comparison has to be changed to >= to avoid reading beyond the end of the array. The buffer->pages[] array is allocated in cma_heap_allocate(). Fixes: a5d2d29e24be ("dma-buf: heaps: Move heap-helper logic into the cma_heap implementation") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/dma-buf/heaps/cma_heap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/heaps/cma_heap.c b/drivers/dma-buf/heaps/cma_heap.c index ee899f8e6721..bea7e574f916 100644 --- a/drivers/dma-buf/heaps/cma_heap.c +++ b/drivers/dma-buf/heaps/cma_heap.c @@ -165,7 +165,7 @@ static vm_fault_t cma_heap_vm_fault(struct vm_fault *vmf) struct vm_area_struct *vma = vmf->vma; struct cma_heap_buffer *buffer = vma->vm_private_data; - if (vmf->pgoff > buffer->pagecount) + if (vmf->pgoff >= buffer->pagecount) return VM_FAULT_SIGBUS; vmf->page = buffer->pages[vmf->pgoff]; -- 2.39.2

7 months, 1 week

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig October 2023