Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

15 participants
3026 discussions

[PATCH] dma-buf: Fix SET_NAME ioctl uapi

by Daniel Vetter

The uapi is the same on 32 and 64 bit, but the number isnt. Everyone who botched this please re-read: https://www.kernel.org/doc/html/v5.4-preprc-cpu/ioctl/botching-up-ioctls.ht… Also, the type argument for the ioctl macros is for the type the void __user *arg pointer points at, which in this case would be the variable-sized char[] of a 0 terminated string. So this was botched in more than just the usual ways. Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: Chenbo Feng <fengc(a)google.com> Cc: Greg Hackmann <ghackmann(a)google.com> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: linux-media(a)vger.kernel.org Cc: linaro-mm-sig(a)lists.linaro.org Cc: minchan(a)kernel.org Cc: surenb(a)google.com Cc: jenhaochen(a)google.com Cc: Martin Liu <liumartin(a)google.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> --- drivers/dma-buf/dma-buf.c | 3 ++- include/uapi/linux/dma-buf.h | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 570c923023e6..1d923b8e4c59 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -388,7 +388,8 @@ static long dma_buf_ioctl(struct file *file, return ret; - case DMA_BUF_SET_NAME: + case DMA_BUF_SET_NAME_A: + case DMA_BUF_SET_NAME_B: return dma_buf_set_name(dmabuf, (const char __user *)arg); default: diff --git a/include/uapi/linux/dma-buf.h b/include/uapi/linux/dma-buf.h index dbc7092e04b5..21dfac815dc0 100644 --- a/include/uapi/linux/dma-buf.h +++ b/include/uapi/linux/dma-buf.h @@ -39,6 +39,10 @@ struct dma_buf_sync { #define DMA_BUF_BASE 'b' #define DMA_BUF_IOCTL_SYNC _IOW(DMA_BUF_BASE, 0, struct dma_buf_sync) +/* 32/64bitness of this uapi was botched in android, there's no difference + * between them in actual uapi, they're just different numbers. */ #define DMA_BUF_SET_NAME _IOW(DMA_BUF_BASE, 1, const char *) +#define DMA_BUF_SET_NAME_A _IOW(DMA_BUF_BASE, 1, u32) +#define DMA_BUF_SET_NAME_B _IOW(DMA_BUF_BASE, 1, u64) #endif -- 2.25.1

5 years, 4 months

Re: [Linaro-mm-sig] [PATCH] drm/amdgpu: remove conversion to bool in amdgpu_device.c

by Christian König

Am 27.04.20 um 08:36 schrieb Jason Yan: > The '>' expression itself is bool, no need to convert it to bool again. > This fixes the following coccicheck warning: > > drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:3004:68-73: WARNING: > conversion to bool not needed here > > Signed-off-by: Jason Yan <yanaijie(a)huawei.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c > index 3d601d5dd5af..ad94de3632d8 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c > @@ -3000,7 +3000,7 @@ int amdgpu_device_init(struct amdgpu_device *adev, > INIT_WORK(&adev->xgmi_reset_work, amdgpu_device_xgmi_reset_func); > > adev->gfx.gfx_off_req_count = 1; > - adev->pm.ac_power = power_supply_is_system_supplied() > 0 ? true : false; > + adev->pm.ac_power = power_supply_is_system_supplied() > 0; > > /* Registers mapping */ > /* TODO: block userspace mapping of io register */

