June 2025 - Linux-stable-mirror

[merged mm-stable] mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: fix uprobe pte be overwritten when expanding vma has been removed from the -mm tree. Its filename was mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Pu Lehui <pulehui(a)huawei.com> Subject: mm: fix uprobe pte be overwritten when expanding vma Date: Thu, 29 May 2025 15:56:47 +0000 Patch series "Fix uprobe pte be overwritten when expanding vma". This patch (of 4): We encountered a BUG alert triggered by Syzkaller as follows: BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1 And we can reproduce it with the following steps: 1. register uprobe on file at zero offset 2. mmap the file at zero offset: addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0); 3. mremap part of vma1 to new vma2: addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE); 4. mremap back to orig addr1: mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1); In step 3, the vma1 range [addr1, addr1 + 4096] will be remap to new vma2 with range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1 to vma2, then unmap the vma1 range [addr1, addr1 + 4096]. In step 4, the vma2 range [addr2, addr2 + 4096] will be remap back to the addr range [addr1, addr1 + 4096]. Since the addr range [addr1 + 4096, addr1 + 8192] still maps the file, it will take vma_merge_new_range to expand the range, and then do uprobe_mmap in vma_complete. Since the merged vma pgoff is also zero offset, it will install uprobe anon page to the merged vma. However, the upcomming move_page_tables step, which use set_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite the newly uprobe pte in the merged vma, and lead that pte to be orphan. Since the uprobe pte will be remapped to the merged vma, we can remove the unnecessary uprobe_mmap upon merged vma. This problem was first found in linux-6.6.y and also exists in the community syzkaller: https://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/ Link: https://lkml.kernel.org/r/20250529155650.4017699-1-pulehui@huaweicloud.com Link: https://lkml.kernel.org/r/20250529155650.4017699-2-pulehui@huaweicloud.com Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints") Signed-off-by: Pu Lehui <pulehui(a)huawei.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vma.c | 20 +++++++++++++++++--- mm/vma.h | 7 +++++++ 2 files changed, 24 insertions(+), 3 deletions(-) --- a/mm/vma.c~mm-fix-uprobe-pte-be-overwritten-when-expanding-vma +++ a/mm/vma.c @@ -169,6 +169,9 @@ static void init_multi_vma_prep(struct v vp->file = vma->vm_file; if (vp->file) vp->mapping = vma->vm_file->f_mapping; + + if (vmg && vmg->skip_vma_uprobe) + vp->skip_vma_uprobe = true; } /* @@ -358,10 +361,13 @@ static void vma_complete(struct vma_prep if (vp->file) { i_mmap_unlock_write(vp->mapping); - uprobe_mmap(vp->vma); - if (vp->adj_next) - uprobe_mmap(vp->adj_next); + if (!vp->skip_vma_uprobe) { + uprobe_mmap(vp->vma); + + if (vp->adj_next) + uprobe_mmap(vp->adj_next); + } } if (vp->remove) { @@ -1823,6 +1829,14 @@ struct vm_area_struct *copy_vma(struct v faulted_in_anon_vma = false; } + /* + * If the VMA we are copying might contain a uprobe PTE, ensure + * that we do not establish one upon merge. Otherwise, when mremap() + * moves page tables, it will orphan the newly created PTE. + */ + if (vma->vm_file) + vmg.skip_vma_uprobe = true; + new_vma = find_vma_prev(mm, addr, &vmg.prev); if (new_vma && new_vma->vm_start < addr + len) return NULL; /* should never get here */ --- a/mm/vma.h~mm-fix-uprobe-pte-be-overwritten-when-expanding-vma +++ a/mm/vma.h @@ -19,6 +19,8 @@ struct vma_prepare { struct vm_area_struct *insert; struct vm_area_struct *remove; struct vm_area_struct *remove2; + + bool skip_vma_uprobe :1; }; struct unlink_vma_file_batch { @@ -120,6 +122,11 @@ struct vma_merge_struct { */ bool give_up_on_oom :1; + /* + * If set, skip uprobe_mmap upon merged vma. + */ + bool skip_vma_uprobe :1; + /* Internal flags set during merge process: */ /* _ Patches currently in -mm which might be from pulehui(a)huawei.com are

2 months, 2 weeks

1
0
0 0

[PATCH 0/3] (no cover subject)

by Bjorn Andersson

Signed-off-by: Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> --- Bjorn Andersson (3): soc: qcom: mdt_loader: Ensure we don't read past the ELF header soc: qcom: mdt_loader: Rename mdt_phdr_valid() soc: qcom: mdt_loader: Actually use the e_phoff drivers/soc/qcom/mdt_loader.c | 57 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 47 insertions(+), 10 deletions(-) --- base-commit: a0bea9e39035edc56a994630e6048c8a191a99d8 change-id: 20250604-mdt-loader-validation-and-fixes-5c3267f5b19f Best regards, -- Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com>

2 months, 2 weeks

4
4
0 0

[PATCH] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()

by Gui-Dong Han

In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock. Multiple interrupt invocations can race, with each reading buf_len before it becomes full and then proceeding. This can lead to both interrupts attempting to write to the buffer, incrementing buf_len beyond its capacity (DATA_SIZE) and causing a buffer overflow. Fix this bug by moving the spin_lock() to before the buffer full check. This ensures that the check and the subsequent buffer modification are performed atomically, preventing the race condition. An corresponding spin_unlock() is added to the overflow path to correctly release the lock. This possible bug was found by an experimental static analysis tool developed by our team. Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> --- drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c index ee870ea1a886..6f8d6797c614 100644 --- a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c +++ b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c @@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct serio *serio, unsigned char data, { struct rain *rain = serio_get_drvdata(serio); + spin_lock(&rain->buf_lock); if (rain->buf_len == DATA_SIZE) { + spin_unlock(&rain->buf_lock); dev_warn_once(rain->dev, "buffer overflow\n"); return IRQ_HANDLED; } - spin_lock(&rain->buf_lock); rain->buf_len++; rain->buf[rain->buf_wr_idx] = data; rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff; -- 2.25.1

2 months, 2 weeks

1
0
0 0

[PATCH 6.12 1/1] PCI/ASPM: Disable L1 before disabling L1 PM Substates

by Macpaul Lin

From: Ajay Agarwal <ajayagarwal(a)google.com> [ Upstream commit 7447990137bf06b2aeecad9c6081e01a9f47f2aa ] PCIe r6.2, sec 5.5.4, requires that: If setting either or both of the enable bits for ASPM L1 PM Substates, both ports must be configured as described in this section while ASPM L1 is disabled. Previously, pcie_config_aspm_l1ss() assumed that "setting enable bits" meant "setting them to 1", and it configured L1SS as follows: - Clear L1SS enable bits - Disable L1 - Configure L1SS enable bits as required - Enable L1 if required With this sequence, when disabling L1SS on an ARM A-core with a Synopsys DesignWare PCIe core, the CPU occasionally hangs when reading PCI_L1SS_CTL1, leading to a reboot when the CPU watchdog expires. Move the L1 disable to the caller (pcie_config_aspm_link(), where L1 was already enabled) so L1 is always disabled while updating the L1SS bits: - Disable L1 - Clear L1SS enable bits - Configure L1SS enable bits as required - Enable L1 if required Change pcie_aspm_cap_init() similarly. Link: https://lore.kernel.org/r/20241007032917.872262-1-ajayagarwal@google.com Signed-off-by: Ajay Agarwal <ajayagarwal(a)google.com> [bhelgaas: comments, commit log, compute L1SS setting before config access] Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Tested-by: Johnny-CC Chang <Johnny-CC.Chang(a)mediatek.com> Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> --- drivers/pci/pcie/aspm.c | 92 ++++++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 42 deletions(-) diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c index cee2365e54b8..e943691bc931 100644 --- a/drivers/pci/pcie/aspm.c +++ b/drivers/pci/pcie/aspm.c @@ -805,6 +805,15 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) pcie_capability_read_word(parent, PCI_EXP_LNKCTL, &parent_lnkctl); pcie_capability_read_word(child, PCI_EXP_LNKCTL, &child_lnkctl); + /* Disable L0s/L1 before updating L1SS config */ + if (FIELD_GET(PCI_EXP_LNKCTL_ASPMC, child_lnkctl) || + FIELD_GET(PCI_EXP_LNKCTL_ASPMC, parent_lnkctl)) { + pcie_capability_write_word(child, PCI_EXP_LNKCTL, + child_lnkctl & ~PCI_EXP_LNKCTL_ASPMC); + pcie_capability_write_word(parent, PCI_EXP_LNKCTL, + parent_lnkctl & ~PCI_EXP_LNKCTL_ASPMC); + } + /* * Setup L0s state * @@ -829,6 +838,13 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) aspm_l1ss_init(link); + /* Restore L0s/L1 if they were enabled */ + if (FIELD_GET(PCI_EXP_LNKCTL_ASPMC, child_lnkctl) || + FIELD_GET(PCI_EXP_LNKCTL_ASPMC, parent_lnkctl)) { + pcie_capability_write_word(parent, PCI_EXP_LNKCTL, parent_lnkctl); + pcie_capability_write_word(child, PCI_EXP_LNKCTL, child_lnkctl); + } + /* Save default state */ link->aspm_default = link->aspm_enabled; @@ -845,25 +861,28 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) } } -/* Configure the ASPM L1 substates */ +/* Configure the ASPM L1 substates. Caller must disable L1 first. */ static void pcie_config_aspm_l1ss(struct pcie_link_state *link, u32 state) { - u32 val, enable_req; + u32 val; struct pci_dev *child = link->downstream, *parent = link->pdev; - enable_req = (link->aspm_enabled ^ state) & state; + val = 0; + if (state & PCIE_LINK_STATE_L1_1) + val |= PCI_L1SS_CTL1_ASPM_L1_1; + if (state & PCIE_LINK_STATE_L1_2) + val |= PCI_L1SS_CTL1_ASPM_L1_2; + if (state & PCIE_LINK_STATE_L1_1_PCIPM) + val |= PCI_L1SS_CTL1_PCIPM_L1_1; + if (state & PCIE_LINK_STATE_L1_2_PCIPM) + val |= PCI_L1SS_CTL1_PCIPM_L1_2; /* - * Here are the rules specified in the PCIe spec for enabling L1SS: - * - When enabling L1.x, enable bit at parent first, then at child - * - When disabling L1.x, disable bit at child first, then at parent - * - When enabling ASPM L1.x, need to disable L1 - * (at child followed by parent). - * - The ASPM/PCIPM L1.2 must be disabled while programming timing + * PCIe r6.2, sec 5.5.4, rules for enabling L1 PM Substates: + * - Clear L1.x enable bits at child first, then at parent + * - Set L1.x enable bits at parent first, then at child + * - ASPM/PCIPM L1.2 must be disabled while programming timing * parameters - * - * To keep it simple, disable all L1SS bits first, and later enable - * what is needed. */ /* Disable all L1 substates */ @@ -871,26 +890,6 @@ static void pcie_config_aspm_l1ss(struct pcie_link_state *link, u32 state) PCI_L1SS_CTL1_L1SS_MASK, 0); pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, PCI_L1SS_CTL1_L1SS_MASK, 0); - /* - * If needed, disable L1, and it gets enabled later - * in pcie_config_aspm_link(). - */ - if (enable_req & (PCIE_LINK_STATE_L1_1 | PCIE_LINK_STATE_L1_2)) { - pcie_capability_clear_word(child, PCI_EXP_LNKCTL, - PCI_EXP_LNKCTL_ASPM_L1); - pcie_capability_clear_word(parent, PCI_EXP_LNKCTL, - PCI_EXP_LNKCTL_ASPM_L1); - } - - val = 0; - if (state & PCIE_LINK_STATE_L1_1) - val |= PCI_L1SS_CTL1_ASPM_L1_1; - if (state & PCIE_LINK_STATE_L1_2) - val |= PCI_L1SS_CTL1_ASPM_L1_2; - if (state & PCIE_LINK_STATE_L1_1_PCIPM) - val |= PCI_L1SS_CTL1_PCIPM_L1_1; - if (state & PCIE_LINK_STATE_L1_2_PCIPM) - val |= PCI_L1SS_CTL1_PCIPM_L1_2; /* Enable what we need to enable */ pci_clear_and_set_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, @@ -937,21 +936,30 @@ static void pcie_config_aspm_link(struct pcie_link_state *link, u32 state) dwstream |= PCI_EXP_LNKCTL_ASPM_L1; } + /* + * Per PCIe r6.2, sec 5.5.4, setting either or both of the enable + * bits for ASPM L1 PM Substates must be done while ASPM L1 is + * disabled. Disable L1 here and apply new configuration after L1SS + * configuration has been completed. + * + * Per sec 7.5.3.7, when disabling ASPM L1, software must disable + * it in the Downstream component prior to disabling it in the + * Upstream component, and ASPM L1 must be enabled in the Upstream + * component prior to enabling it in the Downstream component. + * + * Sec 7.5.3.7 also recommends programming the same ASPM Control + * value for all functions of a multi-function device. + */ + list_for_each_entry(child, &linkbus->devices, bus_list) + pcie_config_aspm_dev(child, 0); + pcie_config_aspm_dev(parent, 0); + if (link->aspm_capable & PCIE_LINK_STATE_L1SS) pcie_config_aspm_l1ss(link, state); - /* - * Spec 2.0 suggests all functions should be configured the - * same setting for ASPM. Enabling ASPM L1 should be done in - * upstream component first and then downstream, and vice - * versa for disabling ASPM L1. Spec doesn't mention L0S. - */ - if (state & PCIE_LINK_STATE_L1) - pcie_config_aspm_dev(parent, upstream); + pcie_config_aspm_dev(parent, upstream); list_for_each_entry(child, &linkbus->devices, bus_list) pcie_config_aspm_dev(child, dwstream); - if (!(state & PCIE_LINK_STATE_L1)) - pcie_config_aspm_dev(parent, upstream); link->aspm_enabled = state; -- 2.45.2

2 months, 2 weeks

1
0
0 0

[PATCH 6.12.y] block: fix adding folio to bio

by alvalan9＠foxmail.com

From: Ming Lei <ming.lei(a)redhat.com> [ Upstream commit 26064d3e2b4d9a14df1072980e558c636fb023ea ] >4GB folio is possible on some ARCHs, such as aarch64, 16GB hugepage is supported, then 'offset' of folio can't be held in 'unsigned int', cause warning in bio_add_folio_nofail() and IO failure. Fix it by adjusting 'page' & trimming 'offset' so that `->bi_offset` won't be overflow, and folio can be added to bio successfully. Fixes: ed9832bc08db ("block: introduce folio awareness and add a bigger size from folio") Cc: Kundan Kumar <kundan.kumar(a)samsung.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Luis Chamberlain <mcgrof(a)kernel.org> Cc: Gavin Shan <gshan(a)redhat.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Reviewed-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Link: https://lore.kernel.org/r/20250312145136.2891229-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- The follow-up fix fbecd731de05 ("xfs: fix zoned GC data corruption due to wrong bv_offset") addresses issues in the file fs/xfs/xfs_zone_gc.c. This file was first introduced in version v6.15-rc1. So don't backport the follow up fix to 6.12.y. --- block/bio.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/block/bio.c b/block/bio.c index 20c74696bf23..094a5adf79d2 100644 --- a/block/bio.c +++ b/block/bio.c @@ -1156,9 +1156,10 @@ EXPORT_SYMBOL(bio_add_page); void bio_add_folio_nofail(struct bio *bio, struct folio *folio, size_t len, size_t off) { + unsigned long nr = off / PAGE_SIZE; + WARN_ON_ONCE(len > UINT_MAX); - WARN_ON_ONCE(off > UINT_MAX); - __bio_add_page(bio, &folio->page, len, off); + __bio_add_page(bio, folio_page(folio, nr), len, off % PAGE_SIZE); } EXPORT_SYMBOL_GPL(bio_add_folio_nofail); @@ -1179,9 +1180,11 @@ EXPORT_SYMBOL_GPL(bio_add_folio_nofail); bool bio_add_folio(struct bio *bio, struct folio *folio, size_t len, size_t off) { - if (len > UINT_MAX || off > UINT_MAX) + unsigned long nr = off / PAGE_SIZE; + + if (len > UINT_MAX) return false; - return bio_add_page(bio, &folio->page, len, off) > 0; + return bio_add_page(bio, folio_page(folio, nr), len, off % PAGE_SIZE) > 0; } EXPORT_SYMBOL(bio_add_folio); -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v2 1/2] drm/nouveau/instmem/gk20a: fix overflow in IOVA calculation for iommu_map/unmap

by Alexey Nepomnyashih

Fix possible overflow in the address expression used as the second argument to iommu_map() and iommu_unmap(). Without an explicit cast, this expression may overflow when 'r->offset' or 'i' are large. Cast the result to unsigned long before shifting to ensure correct IOVA computation and prevent unintended wraparound. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org # v4.4+ Signed-off-by: Alexey Nepomnyashih <sdl(a)nppct.ru> --- drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c index 201022ae9214..17a0e1a46211 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c @@ -334,7 +334,7 @@ gk20a_instobj_dtor_iommu(struct nvkm_memory *memory) /* Unmap pages from GPU address space and free them */ for (i = 0; i < node->base.mn->length; i++) { iommu_unmap(imem->domain, - (r->offset + i) << imem->iommu_pgshift, PAGE_SIZE); + ((unsigned long)r->offset + i) << imem->iommu_pgshift, PAGE_SIZE); dma_unmap_page(dev, node->dma_addrs[i], PAGE_SIZE, DMA_BIDIRECTIONAL); __free_page(node->pages[i]); @@ -472,7 +472,7 @@ gk20a_instobj_ctor_iommu(struct gk20a_instmem *imem, u32 npages, u32 align, /* Map into GPU address space */ for (i = 0; i < npages; i++) { - u32 offset = (r->offset + i) << imem->iommu_pgshift; + unsigned long offset = ((unsigned long)r->offset + i) << imem->iommu_pgshift; ret = iommu_map(imem->domain, offset, node->dma_addrs[i], PAGE_SIZE, IOMMU_READ | IOMMU_WRITE, -- 2.43.0

2 months, 2 weeks

1
1
0 0

[PATCH 1/2] drm/nouveau/instmem/gk20a: fix overflow in IOVA calculation for iommu_map/unmap

by Alexey Nepomnyashih

Fix possible overflow in the address expression used as the second argument to iommu_map() and iommu_unmap(). Without an explicit cast, this expression may overflow when 'r->offset' or 'i' are large. Cast the result to unsigned long before shifting to ensure correct IOVA computation and prevent unintended wraparound. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org # v4.4+ Signed-off-by: Alexey Nepomnyashih <sdl(a)nppct.ru> --- drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c index 201022ae9214..17a0e1a46211 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c @@ -334,7 +334,7 @@ gk20a_instobj_dtor_iommu(struct nvkm_memory *memory) /* Unmap pages from GPU address space and free them */ for (i = 0; i < node->base.mn->length; i++) { iommu_unmap(imem->domain, - (r->offset + i) << imem->iommu_pgshift, PAGE_SIZE); + ((unsigned long)r->offset + i) << imem->iommu_pgshift, PAGE_SIZE); dma_unmap_page(dev, node->dma_addrs[i], PAGE_SIZE, DMA_BIDIRECTIONAL); __free_page(node->pages[i]); @@ -472,7 +472,7 @@ gk20a_instobj_ctor_iommu(struct gk20a_instmem *imem, u32 npages, u32 align, /* Map into GPU address space */ for (i = 0; i < npages; i++) { - u32 offset = (r->offset + i) << imem->iommu_pgshift; + unsigned long offset = ((unsigned long)r->offset + i) << imem->iommu_pgshift; ret = iommu_map(imem->domain, offset, node->dma_addrs[i], PAGE_SIZE, IOMMU_READ | IOMMU_WRITE, -- 2.43.0

2 months, 2 weeks

1
1
0 0

[PATCH v3 02/11] platform/x86/intel/pmt: crashlog binary file endpoint

by Michael J. Ruhl

Usage of the intel_pmt_read() for binary sysfs, requires an allocated endpoint struct. The crashlog driver does not allocate the endpoint. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Add the endpoint information to the crashlog driver to avoid the NULL pointer exception. Fixes: 416eeb2e1fc7 ("platform/x86/intel/pmt: telemetry: Export API to read telemetry") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmt/crashlog.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/platform/x86/intel/pmt/crashlog.c b/drivers/platform/x86/intel/pmt/crashlog.c index 6a9eb3c4b313..74ce199e59f0 100644 --- a/drivers/platform/x86/intel/pmt/crashlog.c +++ b/drivers/platform/x86/intel/pmt/crashlog.c @@ -252,6 +252,7 @@ static struct intel_pmt_namespace pmt_crashlog_ns = { .xa = &crashlog_array, .attr_grp = &pmt_crashlog_group, .pmt_header_decode = pmt_crashlog_header_decode, + .pmt_add_endpoint = intel_pmt_add_endpoint, }; /* @@ -262,8 +263,12 @@ static void pmt_crashlog_remove(struct auxiliary_device *auxdev) struct pmt_crashlog_priv *priv = auxiliary_get_drvdata(auxdev); int i; - for (i = 0; i < priv->num_entries; i++) - intel_pmt_dev_destroy(&priv->entry[i].entry, &pmt_crashlog_ns); + for (i = 0; i < priv->num_entries; i++) { + struct intel_pmt_entry *entry = &priv->entry[i].entry; + + intel_pmt_release_endpoint(entry->ep); + intel_pmt_dev_destroy(entry, &pmt_crashlog_ns); + } } static int pmt_crashlog_probe(struct auxiliary_device *auxdev, -- 2.49.0

2 months, 2 weeks

1
0
0 0

[PATCH v3 01/11] platform/x86/intel: refactor endpoint usage

by Michael J. Ruhl

The use of an endpoint has introduced a dependency in all class/pmt drivers to have an endpoint allocated. The telemetry driver has this allocation, the crashlog does not. The current usage is very telemetry focused, but should be common code. With this in mind: rename the struct telemetry_endpoint to struct class_endpoint, refactor the common endpoint code to be in the class.c module Fixes: 416eeb2e1fc7 ("platform/x86/intel/pmt: telemetry: Export API to read telemetry") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmc/core.c | 3 +- drivers/platform/x86/intel/pmc/core.h | 4 +- drivers/platform/x86/intel/pmc/core_ssram.c | 2 +- drivers/platform/x86/intel/pmt/class.c | 45 ++++++++++++++++++ drivers/platform/x86/intel/pmt/class.h | 21 +++++++-- drivers/platform/x86/intel/pmt/telemetry.c | 51 ++++----------------- drivers/platform/x86/intel/pmt/telemetry.h | 23 ++++------ 7 files changed, 84 insertions(+), 65 deletions(-) diff --git a/drivers/platform/x86/intel/pmc/core.c b/drivers/platform/x86/intel/pmc/core.c index 7a1d11f2914f..805f56665d1d 100644 --- a/drivers/platform/x86/intel/pmc/core.c +++ b/drivers/platform/x86/intel/pmc/core.c @@ -29,6 +29,7 @@ #include <asm/tsc.h> #include "core.h" +#include "../pmt/class.h" #include "../pmt/telemetry.h" /* Maximum number of modes supported by platfoms that has low power mode capability */ @@ -1198,7 +1199,7 @@ int get_primary_reg_base(struct pmc *pmc) void pmc_core_punit_pmt_init(struct pmc_dev *pmcdev, u32 guid) { - struct telem_endpoint *ep; + struct class_endpoint *ep; struct pci_dev *pcidev; pcidev = pci_get_domain_bus_and_slot(0, 0, PCI_DEVFN(10, 0)); diff --git a/drivers/platform/x86/intel/pmc/core.h b/drivers/platform/x86/intel/pmc/core.h index 945a1c440cca..1c12ea7c3ce3 100644 --- a/drivers/platform/x86/intel/pmc/core.h +++ b/drivers/platform/x86/intel/pmc/core.h @@ -16,7 +16,7 @@ #include <linux/bits.h> #include <linux/platform_device.h> -struct telem_endpoint; +struct class_endpoint; #define SLP_S0_RES_COUNTER_MASK GENMASK(31, 0) @@ -432,7 +432,7 @@ struct pmc_dev { bool has_die_c6; u32 die_c6_offset; - struct telem_endpoint *punit_ep; + struct class_endpoint *punit_ep; struct pmc_info *regmap_list; }; diff --git a/drivers/platform/x86/intel/pmc/core_ssram.c b/drivers/platform/x86/intel/pmc/core_ssram.c index 739569803017..3e670fc380a5 100644 --- a/drivers/platform/x86/intel/pmc/core_ssram.c +++ b/drivers/platform/x86/intel/pmc/core_ssram.c @@ -42,7 +42,7 @@ static u32 pmc_core_find_guid(struct pmc_info *list, const struct pmc_reg_map *m static int pmc_core_get_lpm_req(struct pmc_dev *pmcdev, struct pmc *pmc) { - struct telem_endpoint *ep; + struct class_endpoint *ep; const u8 *lpm_indices; int num_maps, mode_offset = 0; int ret, mode; diff --git a/drivers/platform/x86/intel/pmt/class.c b/drivers/platform/x86/intel/pmt/class.c index 7233b654bbad..bba552131bc2 100644 --- a/drivers/platform/x86/intel/pmt/class.c +++ b/drivers/platform/x86/intel/pmt/class.c @@ -76,6 +76,47 @@ int pmt_telem_read_mmio(struct pci_dev *pdev, struct pmt_callbacks *cb, u32 guid } EXPORT_SYMBOL_NS_GPL(pmt_telem_read_mmio, "INTEL_PMT"); +/* Called when all users unregister and the device is removed */ +static void pmt_class_ep_release(struct kref *kref) +{ + struct class_endpoint *ep; + + ep = container_of(kref, struct class_endpoint, kref); + kfree(ep); +} + +void intel_pmt_release_endpoint(struct class_endpoint *ep) +{ + kref_put(&ep->kref, pmt_class_ep_release); +} +EXPORT_SYMBOL_NS_GPL(intel_pmt_release_endpoint, "INTEL_PMT"); + +int intel_pmt_add_endpoint(struct intel_vsec_device *ivdev, + struct intel_pmt_entry *entry) +{ + struct class_endpoint *ep; + + ep = kzalloc(sizeof(*ep), GFP_KERNEL); + if (!ep) + return -ENOMEM; + + ep->pcidev = ivdev->pcidev; + ep->header.access_type = entry->header.access_type; + ep->header.guid = entry->header.guid; + ep->header.base_offset = entry->header.base_offset; + ep->header.size = entry->header.size; + ep->base = entry->base; + ep->present = true; + ep->cb = ivdev->priv_data; + + /* Endpoint lifetimes are managed by kref, not devres */ + kref_init(&ep->kref); + + entry->ep = ep; + + return 0; +} +EXPORT_SYMBOL_NS_GPL(intel_pmt_add_endpoint, "INTEL_PMT"); /* * sysfs */ @@ -97,6 +138,10 @@ intel_pmt_read(struct file *filp, struct kobject *kobj, if (count > entry->size - off) count = entry->size - off; + /* verify endpoint is available */ + if (!entry->ep) + return -ENODEV; + count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf, entry->base, off, count); diff --git a/drivers/platform/x86/intel/pmt/class.h b/drivers/platform/x86/intel/pmt/class.h index b2006d57779d..d2d8f9e31c9d 100644 --- a/drivers/platform/x86/intel/pmt/class.h +++ b/drivers/platform/x86/intel/pmt/class.h @@ -9,8 +9,6 @@ #include <linux/err.h> #include <linux/io.h> -#include "telemetry.h" - /* PMT access types */ #define ACCESS_BARID 2 #define ACCESS_LOCAL 3 @@ -19,11 +17,19 @@ #define GET_BIR(v) ((v) & GENMASK(2, 0)) #define GET_ADDRESS(v) ((v) & GENMASK(31, 3)) +struct kref; struct pci_dev; -struct telem_endpoint { +struct class_header { + u8 access_type; + u16 size; + u32 guid; + u32 base_offset; +}; + +struct class_endpoint { struct pci_dev *pcidev; - struct telem_header header; + struct class_header header; struct pmt_callbacks *cb; void __iomem *base; bool present; @@ -38,7 +44,7 @@ struct intel_pmt_header { }; struct intel_pmt_entry { - struct telem_endpoint *ep; + struct class_endpoint *ep; struct intel_pmt_header header; struct bin_attribute pmt_bin_attr; struct kobject *kobj; @@ -69,4 +75,9 @@ int intel_pmt_dev_create(struct intel_pmt_entry *entry, struct intel_vsec_device *dev, int idx); void intel_pmt_dev_destroy(struct intel_pmt_entry *entry, struct intel_pmt_namespace *ns); + +int intel_pmt_add_endpoint(struct intel_vsec_device *ivdev, + struct intel_pmt_entry *entry); +void intel_pmt_release_endpoint(struct class_endpoint *ep); + #endif diff --git a/drivers/platform/x86/intel/pmt/telemetry.c b/drivers/platform/x86/intel/pmt/telemetry.c index ac3a9bdf5601..27d09867e6a3 100644 --- a/drivers/platform/x86/intel/pmt/telemetry.c +++ b/drivers/platform/x86/intel/pmt/telemetry.c @@ -18,6 +18,7 @@ #include <linux/overflow.h> #include "class.h" +#include "telemetry.h" #define TELEM_SIZE_OFFSET 0x0 #define TELEM_GUID_OFFSET 0x4 @@ -93,48 +94,14 @@ static int pmt_telem_header_decode(struct intel_pmt_entry *entry, return 0; } -static int pmt_telem_add_endpoint(struct intel_vsec_device *ivdev, - struct intel_pmt_entry *entry) -{ - struct telem_endpoint *ep; - - /* Endpoint lifetimes are managed by kref, not devres */ - entry->ep = kzalloc(sizeof(*(entry->ep)), GFP_KERNEL); - if (!entry->ep) - return -ENOMEM; - - ep = entry->ep; - ep->pcidev = ivdev->pcidev; - ep->header.access_type = entry->header.access_type; - ep->header.guid = entry->header.guid; - ep->header.base_offset = entry->header.base_offset; - ep->header.size = entry->header.size; - ep->base = entry->base; - ep->present = true; - ep->cb = ivdev->priv_data; - - kref_init(&ep->kref); - - return 0; -} - static DEFINE_XARRAY_ALLOC(telem_array); static struct intel_pmt_namespace pmt_telem_ns = { .name = "telem", .xa = &telem_array, .pmt_header_decode = pmt_telem_header_decode, - .pmt_add_endpoint = pmt_telem_add_endpoint, + .pmt_add_endpoint = intel_pmt_add_endpoint, }; -/* Called when all users unregister and the device is removed */ -static void pmt_telem_ep_release(struct kref *kref) -{ - struct telem_endpoint *ep; - - ep = container_of(kref, struct telem_endpoint, kref); - kfree(ep); -} - unsigned long pmt_telem_get_next_endpoint(unsigned long start) { struct intel_pmt_entry *entry; @@ -155,7 +122,7 @@ unsigned long pmt_telem_get_next_endpoint(unsigned long start) } EXPORT_SYMBOL_NS_GPL(pmt_telem_get_next_endpoint, "INTEL_PMT_TELEMETRY"); -struct telem_endpoint *pmt_telem_register_endpoint(int devid) +struct class_endpoint *pmt_telem_register_endpoint(int devid) { struct intel_pmt_entry *entry; unsigned long index = devid; @@ -174,9 +141,9 @@ struct telem_endpoint *pmt_telem_register_endpoint(int devid) } EXPORT_SYMBOL_NS_GPL(pmt_telem_register_endpoint, "INTEL_PMT_TELEMETRY"); -void pmt_telem_unregister_endpoint(struct telem_endpoint *ep) +void pmt_telem_unregister_endpoint(struct class_endpoint *ep) { - kref_put(&ep->kref, pmt_telem_ep_release); + intel_pmt_release_endpoint(ep); } EXPORT_SYMBOL_NS_GPL(pmt_telem_unregister_endpoint, "INTEL_PMT_TELEMETRY"); @@ -206,7 +173,7 @@ int pmt_telem_get_endpoint_info(int devid, struct telem_endpoint_info *info) } EXPORT_SYMBOL_NS_GPL(pmt_telem_get_endpoint_info, "INTEL_PMT_TELEMETRY"); -int pmt_telem_read(struct telem_endpoint *ep, u32 id, u64 *data, u32 count) +int pmt_telem_read(struct class_endpoint *ep, u32 id, u64 *data, u32 count) { u32 offset, size; @@ -226,7 +193,7 @@ int pmt_telem_read(struct telem_endpoint *ep, u32 id, u64 *data, u32 count) } EXPORT_SYMBOL_NS_GPL(pmt_telem_read, "INTEL_PMT_TELEMETRY"); -int pmt_telem_read32(struct telem_endpoint *ep, u32 id, u32 *data, u32 count) +int pmt_telem_read32(struct class_endpoint *ep, u32 id, u32 *data, u32 count) { u32 offset, size; @@ -245,7 +212,7 @@ int pmt_telem_read32(struct telem_endpoint *ep, u32 id, u32 *data, u32 count) } EXPORT_SYMBOL_NS_GPL(pmt_telem_read32, "INTEL_PMT_TELEMETRY"); -struct telem_endpoint * +struct class_endpoint * pmt_telem_find_and_register_endpoint(struct pci_dev *pcidev, u32 guid, u16 pos) { int devid = 0; @@ -279,7 +246,7 @@ static void pmt_telem_remove(struct auxiliary_device *auxdev) for (i = 0; i < priv->num_entries; i++) { struct intel_pmt_entry *entry = &priv->entry[i]; - kref_put(&entry->ep->kref, pmt_telem_ep_release); + pmt_telem_unregister_endpoint(entry->ep); intel_pmt_dev_destroy(entry, &pmt_telem_ns); } mutex_unlock(&ep_lock); diff --git a/drivers/platform/x86/intel/pmt/telemetry.h b/drivers/platform/x86/intel/pmt/telemetry.h index d45af5512b4e..e987dd32a58a 100644 --- a/drivers/platform/x86/intel/pmt/telemetry.h +++ b/drivers/platform/x86/intel/pmt/telemetry.h @@ -2,6 +2,8 @@ #ifndef _TELEMETRY_H #define _TELEMETRY_H +#include "class.h" + /* Telemetry types */ #define PMT_TELEM_TELEMETRY 0 #define PMT_TELEM_CRASHLOG 1 @@ -9,16 +11,9 @@ struct telem_endpoint; struct pci_dev; -struct telem_header { - u8 access_type; - u16 size; - u32 guid; - u32 base_offset; -}; - struct telem_endpoint_info { struct pci_dev *pdev; - struct telem_header header; + struct class_header header; }; /** @@ -47,7 +42,7 @@ unsigned long pmt_telem_get_next_endpoint(unsigned long start); * * endpoint - On success returns pointer to the telemetry endpoint * * -ENXIO - telemetry endpoint not found */ -struct telem_endpoint *pmt_telem_register_endpoint(int devid); +struct class_endpoint *pmt_telem_register_endpoint(int devid); /** * pmt_telem_unregister_endpoint() - Unregister a telemetry endpoint @@ -55,7 +50,7 @@ struct telem_endpoint *pmt_telem_register_endpoint(int devid); * * Decrements the kref usage counter for the endpoint. */ -void pmt_telem_unregister_endpoint(struct telem_endpoint *ep); +void pmt_telem_unregister_endpoint(struct class_endpoint *ep); /** * pmt_telem_get_endpoint_info() - Get info for an endpoint from its devid @@ -80,8 +75,8 @@ int pmt_telem_get_endpoint_info(int devid, struct telem_endpoint_info *info); * * endpoint - On success returns pointer to the telemetry endpoint * * -ENXIO - telemetry endpoint not found */ -struct telem_endpoint *pmt_telem_find_and_register_endpoint(struct pci_dev *pcidev, - u32 guid, u16 pos); +struct class_endpoint *pmt_telem_find_and_register_endpoint(struct pci_dev *pcidev, + u32 guid, u16 pos); /** * pmt_telem_read() - Read qwords from counter sram using sample id @@ -101,7 +96,7 @@ struct telem_endpoint *pmt_telem_find_and_register_endpoint(struct pci_dev *pcid * * -EPIPE - The device was removed during the read. Data written * but should be considered invalid. */ -int pmt_telem_read(struct telem_endpoint *ep, u32 id, u64 *data, u32 count); +int pmt_telem_read(struct class_endpoint *ep, u32 id, u64 *data, u32 count); /** * pmt_telem_read32() - Read qwords from counter sram using sample id @@ -121,6 +116,6 @@ int pmt_telem_read(struct telem_endpoint *ep, u32 id, u64 *data, u32 count); * * -EPIPE - The device was removed during the read. Data written * but should be considered invalid. */ -int pmt_telem_read32(struct telem_endpoint *ep, u32 id, u32 *data, u32 count); +int pmt_telem_read32(struct class_endpoint *ep, u32 id, u32 *data, u32 count); #endif -- 2.49.0

2 months, 2 weeks

1
0
0 0

[PATCH v3 02/11] platform/x86/intel/pmt: crashlog binary file endpoint

by Michael J. Ruhl

Usage of the intel_pmt_read() for binary sysfs, requires an allocated endpoint struct. The crashlog driver does not allocate the endpoint. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Add the endpoint information to the crashlog driver to avoid the NULL pointer exception. Fixes: 416eeb2e1fc7 ("platform/x86/intel/pmt: telemetry: Export API to read telemetry") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmt/crashlog.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/platform/x86/intel/pmt/crashlog.c b/drivers/platform/x86/intel/pmt/crashlog.c index 6a9eb3c4b313..74ce199e59f0 100644 --- a/drivers/platform/x86/intel/pmt/crashlog.c +++ b/drivers/platform/x86/intel/pmt/crashlog.c @@ -252,6 +252,7 @@ static struct intel_pmt_namespace pmt_crashlog_ns = { .xa = &crashlog_array, .attr_grp = &pmt_crashlog_group, .pmt_header_decode = pmt_crashlog_header_decode, + .pmt_add_endpoint = intel_pmt_add_endpoint, }; /* @@ -262,8 +263,12 @@ static void pmt_crashlog_remove(struct auxiliary_device *auxdev) struct pmt_crashlog_priv *priv = auxiliary_get_drvdata(auxdev); int i; - for (i = 0; i < priv->num_entries; i++) - intel_pmt_dev_destroy(&priv->entry[i].entry, &pmt_crashlog_ns); + for (i = 0; i < priv->num_entries; i++) { + struct intel_pmt_entry *entry = &priv->entry[i].entry; + + intel_pmt_release_endpoint(entry->ep); + intel_pmt_dev_destroy(entry, &pmt_crashlog_ns); + } } static int pmt_crashlog_probe(struct auxiliary_device *auxdev, -- 2.49.0

2 months, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror June 2025