- Linux-stable-mirror - lists.linaro.org

[PATCH 2/8] drm/sched: Always wake up correct scheduler in drm_sched_entity_push_job

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Since drm_sched_entity_modify_sched() can modify the entities run queue, lets make sure to only dereference the pointer once so both adding and waking up are guaranteed to be consistent. Alternative of moving the spin_unlock to after the wake up would for now be more problematic since the same lock is taken inside drm_sched_rq_update_fifo(). v2: * Improve commit message. (Philipp) * Cache the scheduler pointer directly. (Christian) Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: b37aced31eb0 ("drm/scheduler: implement a function to modify sched list") Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Luben Tuikov <ltuikov89(a)gmail.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: David Airlie <airlied(a)gmail.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: Philipp Stanner <pstanner(a)redhat.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.7+ Reviewed-by: Christian König <christian.koenig(a)amd.com> --- drivers/gpu/drm/scheduler/sched_entity.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index 0e002c17fcb6..a75eede8bf8d 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -599,6 +599,9 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) /* first job wakes up scheduler */ if (first) { + struct drm_gpu_scheduler *sched; + struct drm_sched_rq *rq; + /* Add the entity to the run queue */ spin_lock(&entity->rq_lock); if (entity->stopped) { @@ -608,13 +611,16 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) return; } - drm_sched_rq_add_entity(entity->rq, entity); + rq = entity->rq; + sched = rq->sched; + + drm_sched_rq_add_entity(rq, entity); spin_unlock(&entity->rq_lock); if (drm_sched_policy == DRM_SCHED_POLICY_FIFO) drm_sched_rq_update_fifo(entity, submit_ts); - drm_sched_wakeup(entity->rq->sched); + drm_sched_wakeup(sched); } } EXPORT_SYMBOL(drm_sched_entity_push_job); -- 2.46.0

11 months, 3 weeks

3
4
0 0

[PATCH] firmware/sysfb: Disable sysfb for firmware buffers with unknown parent

by Thomas Zimmermann

The sysfb framebuffer handling only operates on graphics devices that provide the system's firmware framebuffer. If that device is not known, assume that any graphics device has been initialized by firmware. Fixes a problem on i915 where sysfb does not release the firmware framebuffer after the native graphics driver loaded. Reported-by: Borah, Chaitanya Kumar <chaitanya.kumar.borah(a)intel.com> Closes: https://lore.kernel.org/dri-devel/SJ1PR11MB6129EFB8CE63D1EF6D932F94B96F2@SJ… Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12160 Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: b49420d6a1ae ("video/aperture: optionally match the device in sysfb_disable()") Cc: Javier Martinez Canillas <javierm(a)redhat.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Helge Deller <deller(a)gmx.de> Cc: Sam Ravnborg <sam(a)ravnborg.org> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: dri-devel(a)lists.freedesktop.org Cc: Linux regression tracking (Thorsten Leemhuis) <regressions(a)leemhuis.info> Cc: <stable(a)vger.kernel.org> # v6.11+ --- drivers/firmware/sysfb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c index 02a07d3d0d40..a3df782fa687 100644 --- a/drivers/firmware/sysfb.c +++ b/drivers/firmware/sysfb.c @@ -67,9 +67,11 @@ static bool sysfb_unregister(void) void sysfb_disable(struct device *dev) { struct screen_info *si = &screen_info; + struct device *parent; mutex_lock(&disable_lock); - if (!dev || dev == sysfb_parent_dev(si)) { + parent = sysfb_parent_dev(si); + if (!dev || !parent || dev == parent) { sysfb_unregister(); disabled = true; } -- 2.46.0

11 months, 3 weeks

3
2
0 0

[PATCH] drm: Add check for encoder in intel_get_crtc_new_encoder()

by George Rurikov

If the video card driver could not find the connector assigned to the current video controller, or if the hardware status has changed so that a pre-existing connector is no longer active, none of the state connectors will meet the assignment criteria for the current crtc video controller. In the drm_WARN function, encoder->base.dev is called, so '&encoder->base.dev' will be dereferenced since encoder will still be initialized NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e12d6218fda2 ("drm/i915: Reduce bigjoiner special casing") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/gpu/drm/i915/display/intel_display.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c index b4ef4d59da1a..1f25b12e5f67 100644 --- a/drivers/gpu/drm/i915/display/intel_display.c +++ b/drivers/gpu/drm/i915/display/intel_display.c @@ -819,9 +819,11 @@ intel_get_crtc_new_encoder(const struct intel_atomic_state *state, num_encoders++; } - drm_WARN(state->base.dev, num_encoders != 1, + if (encoder) { + drm_WARN(state->base.dev, num_encoders != 1, "%d encoders for pipe %c\n", num_encoders, pipe_name(primary_crtc->pipe)); + } return encoder; } -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

11 months, 3 weeks

2
2
0 0

[PATCH 6.1 0/1] f2fs: convert to MAX_SBI_FLAG instead of 32 in stat_show()

by Nikita Zhandarovich

This patch addresses an open issue of buffer overflow in f2fs function stat_show(). On the off chance that si->sbi->s_flag had one of its bits (on the higher end) set to 1, for_each_set_bit() will loop more than s_flag[] can afford, leading in turn to erroneous array access. The issue in question has been fixed in commit 5bb9c111cd98 ("f2fs: convert to MAX_SBI_FLAG instead of 32 in stat_show()") and cherry-picked for 6.1 stable branch. Modified patch can now be cleanly applied to linux-6.1.y. All of the changes made to the patch in order to adapt it are described at the end of commit message in [PATCH 6.1 1/1] f2fs: convert to MAX_SBI_FLAG instead of 32 in stat_show().

11 months, 3 weeks

1
1
0 0

[PATCH] drm/vc4: Fix atomicity violation in vc4_crtc_send_vblank()

by Qiu-ji Chen

Atomicity violation occurs when the vc4_crtc_send_vblank function is executed simultaneously with modifications to crtc->state or crtc->state->event. Consider a scenario where both crtc->state and crtc->state->event are non-null. They can pass the validity check, but at the same time, crtc->state or crtc->state->event could be set to null. In this case, the validity check in vc4_crtc_send_vblank might act on the old crtc->state and crtc->state->event (before locking), allowing invalid values to pass the validity check, leading to null pointer dereference. To address this issue, it is recommended to include the validity check of crtc->state and crtc->state->event within the locking section of the function. This modification ensures that the values of crtc->state->event and crtc->state do not change during the validation process, maintaining their valid conditions. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 68e4a69aec4d ("drm/vc4: crtc: Create vblank reporting function") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/gpu/drm/vc4/vc4_crtc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c index 8b5a7e5eb146..98885f519827 100644 --- a/drivers/gpu/drm/vc4/vc4_crtc.c +++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -575,10 +575,12 @@ void vc4_crtc_send_vblank(struct drm_crtc *crtc) struct drm_device *dev = crtc->dev; unsigned long flags; - if (!crtc->state || !crtc->state->event) + spin_lock_irqsave(&dev->event_lock, flags); + if (!crtc->state || !crtc->state->event) { + spin_unlock_irqrestore(&dev->event_lock, flags); return; + } - spin_lock_irqsave(&dev->event_lock, flags); drm_crtc_send_vblank_event(crtc, crtc->state->event); crtc->state->event = NULL; spin_unlock_irqrestore(&dev->event_lock, flags); -- 2.34.1

11 months, 3 weeks

2
2
0 0

[PATCH] nvme: rdma: Add check for queue in nvmet_rdma_cm_handler()

by George Rurikov

After having been assigned to a NULL value at rdma.c:1758, pointer 'queue' is passed as 1st parameter in call to function 'nvmet_rdma_queue_established' at rdma.c:1773, as 1st parameter in call to function 'nvmet_rdma_queue_disconnect' at rdma.c:1787 and as 2nd parameter in call to function 'nvmet_rdma_queue_connect_fail' at rdma.c:1800, where it is dereferenced. I understand, that driver is confident that the RDMA_CM_EVENT_CONNECT_REQUEST event will occur first and perform initialization, but maliciously prepared hardware could send events in violation of the protocol. Nothing guarantees that the sequence of events will start with RDMA_CM_EVENT_CONNECT_REQUEST. Found by Linux Verification Center (linuxtesting.org) with SVACE Fixes: e1a2ee249b19 ("nvmet-rdma: Fix use after free in nvmet_rdma_cm_handler()") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/nvme/target/rdma.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c index 1b6264fa5803..becebc95f349 100644 --- a/drivers/nvme/target/rdma.c +++ b/drivers/nvme/target/rdma.c @@ -1770,8 +1770,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, ret = nvmet_rdma_queue_connect(cm_id, event); break; case RDMA_CM_EVENT_ESTABLISHED: - nvmet_rdma_queue_established(queue); - break; + if (!queue) { + nvmet_rdma_queue_established(queue); + break; + } case RDMA_CM_EVENT_ADDR_CHANGE: if (!queue) { struct nvmet_rdma_port *port = cm_id->context; @@ -1782,8 +1784,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, fallthrough; case RDMA_CM_EVENT_DISCONNECTED: case RDMA_CM_EVENT_TIMEWAIT_EXIT: - nvmet_rdma_queue_disconnect(queue); - break; + if (!queue) { + nvmet_rdma_queue_disconnect(queue); + break; + } case RDMA_CM_EVENT_DEVICE_REMOVAL: ret = nvmet_rdma_device_removal(cm_id, queue); break; @@ -1793,8 +1797,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, fallthrough; case RDMA_CM_EVENT_UNREACHABLE: case RDMA_CM_EVENT_CONNECT_ERROR: - nvmet_rdma_queue_connect_fail(cm_id, queue); - break; + if (!queue) { + nvmet_rdma_queue_connect_fail(cm_id, queue); + break; + } default: pr_err("received unrecognized RDMA CM event %d\n", event->event); -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