5 years, 4 months

Re: [Linaro-mm-sig] KASAN: use-after-free Read in vkms_dumb_create

by Hillf Danton

Sun, 26 Apr 2020 20:48:12 -0700 > syzbot found the following crash on: > > HEAD commit: c578ddb3 Merge tag 'linux-kselftest-5.7-rc3' of git://git... > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=10fbf0d8100000 > kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68 > dashboard link: https://syzkaller.appspot.com/bug?extid=e3372a2afe1e7ef04bc7 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15438330100000 > > Bisection is inconclusive: the first bad commit could be any of: > > 85b5bafb drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs() > dff1c703 drm/tinydrm: Use drm_fbdev_generic_setup() > 23167fa9 drm/panel: simple: Add support for Rocktech RK070ER9427 LCD panel > 9060d7f4 drm/fb-helper: Finish the generic fbdev emulation > 2230ca12 dt-bindings: display: Document the EDT et* displays in one file. > e896c132 drm/debugfs: Add internal client debugfs file > 894a677f drm/cma-helper: Use the generic fbdev emulation > aa7e6455 drm/panel: Add support for the EDT ETM0700G0BDH6 > 244007ec drm/pl111: Set .gem_prime_vmap and .gem_prime_mmap > aad34de2 drm/panel: Add support for the EDT ETM0700G0EDH6 > 7a6aca49 dt-bindings: Add vendor prefix for DLC Display Co., Ltd. > d536540f drm/fb-helper: Add generic fbdev emulation .fb_probe function > 0ca0c827 drm/panel: simple: Add DLC DLC0700YZG-1 panel > c76f0f7c drm: Begin an API for in-kernel clients > 5ba57bab drm: vkms: select DRM_KMS_HELPER > 5fa8e4a2 drm/panel: Make of_drm_find_panel() return an ERR_PTR() instead of NULL > 008095e0 drm/vc4: Add support for the transposer block > c59eb3cf drm/panel: Let of_drm_find_panel() return -ENODEV when the panel is disabled > 1ebe99a7 drm/vc4: Call drm_atomic_helper_fake_vblank() in the commit path > 2e64a174 drm/of: Make drm_of_find_panel_or_bridge() fail when the device is disabled > 1b9883ea drm/vc4: Support the case where the DSI device is disabled > 6fb42b66 drm/atomic: Call fake_vblank() from the generic commit_tail() helpers > b0b7aa40 dt-bindings: display: Add DT bindings for BOE HV070WSA-100 panel > b25c60af drm/crtc: Add a generic infrastructure to fake VBLANK events > 184d3cf4 drm/vc4: Use wait_for_flip_done() instead of wait_for_vblanks() > ae8cf41b drm/panel: simple: Add support for BOE HV070WSA-100 panel to simple-panel > 814bde99 drm/connector: Make ->atomic_commit() optional > 955f60db drm: Add support for extracting sync signal drive edge from videomode > 3b39ad7a drm/panel: simple: Add newhaven, nhd-4.3-480272ef-atxl LCD > 425132fd drm/connector: Pass a drm_connector_state to ->atomic_commit() > a5d2ade6 drm/panel: simple: Add support for Innolux G070Y2-L01 > b82c1f8f drm/atomic: Avoid connector to writeback_connector casts > 03fa9aa3 dt-bindings: Add DataImage, Inc. vendor prefix > 73915b2b drm/writeback: Fix the "overview" section of the doc > 97ceb1fb drm/panel: simple: Add support for DataImage SCF0700C48GGU18 > e22e9531 Merge drm-upstream/drm-next into drm-misc-next > 3d5664f9 drm/panel: ili9881c: Fix missing assignment to error return ret > a0120245 drm/crc: Only report a single overflow when a CRC fd is opened > 7ad4e463 drm/panel: p079zca: Refactor panel driver to support multiple panels > 8adbbb2e drm/stm: ltdc: rework reset sequence > 48bd379a drm/panel: p079zca: Add variable unprepare_delay properties > 7868e507 drm/stm: ltdc: filter mode pixel clock vs pad constraint > 731edd4c dt-bindings: Add Innolux P097PFG panel bindings > f8878bb2 drm: print plane state normalized zpos value > ca52bea9 drm/atomic-helper: Use bitwise or for filling a bitmask > de04a462 drm/panel: p079zca: Support Innolux P097PFG panel > 2bb7a39c dt-bindings: Add vendor prefix for kingdisplay > a65020d0 drm/v3d: Fix a grammar nit in the scheduler docs. > 2dd4f211 drm/v3d: Add missing v3d documentation structure. > ebc950fd dt-bindings: Add KINGDISPLAY KD097D04 panel bindings > cd0e0ca6 drm/panel: type promotion bug in s6e8aa0_read_mtp_id() > e0d01811 drm/v3d: Remove unnecessary dma_fence_ops. > 624bb0c0 drm/v3d: Delay the scheduler timeout if we're still making progress. > b6d83fcc drm/panel: p079zca: Use of_device_get_match_data() > 408633d2 drm/v3d: use new return type vm_fault_t in v3d_gem_fault > decac6b0 dt-bindings: display: sun4i-drm: Add R40 display engine compatible > 0b7510d1 drm/tilcdc: Use drm_connector_has_possible_encoder() > d978a94b drm/sun4i: Add R40 display engine compatible > af11942e drm/sun4i: tcon-top: Cleanup clock handling > f8222409 drm/msm: Use drm_connector_has_possible_encoder() > 38cb8d96 drm: Add drm_connector_has_possible_encoder() > da82107e drm/sun4i: tcon: Release node when traversing of graph > 7a667775 dt-bindings: display: sun4i-drm: Add R40 TV TCON description > 7b71ca24 drm/radeon: Use drm_connector_for_each_possible_encoder() > 4a068c5c drm/sun4i: DW HDMI: Release nodes if error happens during CRTC search > ddba766d drm/nouveau: Use drm_connector_for_each_possible_encoder() > 98c0e348 drm/amdgpu: Use drm_connector_for_each_possible_encoder() > e0f56782 drm/sun4i: mixer: Order includes alphabetically > 05db311a drm/sun4i: tcon-top: Add helpers for mux switching > 83aefbb8 drm: Add drm_connector_for_each_possible_encoder() > 20431c05 drm/i915: Nuke intel_mst_best_encoder() > 5e496566 drm/sun4i: tcon-top: Remove mux configuration at probe time > 0d998891 drm/fb-helper: Eliminate the .best_encoder() usage > ac1fe132 dt-bindings: display: sun4i-drm: Fix order of DW HDMI PHY compatibles > 03e3ec9a drm/panel: simple: Add Sharp LQ035Q7DB03 panel support > c91b007e drm/vkms: Add extra information about vkms > 5685ca0c drm/tinydrm: Fix doc build warnings > 854502fa drm/vkms: Add basic CRTC initialization > ae61f61f drm/client: Fix: drm_client_new: Don't require DRM to be registered > c04372ea drm/vkms: Add mode_config initialization > 41111ce1 drm/vkms: vkms_driver can be static > 559e50fd drm/vkms: Add dumb operations > 1c7c5fd9 drm/vkms: Introduce basic VKMS driver > 657cd71e drm: gma500: Changed __attribute__((packed)) to __packed > d1648930 drm/vkms: Add connectors helpers > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b65cdfe00000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+e3372a2afe1e7ef04bc7(a)syzkaller.appspotmail.com > > ================================================================== > BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142 > Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558 > > CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x188/0x20d lib/dump_stack.c:118 > print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382 > __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511 > kasan_report+0x33/0x50 mm/kasan/common.c:625 > vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142 > drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94 > drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787 > drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887 > vfs_ioctl fs/ioctl.c:47 [inline] > ksys_ioctl+0x11a/0x180 fs/ioctl.c:763 > __do_sys_ioctl fs/ioctl.c:772 [inline] > __se_sys_ioctl fs/ioctl.c:770 [inline] > __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770 > do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 > entry_SYSCALL_64_after_hwframe+0x49/0xb3 > RIP: 0033:0x45c829 > Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 > RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 > RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829 > RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003 > RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff > R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4 > > Allocated by task 9558: > save_stack+0x1b/0x40 mm/kasan/common.c:49 > set_track mm/kasan/common.c:57 [inline] > __kasan_kmalloc mm/kasan/common.c:495 [inline] > __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468 > kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551 > __vkms_gem_create+0x44/0xf0 include/linux/slab.h:555 > vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:111 [inline] > vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline] > vkms_dumb_create+0x110/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138 > drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94 > drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787 > drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887 > vfs_ioctl fs/ioctl.c:47 [inline] > ksys_ioctl+0x11a/0x180 fs/ioctl.c:763 > __do_sys_ioctl fs/ioctl.c:772 [inline] > __se_sys_ioctl fs/ioctl.c:770 [inline] > __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770 > do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 > entry_SYSCALL_64_after_hwframe+0x49/0xb3 > > Freed by task 9558: > save_stack+0x1b/0x40 mm/kasan/common.c:49 > set_track mm/kasan/common.c:57 [inline] > kasan_set_free_info mm/kasan/common.c:317 [inline] > __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456 > __cache_free mm/slab.c:3426 [inline] > kfree+0x109/0x2b0 mm/slab.c:3757 > drm_gem_object_free+0xf0/0x1f0 drivers/gpu/drm/drm_gem.c:983 > kref_put include/linux/kref.h:65 [inline] > drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline] > drm_gem_object_put_unlocked+0x190/0x1c0 drivers/gpu/drm/drm_gem.c:1002 > vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:116 [inline] > vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline] > vkms_dumb_create+0x14d/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138 > drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94 > drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787 > drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887 > vfs_ioctl fs/ioctl.c:47 [inline] > ksys_ioctl+0x11a/0x180 fs/ioctl.c:763 > __do_sys_ioctl fs/ioctl.c:772 [inline] > __se_sys_ioctl fs/ioctl.c:770 [inline] > __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770 > do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 > entry_SYSCALL_64_after_hwframe+0x49/0xb3 > > The buggy address belongs to the object at ffff88809e537000 > which belongs to the cache kmalloc-1k of size 1024 > The buggy address is located 272 bytes inside of > 1024-byte region [ffff88809e537000, ffff88809e537400) > The buggy address belongs to the page: > page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0 > flags: 0xfffe0000000200(slab) > raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40 > raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > >ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ================================================================== Nothing to do if we're allowed to do nothing in the error case. --- a/drivers/gpu/drm/vkms/vkms_gem.c +++ b/drivers/gpu/drm/vkms/vkms_gem.c @@ -113,7 +113,6 @@ struct drm_gem_object *vkms_gem_create(s return ERR_CAST(obj); ret = drm_gem_handle_create(file, &obj->gem, handle); - drm_gem_object_put_unlocked(&obj->gem); if (ret) return ERR_PTR(ret);

5 years, 4 months

Re: [Linaro-mm-sig] [PATCH] misc: sram: Add dma-heap-export reserved SRAM area type

by John Stultz

On Fri, Apr 24, 2020 at 3:27 PM Andrew F. Davis <afd(a)ti.com> wrote: > This new export type exposes to userspace the SRAM area as a DMA-Heap, > this allows for allocations as DMA-BUFs that can be consumed by various > DMA-BUF supporting devices. > > Signed-off-by: Andrew F. Davis <afd(a)ti.com> Nice! Very excited to have the first new heap (that didn't come with the initial patchset)! Overall looks good! I don't have any comment on the SRAM side of things, but a few minor questions/nits below. > diff --git a/drivers/misc/sram-dma-heap.c b/drivers/misc/sram-dma-heap.c > new file mode 100644 > index 000000000000..38df0397f294 > --- /dev/null > +++ b/drivers/misc/sram-dma-heap.c > @@ -0,0 +1,243 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * SRAM DMA-Heap userspace exporter > + * > + * Copyright (C) 2019 Texas Instruments Incorporated - http://www.ti.com/ > + * Andrew F. Davis <afd(a)ti.com> > + */ > + > +#include <linux/dma-mapping.h> > +#include <linux/err.h> > +#include <linux/genalloc.h> > +#include <linux/io.h> > +#include <linux/mm.h> > +#include <linux/scatterlist.h> > +#include <linux/slab.h> > +#include <linux/dma-buf.h> > +#include <linux/dma-heap.h> > + > +#include "sram.h" > + > +struct sram_dma_heap { > + struct dma_heap *heap; > + struct gen_pool *pool; > +}; > + > +struct sram_dma_heap_buffer { > + struct gen_pool *pool; > + struct list_head attachments; > + struct mutex attachments_lock; > + unsigned long len; > + void *vaddr; > + phys_addr_t paddr; > +}; > + > +struct dma_heap_attachment { > + struct device *dev; > + struct sg_table *table; > + struct list_head list; > +}; > + > +static int dma_heap_attach(struct dma_buf *dmabuf, > + struct dma_buf_attachment *attachment) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + struct dma_heap_attachment *a; > + struct sg_table *table; > + > + a = kzalloc(sizeof(*a), GFP_KERNEL); > + if (!a) > + return -ENOMEM; > + > + table = kmalloc(sizeof(*table), GFP_KERNEL); > + if (!table) { > + kfree(a); > + return -ENOMEM; > + } > + if (sg_alloc_table(table, 1, GFP_KERNEL)) { > + kfree(table); > + kfree(a); > + return -ENOMEM; > + } > + sg_set_page(table->sgl, pfn_to_page(PFN_DOWN(buffer->paddr)), buffer->len, 0); > + > + a->table = table; > + a->dev = attachment->dev; > + INIT_LIST_HEAD(&a->list); > + > + attachment->priv = a; > + > + mutex_lock(&buffer->attachments_lock); > + list_add(&a->list, &buffer->attachments); > + mutex_unlock(&buffer->attachments_lock); > + > + return 0; > +} > + > +static void dma_heap_detatch(struct dma_buf *dmabuf, > + struct dma_buf_attachment *attachment) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + struct dma_heap_attachment *a = attachment->priv; > + > + mutex_lock(&buffer->attachments_lock); > + list_del(&a->list); > + mutex_unlock(&buffer->attachments_lock); > + > + sg_free_table(a->table); > + kfree(a->table); > + kfree(a); > +} > + > +static struct sg_table *dma_heap_map_dma_buf(struct dma_buf_attachment *attachment, > + enum dma_data_direction direction) > +{ > + struct dma_heap_attachment *a = attachment->priv; > + struct sg_table *table = a->table; > + > + if (!dma_map_sg_attrs(attachment->dev, table->sgl, table->nents, > + direction, DMA_ATTR_SKIP_CPU_SYNC)) Might be nice to have a comment as to why you're using SKIP_CPU_SYNC and why it's safe. > + return ERR_PTR(-ENOMEM); > + > + return table; > +} > + > +static void dma_heap_unmap_dma_buf(struct dma_buf_attachment *attachment, > + struct sg_table *table, > + enum dma_data_direction direction) > +{ > + dma_unmap_sg_attrs(attachment->dev, table->sgl, table->nents, > + direction, DMA_ATTR_SKIP_CPU_SYNC); > +} > + > +static void dma_heap_dma_buf_release(struct dma_buf *dmabuf) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + > + gen_pool_free(buffer->pool, (unsigned long)buffer->vaddr, buffer->len); > + kfree(buffer); > +} > + > +static int dma_heap_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + int ret; > + > + /* SRAM mappings are not cached */ > + vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot); > + > + ret = vm_iomap_memory(vma, buffer->paddr, buffer->len); > + if (ret) > + pr_err("Could not map buffer to userspace\n"); > + > + return ret; > +} > + > +static void *dma_heap_vmap(struct dma_buf *dmabuf) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + > + return buffer->vaddr; > +} > + > +const struct dma_buf_ops sram_dma_heap_buf_ops = { > + .attach = dma_heap_attach, > + .detach = dma_heap_detatch, > + .map_dma_buf = dma_heap_map_dma_buf, > + .unmap_dma_buf = dma_heap_unmap_dma_buf, > + .release = dma_heap_dma_buf_release, > + .mmap = dma_heap_mmap, > + .vmap = dma_heap_vmap, > +}; No begin/end_cpu_access functions here? I'm guessing it's because you're always using SKIP_CPU_SYNC so it wouldn't do anything? A small comment in the code might help. > + > +static int sram_dma_heap_allocate(struct dma_heap *heap, > + unsigned long len, > + unsigned long fd_flags, > + unsigned long heap_flags) > +{ > + struct sram_dma_heap *sram_dma_heap = dma_heap_get_drvdata(heap); > + struct sram_dma_heap_buffer *buffer; > + > + DEFINE_DMA_BUF_EXPORT_INFO(exp_info); > + struct dma_buf *dmabuf; > + int ret; > + > + buffer = kzalloc(sizeof(*buffer), GFP_KERNEL); > + if (!buffer) > + return -ENOMEM; > + buffer->pool = sram_dma_heap->pool; > + INIT_LIST_HEAD(&buffer->attachments); > + mutex_init(&buffer->attachments_lock); > + buffer->len = len; > + > + buffer->vaddr = (void *)gen_pool_alloc(buffer->pool, buffer->len); > + if (!buffer->vaddr) { > + ret = -ENOMEM; > + goto free_buffer; > + } > + > + buffer->paddr = gen_pool_virt_to_phys(buffer->pool, (unsigned long)buffer->vaddr); > + if (buffer->paddr == -1) { > + ret = -ENOMEM; > + goto free_pool; > + } > + > + /* create the dmabuf */ > + exp_info.ops = &sram_dma_heap_buf_ops; > + exp_info.size = buffer->len; > + exp_info.flags = fd_flags; > + exp_info.priv = buffer; > + dmabuf = dma_buf_export(&exp_info); > + if (IS_ERR(dmabuf)) { > + ret = PTR_ERR(dmabuf); > + goto free_pool; > + } > + > + ret = dma_buf_fd(dmabuf, fd_flags); > + if (ret < 0) { > + dma_buf_put(dmabuf); > + /* just return, as put will call release and that will free */ > + return ret; > + } > + > + return ret; > + > +free_pool: > + gen_pool_free(buffer->pool, (unsigned long)buffer->vaddr, buffer->len); > +free_buffer: > + kfree(buffer); > + > + return ret; > +} > + > +static struct dma_heap_ops sram_dma_heap_ops = { > + .allocate = sram_dma_heap_allocate, > +}; > + > +int sram_dma_heap_export(struct sram_dev *sram, This is totally a bikeshed thing (feel free to ignore), but maybe sram_dma_heap_create() or _add() would be a better name to avoid folks mixing it up with the dmabuf exporter? > + struct sram_reserve *block, > + phys_addr_t start, > + struct sram_partition *part) > +{ > + struct sram_dma_heap *sram_dma_heap; > + struct dma_heap_export_info exp_info; > + > + dev_info(sram->dev, "Exporting SRAM pool '%s'\n", block->label); Again, shed issue: but for terminology consistency (at least in the dmabuf heaps space), maybe heap instead of pool? Thanks so much again for submitting this! -john

5 years, 4 months

Re: [Linaro-mm-sig] [PATCH] dma-buf: heaps: Initialize during core instead of subsys

by John Stultz

On Fri, Apr 24, 2020 at 3:18 PM Andrew F. Davis <afd(a)ti.com> wrote: > > Some clients of DMA-Heaps probe earlier than subsys_initcall(), this > can cause issues when these clients call dma_heap_add() before the > core DMA-Heaps framework has initialized. DMA-Heaps should initialize > during core startup to get ahead of all users. > > Signed-off-by: Andrew F. Davis <afd(a)ti.com> No objection from me right off. Acked-by: John Stultz <john.stultz(a)linaro.org> thanks -john

5 years, 4 months

decruft the vmalloc API v2

by Christoph Hellwig

Hi all, Peter noticed that with some dumb luck you can toast the kernel address space with exported vmalloc symbols. I used this as an opportunity to decruft the vmalloc.c API and make it much more systematic. This also removes any chance to create vmalloc mappings outside the designated areas or using executable permissions from modules. Besides that it removes more than 300 lines of code. A git tree is also available here: git://git.infradead.org/users/hch/misc.git sanitize-vmalloc-api.2 Gitweb: http://git.infradead.org/users/hch/misc.git/shortlog/refs/heads/sanitize-vm… Changes since v1: - implement pgprot_nx for arm64 (Mark Rutland) - fix a patch description - properly pass pgprot to vmap in ion - add a new patch to fix vmap() API misuse - fix a vmap argument in x86 - two more vmalloc cleanups - cleanup use of the unmap_kernel_range API - rename ioremap_pbh to ioremap_phb

5 years, 4 months

[PATCH] staging: android: ion: Skip sync if not mapped

by Ørjan Eide

Only sync the sg-list of an Ion dma-buf attachment when the attachment is actually mapped on the device. dma-bufs may be synced at any time. It can be reached from user space via DMA_BUF_IOCTL_SYNC, so there are no guarantees from callers on when syncs may be attempted, and dma_buf_end_cpu_access() and dma_buf_begin_cpu_access() may not be paired. Since the sg_list's dma_address isn't set up until the buffer is used on the device, and dma_map_sg() is called on it, the dma_address will be NULL if sync is attempted on the dma-buf before it's mapped on a device. Before v5.0 (commit 55897af63091 ("dma-direct: merge swiotlb_dma_ops into the dma_direct code")) this was a problem as the dma-api (at least the swiotlb_dma_ops on arm64) would use the potentially invalid dma_address. How that failed depended on how the device handled physical address 0. If 0 was a valid address to physical ram, that page would get flushed a lot, while the actual pages in the buffer would not get synced correctly. While if 0 is an invalid physical address it may cause a fault and trigger a crash. In v5.0 this was incidentally fixed by commit 55897af63091 ("dma-direct: merge swiotlb_dma_ops into the dma_direct code"), as this moved the dma-api to use the page pointer in the sg_list, and (for Ion buffers at least) this will always be valid if the sg_list exists at all. But, this issue is re-introduced in v5.3 with commit 449fa54d6815 ("dma-direct: correct the physical addr in dma_direct_sync_sg_for_cpu/device") moves the dma-api back to the old behaviour and picks the dma_address that may be invalid. dma-buf core doesn't ensure that the buffer is mapped on the device, and thus have a valid sg_list, before calling the exporter's begin_cpu_access. Signed-off-by: Ørjan Eide <orjan.eide(a)arm.com> --- drivers/staging/android/ion/ion.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) This seems to be part of a bigger issue where dma-buf exporters assume that their dma-buf begin_cpu_access and end_cpu_access callbacks have a certain guaranteed behavior, which isn't ensured by dma-buf core. This patch fixes this in ion only, but it also needs to be fixed for other exporters, either handled like this in each exporter, or in dma-buf core before calling into the exporters. diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 38b51eace4f9..7b752ba0cb6d 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -173,6 +173,7 @@ struct ion_dma_buf_attachment { struct device *dev; struct sg_table *table; struct list_head list; + bool mapped:1; }; static int ion_dma_buf_attach(struct dma_buf *dmabuf, @@ -195,6 +196,7 @@ static int ion_dma_buf_attach(struct dma_buf *dmabuf, a->table = table; a->dev = attachment->dev; INIT_LIST_HEAD(&a->list); + a->mapped = false; attachment->priv = a; @@ -231,6 +233,8 @@ static struct sg_table *ion_map_dma_buf(struct dma_buf_attachment *attachment, direction)) return ERR_PTR(-ENOMEM); + a->mapped = true; + return table; } @@ -238,6 +242,10 @@ static void ion_unmap_dma_buf(struct dma_buf_attachment *attachment, struct sg_table *table, enum dma_data_direction direction) { + struct ion_dma_buf_attachment *a = attachment->priv; + + a->mapped = false; + dma_unmap_sg(attachment->dev, table->sgl, table->nents, direction); } @@ -297,6 +305,8 @@ static int ion_dma_buf_begin_cpu_access(struct dma_buf *dmabuf, mutex_lock(&buffer->lock); list_for_each_entry(a, &buffer->attachments, list) { + if (!a->mapped) + continue; dma_sync_sg_for_cpu(a->dev, a->table->sgl, a->table->nents, direction); } @@ -320,6 +330,8 @@ static int ion_dma_buf_end_cpu_access(struct dma_buf *dmabuf, mutex_lock(&buffer->lock); list_for_each_entry(a, &buffer->attachments, list) { + if (!a->mapped) + continue; dma_sync_sg_for_device(a->dev, a->table->sgl, a->table->nents, direction); } -- 2.17.1 IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 4 months

Re: [Linaro-mm-sig] [PATCH 10/28] mm: only allow page table mappings for built-in zsmalloc

by Minchan Kim

Hi Sergey, On Fri, Apr 10, 2020 at 11:38:45AM +0900, Sergey Senozhatsky wrote: > On (20/04/09 10:08), Minchan Kim wrote: > > > > Even though I don't know how many usecase we have using zsmalloc as > > > > module(I heard only once by dumb reason), it could affect existing > > > > users. Thus, please include concrete explanation in the patch to > > > > justify when the complain occurs. > > > > > > The justification is 'we can unexport functions that have no sane reason > > > of being exported in the first place'. > > > > > > The Changelog pretty much says that. > > > > Okay, I hope there is no affected user since this patch. > > If there are someone, they need to provide sane reason why they want > > to have zsmalloc as module. > > I'm one of those who use zsmalloc as a module - mainly because I use zram > as a compressing general purpose block device, not as a swap device. > I create zram0, mkfs, mount, checkout and compile code, once done - > umount, rmmod. This reduces the number of writes to SSD. Some people use > tmpfs, but zram device(-s) can be much larger in size. That's a niche use > case and I'm not against the patch. It doesn't mean we couldn't use zsmalloc as module any longer. It means we couldn't use zsmalloc as module with pgtable mapping whcih was little bit faster on microbenchmark in some architecutre(However, I usually temped to remove it since it had several problems). However, we could still use zsmalloc as module as copy way instead of pgtable mapping. Thus, if someone really want to rollback the feature, they should provide reasonable reason why it doesn't work for them. "A little fast" wouldn't be enough to exports deep internal to the module. Thanks.

5 years, 5 months

decruft the vmalloc API

by Christoph Hellwig

5 years, 5 months

[PATCH v2] staging: android: ion: use macro DEFINE_DEBUGFS_ATTRIBUTE to define debugfs fops

by R Veera Kumar

It is more clear to use DEFINE_DEBUGFS_ATTRIBUTE to define debugfs file operation rather than DEFINE_SIMPLE_ATTRIBUTE. Found using coccinelle. Signed-off-by: R Veera Kumar <vkor(a)vkten.in> --- Changes in v2: - Give correct explanation for patch - Adjust git commit tag and msg accordingly --- drivers/staging/android/ion/ion.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 38b51eace4f9..dbe4018a6f83 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -554,8 +554,8 @@ static int debug_shrink_get(void *data, u64 *val) return 0; } -DEFINE_SIMPLE_ATTRIBUTE(debug_shrink_fops, debug_shrink_get, - debug_shrink_set, "%llu\n"); +DEFINE_DEBUGFS_ATTRIBUTE(debug_shrink_fops, debug_shrink_get, + debug_shrink_set, "%llu\n"); void ion_device_add_heap(struct ion_heap *heap) { -- 2.20.1

5 years, 5 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig