July 2024 - Linux-stable-mirror

+ mm-hugetlb-fix-kernel-null-pointer-dereference-when-migrating-hugetlb-folio.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/hugetlb: fix kernel NULL pointer dereference when migrating hugetlb folio has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-hugetlb-fix-kernel-null-pointer-dereference-when-migrating-hugetlb-folio.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Miaohe Lin <linmiaohe(a)huawei.com> Subject: mm/hugetlb: fix kernel NULL pointer dereference when migrating hugetlb folio Date: Tue, 9 Jul 2024 20:04:33 +0800 A kernel crash was observed when migrating hugetlb folio: BUG: kernel NULL pointer dereference, address: 0000000000000008 PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 3435 Comm: bash Not tainted 6.10.0-rc6-00450-g8578ca01f21f #66 RIP: 0010:__folio_undo_large_rmappable+0x70/0xb0 RSP: 0018:ffffb165c98a7b38 EFLAGS: 00000097 RAX: fffffbbc44528090 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffffa30e000a2800 RSI: 0000000000000246 RDI: ffffa3153ffffcc0 RBP: fffffbbc44528000 R08: 0000000000002371 R09: ffffffffbe4e5868 R10: 0000000000000001 R11: 0000000000000001 R12: ffffa3153ffffcc0 R13: fffffbbc44468000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f5b3a716740(0000) GS:ffffa3151fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000010959a000 CR4: 00000000000006f0 Call Trace: <TASK> __folio_migrate_mapping+0x59e/0x950 __migrate_folio.constprop.0+0x5f/0x120 move_to_new_folio+0xfd/0x250 migrate_pages+0x383/0xd70 soft_offline_page+0x2ab/0x7f0 soft_offline_page_store+0x52/0x90 kernfs_fop_write_iter+0x12c/0x1d0 vfs_write+0x380/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xb9/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5b3a514887 RSP: 002b:00007ffe138fce68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f5b3a514887 RDX: 000000000000000c RSI: 0000556ab809ee10 RDI: 0000000000000001 RBP: 0000556ab809ee10 R08: 00007f5b3a5d1460 R09: 000000007fffffff R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c R13: 00007f5b3a61b780 R14: 00007f5b3a617600 R15: 00007f5b3a616a00 It's because hugetlb folio is passed to __folio_undo_large_rmappable() unexpectedly. large_rmappable flag is imperceptibly set to hugetlb folio since commit f6a8dd98a2ce ("hugetlb: convert alloc_buddy_hugetlb_folio to use a folio"). Then commit be9581ea8c05 ("mm: fix crashes from deferred split racing folio migration") makes folio_migrate_mapping() call folio_undo_large_rmappable() triggering the bug. Fix this issue by clearing large_rmappable flag for hugetlb folios. They don't need that flag set anyway. Link: https://lkml.kernel.org/r/20240709120433.4136700-1-linmiaohe@huawei.com Fixes: f6a8dd98a2ce ("hugetlb: convert alloc_buddy_hugetlb_folio to use a folio") Fixes: be9581ea8c05 ("mm: fix crashes from deferred split racing folio migration") Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/hugetlb.c~mm-hugetlb-fix-kernel-null-pointer-dereference-when-migrating-hugetlb-folio +++ a/mm/hugetlb.c @@ -2162,6 +2162,9 @@ static struct folio *alloc_buddy_hugetlb nid = numa_mem_id(); retry: folio = __folio_alloc(gfp_mask, order, nid, nmask); + /* Ensure hugetlb folio won't have large_rmappable flag set. */ + if (folio) + folio_clear_large_rmappable(folio); if (folio && !folio_ref_freeze(folio, 1)) { folio_put(folio); _ Patches currently in -mm which might be from linmiaohe(a)huawei.com are mm-hugetlb-fix-potential-race-in-__update_and_free_hugetlb_folio.patch mm-hugetlb-fix-kernel-null-pointer-dereference-when-migrating-hugetlb-folio.patch mm-memory-failure-remove-obsolete-mf_msg_different_compound.patch

7 months, 3 weeks

1
0
0 0

[PATCH 0/2] drm/msm/dpu: two fixes targeting 6.11

by Dmitry Baryshkov

Leonard Lausen reported an issue with suspend/resume of the sc7180 devices. Fix the WB atomic check, which caused the issue. Also make sure that DPU debugging logs are always directed to the drm_debug / DRIVER so that usual drm.debug masks work in an expected way. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> --- Dmitry Baryshkov (2): drm/msm/dpu1: don't choke on disabling the writeback connector drm/msm/dpu: don't play tricks with debug macros drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 ++------------ drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 14 +++++++------- 2 files changed, 9 insertions(+), 19 deletions(-) --- base-commit: 0b58e108042b0ed28a71cd7edf5175999955b233 change-id: 20240709-dpu-fix-wb-6cd57e3eb182 Best regards, -- Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>

7 months, 4 weeks

2
2
0 0

[PATCH v3] net: ks8851: Fix deadlock with the SPI chip variant

by Ronald Wahl

From: Ronald Wahl <ronald.wahl(a)raritan.com> When SMP is enabled and spinlocks are actually functional then there is a deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi and ks8851_irq: watchdog: BUG: soft lockup - CPU#0 stuck for 27s! call trace: queued_spin_lock_slowpath+0x100/0x284 do_raw_spin_lock+0x34/0x44 ks8851_start_xmit_spi+0x30/0xb8 ks8851_start_xmit+0x14/0x20 netdev_start_xmit+0x40/0x6c dev_hard_start_xmit+0x6c/0xbc sch_direct_xmit+0xa4/0x22c __qdisc_run+0x138/0x3fc qdisc_run+0x24/0x3c net_tx_action+0xf8/0x130 handle_softirqs+0x1ac/0x1f0 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x3c/0x58 do_softirq_own_stack+0x1c/0x28 __irq_exit_rcu+0x54/0x9c irq_exit_rcu+0x10/0x1c el1_interrupt+0x38/0x50 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x64/0x68 __netif_schedule+0x6c/0x80 netif_tx_wake_queue+0x38/0x48 ks8851_irq+0xb8/0x2c8 irq_thread_fn+0x2c/0x74 irq_thread+0x10c/0x1b0 kthread+0xc8/0xd8 ret_from_fork+0x10/0x20 This issue has not been identified earlier because tests were done on a device with SMP disabled and so spinlocks were actually NOPs. Now use spin_(un)lock_bh for TX queue related locking to avoid execution of softirq work synchronously that would lead to a deadlock. Fixes: 3dc5d4454545 ("net: ks8851: Fix TX stall caused by TX buffer overrun") Cc: "David S. Miller" <davem(a)davemloft.net> Cc: Eric Dumazet <edumazet(a)google.com> Cc: Jakub Kicinski <kuba(a)kernel.org> Cc: Paolo Abeni <pabeni(a)redhat.com> Cc: Simon Horman <horms(a)kernel.org> Cc: netdev(a)vger.kernel.org Cc: stable(a)vger.kernel.org # 5.10+ Signed-off-by: Ronald Wahl <ronald.wahl(a)raritan.com> --- V2: - use spin_lock_bh instead of moving netif_wake_queue outside of locked region (doing the same in the start_xmit function) - add missing net: tag V3: - spin_lock_bh(ks->statelock) always except in xmit which is in BH already drivers/net/ethernet/micrel/ks8851_common.c | 8 ++++---- drivers/net/ethernet/micrel/ks8851_spi.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/micrel/ks8851_common.c b/drivers/net/ethernet/micrel/ks8851_common.c index 6453c92f0fa7..13462811eaae 100644 --- a/drivers/net/ethernet/micrel/ks8851_common.c +++ b/drivers/net/ethernet/micrel/ks8851_common.c @@ -352,11 +352,11 @@ static irqreturn_t ks8851_irq(int irq, void *_ks) netif_dbg(ks, intr, ks->netdev, "%s: txspace %d\n", __func__, tx_space); - spin_lock(&ks->statelock); + spin_lock_bh(&ks->statelock); ks->tx_space = tx_space; if (netif_queue_stopped(ks->netdev)) netif_wake_queue(ks->netdev); - spin_unlock(&ks->statelock); + spin_unlock_bh(&ks->statelock); } if (status & IRQ_SPIBEI) { @@ -635,14 +635,14 @@ static void ks8851_set_rx_mode(struct net_device *dev) /* schedule work to do the actual set of the data if needed */ - spin_lock(&ks->statelock); + spin_lock_bh(&ks->statelock); if (memcmp(&rxctrl, &ks->rxctrl, sizeof(rxctrl)) != 0) { memcpy(&ks->rxctrl, &rxctrl, sizeof(ks->rxctrl)); schedule_work(&ks->rxctrl_work); } - spin_unlock(&ks->statelock); + spin_unlock_bh(&ks->statelock); } static int ks8851_set_mac_address(struct net_device *dev, void *addr) diff --git a/drivers/net/ethernet/micrel/ks8851_spi.c b/drivers/net/ethernet/micrel/ks8851_spi.c index 670c1de966db..3062cc0f9199 100644 --- a/drivers/net/ethernet/micrel/ks8851_spi.c +++ b/drivers/net/ethernet/micrel/ks8851_spi.c @@ -340,10 +340,10 @@ static void ks8851_tx_work(struct work_struct *work) tx_space = ks8851_rdreg16_spi(ks, KS_TXMIR); - spin_lock(&ks->statelock); + spin_lock_bh(&ks->statelock); ks->queued_len -= dequeued_len; ks->tx_space = tx_space; - spin_unlock(&ks->statelock); + spin_unlock_bh(&ks->statelock); ks8851_unlock_spi(ks, &flags); } -- 2.45.2

7 months, 4 weeks

3
2
0 0

[PATCH v3] drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes

by Ma Ke

In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Cc: stable(a)vger.kernel.org Fixes: 6a227d5fd6c4 ("gma500: Add support for Cedarview") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - added the recipient's email address, due to the prolonged absence of a response from the recipients. Changes in v2: - modified the patch according to suggestions from other patchs; - added Fixes line; - added Cc stable; - Link: https://lore.kernel.org/lkml/20240622072514.1867582-1-make24@iscas.ac.cn/T/ --- drivers/gpu/drm/gma500/cdv_intel_lvds.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/gma500/cdv_intel_lvds.c b/drivers/gpu/drm/gma500/cdv_intel_lvds.c index f08a6803dc18..3adc2c9ab72d 100644 --- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c +++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c @@ -311,6 +311,9 @@ static int cdv_intel_lvds_get_modes(struct drm_connector *connector) if (mode_dev->panel_fixed_mode != NULL) { struct drm_display_mode *mode = drm_mode_duplicate(dev, mode_dev->panel_fixed_mode); + if (!mode) + return 0; + drm_mode_probed_add(connector, mode); return 1; } -- 2.25.1

7 months, 4 weeks

3
2
0 0

[PATCH -next v3] scsi: sd: Fix an incorrect type in 'sd_spinup_disk()'

by Jiapeng Chong

The return value from the call to scsi_execute_cmd() is int. In the 'else if' branch of the function scsi_execute_cmd, it will return -EINVAL. But the type of "the_result" is "unsigned int", causing the error code to reverse. Modify the type of "the_result" to solve this problem. The code featuring the_result as the return value of the function scsi_execute_cmd is as follows: the_result = scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, NULL, 0, SD_TIMEOUT, sdkp->max_retries, &exec_args); if (the_result > 0) { ... } ./drivers/scsi/sd.c:2333:6-16: WARNING: Unsigned expression compared with zero: the_result > 0. Fixes: c1acf38cd11e ("scsi: sd: Have midlayer retry sd_spinup_disk() errors") Cc: stable(a)vger.kernel.org Reported-by: Abaci Robot <abaci(a)linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=9463 Signed-off-by: Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> --- Changes in v3: -Amend the commit message, Add "Fixes:" and "Cc: stable" tags. drivers/scsi/sd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 979795dad62b..ade8c6cca295 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -2396,7 +2396,7 @@ sd_spinup_disk(struct scsi_disk *sdkp) static const u8 cmd[10] = { TEST_UNIT_READY }; unsigned long spintime_expire = 0; int spintime, sense_valid = 0; - unsigned int the_result; + int the_result; struct scsi_sense_hdr sshdr; struct scsi_failure failure_defs[] = { /* Do not retry Medium Not Present */ -- 2.20.1.7.g153144c

7 months, 4 weeks

2
1
0 0

[PATCH AUTOSEL 5.10 01/14] Input: elantech - fix touchpad state on resume for Lenovo N24

by Sasha Levin

From: Jonathan Denose <jdenose(a)google.com> [ Upstream commit a69ce592cbe0417664bc5a075205aa75c2ec1273 ] The Lenovo N24 on resume becomes stuck in a state where it sends incorrect packets, causing elantech_packet_check_v4 to fail. The only way for the device to resume sending the correct packets is for it to be disabled and then re-enabled. This change adds a dmi check to trigger this behavior on resume. Signed-off-by: Jonathan Denose <jdenose(a)google.com> Link: https://lore.kernel.org/r/20240503155020.v2.1.Ifa0e25ebf968d8f307f58d678036… Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/input/mouse/elantech.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c index 400281feb4e8d..8246662fa60b7 100644 --- a/drivers/input/mouse/elantech.c +++ b/drivers/input/mouse/elantech.c @@ -1476,16 +1476,47 @@ static void elantech_disconnect(struct psmouse *psmouse) psmouse->private = NULL; } +/* + * Some hw_version 4 models fail to properly activate absolute mode on + * resume without going through disable/enable cycle. + */ +static const struct dmi_system_id elantech_needs_reenable[] = { +#if defined(CONFIG_DMI) && defined(CONFIG_X86) + { + /* Lenovo N24 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "81AF"), + }, + }, +#endif + { } +}; + /* * Put the touchpad back into absolute mode when reconnecting */ static int elantech_reconnect(struct psmouse *psmouse) { + int err; + psmouse_reset(psmouse); if (elantech_detect(psmouse, 0)) return -1; + if (dmi_check_system(elantech_needs_reenable)) { + err = ps2_command(&psmouse->ps2dev, NULL, PSMOUSE_CMD_DISABLE); + if (err) + psmouse_warn(psmouse, "failed to deactivate mouse on %s: %d\n", + psmouse->ps2dev.serio->phys, err); + + err = ps2_command(&psmouse->ps2dev, NULL, PSMOUSE_CMD_ENABLE); + if (err) + psmouse_warn(psmouse, "failed to reactivate mouse on %s: %d\n", + psmouse->ps2dev.serio->phys, err); + } + if (elantech_set_absolute_mode(psmouse)) { psmouse_err(psmouse, "failed to put touchpad back into absolute mode.\n"); -- 2.43.0

7 months, 4 weeks

2
15
0 0

[PATCH 08/12] drm/v3d: Validate passed in drm syncobj handles in the performance extension

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> If userspace provides an unknown or invalid handle anywhere in the handle array the rest of the driver will not handle that well. Fix it by checking handle was looked up successfuly or otherwise fail the extension by jumping into the existing unwind. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job" Cc: Maíra Canal <mcanal(a)igalia.com> Cc: Iago Toral Quiroga <itoral(a)igalia.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/v3d/v3d_submit.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index a408db3d3e32..2c4bb39c9ac6 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -714,6 +714,10 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv, } qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); + if (!qinfo->queries[i].syncobj) { + err = -ENOENT; + goto error; + } } qinfo->count = reset.count; qinfo->nperfmons = reset.nperfmons; @@ -795,6 +799,10 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv, } qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); + if (!qinfo->queries[i].syncobj) { + err = -ENOENT; + goto error; + } } qinfo->count = copy.count; qinfo->nperfmons = copy.nperfmons; -- 2.44.0

7 months, 4 weeks

1
0
0 0

[PATCH 07/12] drm/v3d: Validate passed in drm syncobj handles in the timestamp extension

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> If userspace provides an unknown or invalid handle anywhere in the handle array the rest of the driver will not handle that well. Fix it by checking handle was looked up successfuly or otherwise fail the extension by jumping into the existing unwind. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job") Cc: Maíra Canal <mcanal(a)igalia.com> Cc: Iago Toral Quiroga <itoral(a)igalia.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/v3d/v3d_submit.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index 81afcfccc6bb..a408db3d3e32 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -499,6 +499,10 @@ v3d_get_cpu_timestamp_query_params(struct drm_file *file_priv, } qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); + if (!qinfo->queries[i].syncobj) { + err = -ENOENT; + goto error; + } } qinfo->count = timestamp.count; @@ -554,6 +558,10 @@ v3d_get_cpu_reset_timestamp_params(struct drm_file *file_priv, } qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); + if (!qinfo->queries[i].syncobj) { + err = -ENOENT; + goto error; + } } qinfo->count = reset.count; @@ -619,6 +627,10 @@ v3d_get_cpu_copy_query_results_params(struct drm_file *file_priv, } qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); + if (!qinfo->queries[i].syncobj) { + err = -ENOENT; + goto error; + } } qinfo->count = copy.count; -- 2.44.0

7 months, 4 weeks

1
0
0 0

[PATCH 06/12] drm/v3d: Fix potential memory leak in the performance extension

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> If fetching of userspace memory fails during the main loop, all drm sync objs looked up until that point will be leaked because of the missing drm_syncobj_put. Fix it by exporting and using a common cleanup helper. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job" Cc: Maíra Canal <mcanal(a)igalia.com> Cc: Iago Toral Quiroga <itoral(a)igalia.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/v3d/v3d_drv.h | 2 ++ drivers/gpu/drm/v3d/v3d_sched.c | 22 ++++++++++++----- drivers/gpu/drm/v3d/v3d_submit.c | 42 ++++++++++++++++++++------------ 3 files changed, 44 insertions(+), 22 deletions(-) diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h index 95651c3c926f..38c80168da51 100644 --- a/drivers/gpu/drm/v3d/v3d_drv.h +++ b/drivers/gpu/drm/v3d/v3d_drv.h @@ -565,6 +565,8 @@ void v3d_mmu_remove_ptes(struct v3d_bo *bo); /* v3d_sched.c */ void __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo, unsigned int count); +void __v3d_performance_query_info_free(struct v3d_performance_query_info *qinfo, + unsigned int count); void v3d_job_update_stats(struct v3d_job *job, enum v3d_queue queue); int v3d_sched_init(struct v3d_dev *v3d); void v3d_sched_fini(struct v3d_dev *v3d); diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c index e45d3ddc6f82..173801aa54ee 100644 --- a/drivers/gpu/drm/v3d/v3d_sched.c +++ b/drivers/gpu/drm/v3d/v3d_sched.c @@ -87,20 +87,30 @@ __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo, } } +void +__v3d_performance_query_info_free(struct v3d_performance_query_info *qinfo, + unsigned int count) +{ + if (qinfo->queries) { + unsigned int i; + + for (i = 0; i < count; i++) + drm_syncobj_put(qinfo->queries[i].syncobj); + + kvfree(qinfo->queries); + } +} + static void v3d_cpu_job_free(struct drm_sched_job *sched_job) { struct v3d_cpu_job *job = to_cpu_job(sched_job); - struct v3d_performance_query_info *performance_query = &job->performance_query; __v3d_timestamp_query_info_free(&job->timestamp_query, job->timestamp_query.count); - if (performance_query->queries) { - for (int i = 0; i < performance_query->count; i++) - drm_syncobj_put(performance_query->queries[i].syncobj); - kvfree(performance_query->queries); - } + __v3d_performance_query_info_free(&job->performance_query, + job->performance_query.count); v3d_job_cleanup(&job->base); } diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index 0f1c900c7d35..81afcfccc6bb 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -645,6 +645,7 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv, struct drm_v3d_reset_performance_query reset; struct v3d_performance_query_info *qinfo = &job->performance_query; unsigned int i, j; + int err; if (!job) { DRM_DEBUG("CPU job extension was attached to a GPU job.\n"); @@ -680,32 +681,36 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv, u32 id; if (get_user(sync, syncs++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } - qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); - if (get_user(ids, kperfmon_ids++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } ids_pointer = u64_to_user_ptr(ids); for (j = 0; j < reset.nperfmons; j++) { if (get_user(id, ids_pointer++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } qinfo->queries[i].kperfmon_ids[j] = id; } + + qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); } qinfo->count = reset.count; qinfo->nperfmons = reset.nperfmons; return 0; + +error: + __v3d_performance_query_info_free(qinfo, i); + return err; } static int @@ -718,6 +723,7 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv, struct drm_v3d_copy_performance_query copy; struct v3d_performance_query_info *qinfo = &job->performance_query; unsigned int i, j; + int err; if (!job) { DRM_DEBUG("CPU job extension was attached to a GPU job.\n"); @@ -756,27 +762,27 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv, u32 id; if (get_user(sync, syncs++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } - qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); - if (get_user(ids, kperfmon_ids++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } ids_pointer = u64_to_user_ptr(ids); for (j = 0; j < copy.nperfmons; j++) { if (get_user(id, ids_pointer++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } qinfo->queries[i].kperfmon_ids[j] = id; } + + qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); } qinfo->count = copy.count; qinfo->nperfmons = copy.nperfmons; @@ -789,6 +795,10 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv, job->copy.stride = copy.stride; return 0; + +error: + __v3d_performance_query_info_free(qinfo, i); + return err; } /* Whenever userspace sets ioctl extensions, v3d_get_extensions parses data -- 2.44.0

7 months, 4 weeks

1
0
0 0

[PATCH 05/12] drm/v3d: Fix potential memory leak in the timestamp extension

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> If fetching of userspace memory fails during the main loop, all drm sync objs looked up until that point will be leaked because of the missing drm_syncobj_put. Fix it by exporting and using a common cleanup helper. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job") Cc: Maíra Canal <mcanal(a)igalia.com> Cc: Iago Toral Quiroga <itoral(a)igalia.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/v3d/v3d_drv.h | 2 ++ drivers/gpu/drm/v3d/v3d_sched.c | 22 ++++++++++++++------ drivers/gpu/drm/v3d/v3d_submit.c | 35 +++++++++++++++++++++++--------- 3 files changed, 43 insertions(+), 16 deletions(-) diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h index 099b962bdfde..95651c3c926f 100644 --- a/drivers/gpu/drm/v3d/v3d_drv.h +++ b/drivers/gpu/drm/v3d/v3d_drv.h @@ -563,6 +563,8 @@ void v3d_mmu_insert_ptes(struct v3d_bo *bo); void v3d_mmu_remove_ptes(struct v3d_bo *bo); /* v3d_sched.c */ +void __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo, + unsigned int count); void v3d_job_update_stats(struct v3d_job *job, enum v3d_queue queue); int v3d_sched_init(struct v3d_dev *v3d); void v3d_sched_fini(struct v3d_dev *v3d); diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c index 03df37a3acf5..e45d3ddc6f82 100644 --- a/drivers/gpu/drm/v3d/v3d_sched.c +++ b/drivers/gpu/drm/v3d/v3d_sched.c @@ -73,18 +73,28 @@ v3d_sched_job_free(struct drm_sched_job *sched_job) v3d_job_cleanup(job); } +void +__v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo, + unsigned int count) +{ + if (qinfo->queries) { + unsigned int i; + + for (i = 0; i < count; i++) + drm_syncobj_put(qinfo->queries[i].syncobj); + + kvfree(qinfo->queries); + } +} + static void v3d_cpu_job_free(struct drm_sched_job *sched_job) { struct v3d_cpu_job *job = to_cpu_job(sched_job); - struct v3d_timestamp_query_info *timestamp_query = &job->timestamp_query; struct v3d_performance_query_info *performance_query = &job->performance_query; - if (timestamp_query->queries) { - for (int i = 0; i < timestamp_query->count; i++) - drm_syncobj_put(timestamp_query->queries[i].syncobj); - kvfree(timestamp_query->queries); - } + __v3d_timestamp_query_info_free(&job->timestamp_query, + job->timestamp_query.count); if (performance_query->queries) { for (int i = 0; i < performance_query->count; i++) diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index c960bc6ca32d..0f1c900c7d35 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -454,6 +454,7 @@ v3d_get_cpu_timestamp_query_params(struct drm_file *file_priv, struct drm_v3d_timestamp_query timestamp; struct v3d_timestamp_query_info *qinfo = &job->timestamp_query; unsigned int i; + int err; if (!job) { DRM_DEBUG("CPU job extension was attached to a GPU job.\n"); @@ -486,15 +487,15 @@ v3d_get_cpu_timestamp_query_params(struct drm_file *file_priv, u32 offset, sync; if (get_user(offset, offsets++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } qinfo->queries[i].offset = offset; if (get_user(sync, syncs++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); @@ -502,6 +503,10 @@ v3d_get_cpu_timestamp_query_params(struct drm_file *file_priv, qinfo->count = timestamp.count; return 0; + +error: + __v3d_timestamp_query_info_free(qinfo, i); + return err; } static int @@ -513,6 +518,7 @@ v3d_get_cpu_reset_timestamp_params(struct drm_file *file_priv, struct drm_v3d_reset_timestamp_query reset; struct v3d_timestamp_query_info *qinfo = &job->timestamp_query; unsigned int i; + int err; if (!job) { DRM_DEBUG("CPU job extension was attached to a GPU job.\n"); @@ -543,8 +549,8 @@ v3d_get_cpu_reset_timestamp_params(struct drm_file *file_priv, qinfo->queries[i].offset = reset.offset + 8 * i; if (get_user(sync, syncs++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); @@ -552,6 +558,10 @@ v3d_get_cpu_reset_timestamp_params(struct drm_file *file_priv, qinfo->count = reset.count; return 0; + +error: + __v3d_timestamp_query_info_free(qinfo, i); + return err; } /* Get data for the copy timestamp query results job submission. */ @@ -564,6 +574,7 @@ v3d_get_cpu_copy_query_results_params(struct drm_file *file_priv, struct drm_v3d_copy_timestamp_query copy; struct v3d_timestamp_query_info *qinfo = &job->timestamp_query; unsigned int i; + int err; if (!job) { DRM_DEBUG("CPU job extension was attached to a GPU job.\n"); @@ -596,15 +607,15 @@ v3d_get_cpu_copy_query_results_params(struct drm_file *file_priv, u32 offset, sync; if (get_user(offset, offsets++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } qinfo->queries[i].offset = offset; if (get_user(sync, syncs++)) { - kvfree(qinfo->queries); - return -EFAULT; + err = -EFAULT; + goto error; } qinfo->queries[i].syncobj = drm_syncobj_find(file_priv, sync); @@ -618,6 +629,10 @@ v3d_get_cpu_copy_query_results_params(struct drm_file *file_priv, job->copy.stride = copy.stride; return 0; + +error: + __v3d_timestamp_query_info_free(qinfo, i); + return err; } static int -- 2.44.0

7 months, 4 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2024