11 months, 3 weeks

1
0
0 0

[PATCH 2/2] clk: samsung: Fixes PLL locktime for PLL142XX used on FSD platfom

by Varada Pavani

Add PLL locktime for PLL142XX controller. Fixes: 4f346005aaed ("clk: samsung: fsd: Add initial clock support") Cc: stable(a)vger.kernel.org Signed-off-by: Varada Pavani <v.pavani(a)samsung.com> --- drivers/clk/samsung/clk-pll.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/clk/samsung/clk-pll.c b/drivers/clk/samsung/clk-pll.c index 4be879ab917e..d4c5ae20de4f 100644 --- a/drivers/clk/samsung/clk-pll.c +++ b/drivers/clk/samsung/clk-pll.c @@ -206,6 +206,7 @@ static const struct clk_ops samsung_pll3000_clk_ops = { */ /* Maximum lock time can be 270 * PDIV cycles */ #define PLL35XX_LOCK_FACTOR (270) +#define PLL142XX_LOCK_FACTOR (150) #define PLL35XX_MDIV_MASK (0x3FF) #define PLL35XX_PDIV_MASK (0x3F) @@ -272,7 +273,11 @@ static int samsung_pll35xx_set_rate(struct clk_hw *hw, unsigned long drate, } /* Set PLL lock time. */ - writel_relaxed(rate->pdiv * PLL35XX_LOCK_FACTOR, + if (pll->type == pll_142xx) + writel_relaxed(rate->pdiv * PLL142XX_LOCK_FACTOR, + pll->lock_reg); + else + writel_relaxed(rate->pdiv * PLL35XX_LOCK_FACTOR, pll->lock_reg); /* Change PLL PMS values */ -- 2.17.1

11 months, 3 weeks

1
0
0 0

[PATCH] drm: Add check for encoder in intel_get_crtc_new_encoder()

by George Rurikov

If the video card driver could not find the connector assigned to the current video controller, or if the hardware status has changed so that a pre-existing connector is no longer active, none of the state connectors will meet the assignment criteria for the current crtc video controller. In the drm_WARN function, encoder->base.dev is called, so '&encoder->base.dev' will be dereferenced since encoder will still be initialized NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e12d6218fda2 ("drm/i915: Reduce bigjoiner special casing") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/gpu/drm/i915/display/intel_display.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c index b4ef4d59da1a..1f25b12e5f67 100644 --- a/drivers/gpu/drm/i915/display/intel_display.c +++ b/drivers/gpu/drm/i915/display/intel_display.c @@ -819,9 +819,11 @@ intel_get_crtc_new_encoder(const struct intel_atomic_state *state, num_encoders++; } - drm_WARN(state->base.dev, num_encoders != 1, + if (encoder) { + drm_WARN(state->base.dev, num_encoders != 1, "%d encoders for pipe %c\n", num_encoders, pipe_name(primary_crtc->pipe)); + } return encoder; } -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

11 months, 3 weeks

1
0
0 0

[PATCH] drm: Add check for encoder in intel_get_crtc_new_encoder()

by George Rurikov

If the video card driver could not find the connector assigned to the current video controller, or if the hardware status has changed so that a pre-existing connector is no longer active, none of the state connectors will meet the assignment criteria for the current crtc video controller. In the drm_WARN function, encoder->base.dev is called, so '&encoder->base.dev' will be dereferenced since encoder will still be initialized NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e12d6218fda2 ("drm/i915: Reduce bigjoiner special casing") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/gpu/drm/i915/display/intel_display.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c index b4ef4d59da1a..a5e24d64f909 100644 --- a/drivers/gpu/drm/i915/display/intel_display.c +++ b/drivers/gpu/drm/i915/display/intel_display.c @@ -819,9 +819,10 @@ intel_get_crtc_new_encoder(const struct intel_atomic_state *state, num_encoders++; } - drm_WARN(state->base.dev, num_encoders != 1, - "%d encoders for pipe %c\n", - num_encoders, pipe_name(primary_crtc->pipe)); + if (encoder) + drm_WARN(state->base.dev, num_encoders != 1, + "%d encoders for pipe %c\n", + num_encoders, pipe_name(primary_crtc->pipe)); return encoder; } -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

11 months, 3 weeks

1
0
0 0

[PATCH 3/8] drm/sched: Always increment correct scheduler score

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Entities run queue can change during drm_sched_entity_push_job() so make sure to update the score consistently. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: d41a39dda140 ("drm/scheduler: improve job distribution with multiple queues") Cc: Nirmoy Das <nirmoy.das(a)amd.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Luben Tuikov <ltuikov89(a)gmail.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: David Airlie <airlied(a)gmail.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.9+ Reviewed-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Nirmoy Das <nirmoy.das(a)intel.com> --- drivers/gpu/drm/scheduler/sched_entity.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index a75eede8bf8d..b2cf3e0c1838 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -586,7 +586,6 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) ktime_t submit_ts; trace_drm_sched_job(sched_job, entity); - atomic_inc(entity->rq->sched->score); WRITE_ONCE(entity->last_user, current->group_leader); /* @@ -614,6 +613,7 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) rq = entity->rq; sched = rq->sched; + atomic_inc(sched->score); drm_sched_rq_add_entity(rq, entity); spin_unlock(&entity->rq_lock); -- 2.46.0

11 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror