- Linux-stable-mirror - lists.linaro.org

[for-linus][PATCH 2/4] tracing: Add missing helper functions in event pointer dereference check

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The process_pointer() helper function looks to see if various trace event macros are used. These macros are for storing data in the event. This makes it safe to dereference as the dereference will then point into the event on the ring buffer where the content of the data stays with the event itself. A few helper functions were missing. Those were: __get_rel_dynamic_array() __get_dynamic_array_len() __get_rel_dynamic_array_len() __get_rel_sockaddr() Also add a helper function find_print_string() to not need to use a middle man variable to test if the string exists. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Al Viro <viro(a)ZenIV.linux.org.uk> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/20241217024720.521836792@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 14e160a5b905..df75c06bb23f 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -274,6 +274,15 @@ static bool test_field(const char *fmt, struct trace_event_call *call) return false; } +/* Look for a string within an argument */ +static bool find_print_string(const char *arg, const char *str, const char *end) +{ + const char *r; + + r = strstr(arg, str); + return r && r < end; +} + /* Return true if the argument pointer is safe */ static bool process_pointer(const char *fmt, int len, struct trace_event_call *call) { @@ -292,9 +301,17 @@ static bool process_pointer(const char *fmt, int len, struct trace_event_call *c a = strchr(fmt, '&'); if ((a && (a < r)) || test_field(r, call)) return true; - } else if ((r = strstr(fmt, "__get_dynamic_array(")) && r < e) { + } else if (find_print_string(fmt, "__get_dynamic_array(", e)) { + return true; + } else if (find_print_string(fmt, "__get_rel_dynamic_array(", e)) { + return true; + } else if (find_print_string(fmt, "__get_dynamic_array_len(", e)) { + return true; + } else if (find_print_string(fmt, "__get_rel_dynamic_array_len(", e)) { + return true; + } else if (find_print_string(fmt, "__get_sockaddr(", e)) { return true; - } else if ((r = strstr(fmt, "__get_sockaddr(")) && r < e) { + } else if (find_print_string(fmt, "__get_rel_sockaddr(", e)) { return true; } return false; -- 2.45.2

1 year

1
0
0 0

[for-linus][PATCH 1/4] tracing: Fix test_event_printk() to process entire print argument

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The test_event_printk() analyzes print formats of trace events looking for cases where it may dereference a pointer that is not in the ring buffer which can possibly be a bug when the trace event is read from the ring buffer and the content of that pointer no longer exists. The function needs to accurately go from one print format argument to the next. It handles quotes and parenthesis that may be included in an argument. When it finds the start of the next argument, it uses a simple "c = strstr(fmt + i, ',')" to find the end of that argument! In order to include "%s" dereferencing, it needs to process the entire content of the print format argument and not just the content of the first ',' it finds. As there may be content like: ({ const char *saved_ptr = trace_seq_buffer_ptr(p); static const char *access_str[] = { "---", "--x", "w--", "w-x", "-u-", "-ux", "wu-", "wux" }; union kvm_mmu_page_role role; role.word = REC->role; trace_seq_printf(p, "sp gen %u gfn %llx l%u %u-byte q%u%s %s%s" " %snxe %sad root %u %s%c", REC->mmu_valid_gen, REC->gfn, role.level, role.has_4_byte_gpte ? 4 : 8, role.quadrant, role.direct ? " direct" : "", access_str[role.access], role.invalid ? " invalid" : "", role.efer_nx ? "" : "!", role.ad_disabled ? "!" : "", REC->root_count, REC->unsync ? "unsync" : "sync", 0); saved_ptr; }) Which is an example of a full argument of an existing event. As the code already handles finding the next print format argument, process the argument at the end of it and not the start of it. This way it has both the start of the argument as well as the end of it. Add a helper function "process_pointer()" that will do the processing during the loop as well as at the end. It also makes the code cleaner and easier to read. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Al Viro <viro(a)ZenIV.linux.org.uk> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/20241217024720.362271189@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events.c | 82 ++++++++++++++++++++++++------------- 1 file changed, 53 insertions(+), 29 deletions(-) diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 77e68efbd43e..14e160a5b905 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -265,8 +265,7 @@ static bool test_field(const char *fmt, struct trace_event_call *call) len = p - fmt; for (; field->type; field++) { - if (strncmp(field->name, fmt, len) || - field->name[len]) + if (strncmp(field->name, fmt, len) || field->name[len]) continue; array_descriptor = strchr(field->type, '['); /* This is an array and is OK to dereference. */ @@ -275,6 +274,32 @@ static bool test_field(const char *fmt, struct trace_event_call *call) return false; } +/* Return true if the argument pointer is safe */ +static bool process_pointer(const char *fmt, int len, struct trace_event_call *call) +{ + const char *r, *e, *a; + + e = fmt + len; + + /* Find the REC-> in the argument */ + r = strstr(fmt, "REC->"); + if (r && r < e) { + /* + * Addresses of events on the buffer, or an array on the buffer is + * OK to dereference. There's ways to fool this, but + * this is to catch common mistakes, not malicious code. + */ + a = strchr(fmt, '&'); + if ((a && (a < r)) || test_field(r, call)) + return true; + } else if ((r = strstr(fmt, "__get_dynamic_array(")) && r < e) { + return true; + } else if ((r = strstr(fmt, "__get_sockaddr(")) && r < e) { + return true; + } + return false; +} + /* * Examine the print fmt of the event looking for unsafe dereference * pointers using %p* that could be recorded in the trace event and @@ -285,12 +310,12 @@ static void test_event_printk(struct trace_event_call *call) { u64 dereference_flags = 0; bool first = true; - const char *fmt, *c, *r, *a; + const char *fmt; int parens = 0; char in_quote = 0; int start_arg = 0; int arg = 0; - int i; + int i, e; fmt = call->print_fmt; @@ -403,42 +428,41 @@ static void test_event_printk(struct trace_event_call *call) case ',': if (in_quote || parens) continue; + e = i; i++; while (isspace(fmt[i])) i++; - start_arg = i; - if (!(dereference_flags & (1ULL << arg))) - goto next_arg; - /* Find the REC-> in the argument */ - c = strchr(fmt + i, ','); - r = strstr(fmt + i, "REC->"); - if (r && (!c || r < c)) { - /* - * Addresses of events on the buffer, - * or an array on the buffer is - * OK to dereference. - * There's ways to fool this, but - * this is to catch common mistakes, - * not malicious code. - */ - a = strchr(fmt + i, '&'); - if ((a && (a < r)) || test_field(r, call)) + /* + * If start_arg is zero, then this is the start of the + * first argument. The processing of the argument happens + * when the end of the argument is found, as it needs to + * handle paranthesis and such. + */ + if (!start_arg) { + start_arg = i; + /* Balance out the i++ in the for loop */ + i--; + continue; + } + + if (dereference_flags & (1ULL << arg)) { + if (process_pointer(fmt + start_arg, e - start_arg, call)) dereference_flags &= ~(1ULL << arg); - } else if ((r = strstr(fmt + i, "__get_dynamic_array(")) && - (!c || r < c)) { - dereference_flags &= ~(1ULL << arg); - } else if ((r = strstr(fmt + i, "__get_sockaddr(")) && - (!c || r < c)) { - dereference_flags &= ~(1ULL << arg); } - next_arg: - i--; + start_arg = i; arg++; + /* Balance out the i++ in the for loop */ + i--; } } + if (dereference_flags & (1ULL << arg)) { + if (process_pointer(fmt + start_arg, i - start_arg, call)) + dereference_flags &= ~(1ULL << arg); + } + /* * If you triggered the below warning, the trace event reported * uses an unsafe dereference pointer %p*. As the data stored -- 2.45.2

1 year

1
0
0 0

FAILED: patch "[PATCH] drm/i915: Fix memory leak by correcting cache object name in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2828e5808bcd5aae7fdcd169cac1efa2701fa2dd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024121518-unspoken-ladle-1d6a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2828e5808bcd5aae7fdcd169cac1efa2701fa2dd Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang <jiashengjiangcool(a)outlook.com> Date: Wed, 27 Nov 2024 20:10:42 +0000 Subject: [PATCH] drm/i915: Fix memory leak by correcting cache object name in error handler Replace "slab_priorities" with "slab_dependencies" in the error handler to avoid memory leak. Fixes: 32eb6bcfdda9 ("drm/i915: Make request allocation caches global") Cc: <stable(a)vger.kernel.org> # v5.2+ Signed-off-by: Jiasheng Jiang <jiashengjiangcool(a)outlook.com> Reviewed-by: Nirmoy Das <nirmoy.das(a)intel.com> Reviewed-by: Andi Shyti <andi.shyti(a)linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241127201042.29620-1-jiashe… (cherry picked from commit 9bc5e7dc694d3112bbf0fa4c46ef0fa0f114937a) Signed-off-by: Tvrtko Ursulin <tursulin(a)ursulin.net> diff --git a/drivers/gpu/drm/i915/i915_scheduler.c b/drivers/gpu/drm/i915/i915_scheduler.c index 762127dd56c5..70a854557e6e 100644 --- a/drivers/gpu/drm/i915/i915_scheduler.c +++ b/drivers/gpu/drm/i915/i915_scheduler.c @@ -506,6 +506,6 @@ int __init i915_scheduler_module_init(void) return 0; err_priorities: - kmem_cache_destroy(slab_priorities); + kmem_cache_destroy(slab_dependencies); return -ENOMEM; }

1 year

3
2
0 0

6.12.4: System partially freezes with _swap_info_get: Unused swap offset entry

by Kai Krakow

Sorry for posting without subject. Added. Thanks. Am Mi., 18. Dez. 2024 um 01:57 Uhr schrieb Kai Krakow <kai(a)kaishome.de>: > > Hello! > > Running 6.12.4 on Gentoo, using zswap with zsmalloc. > > Since 6.12, I often experience the following error while > installing/compiling packages: > > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:11:58 jupiter kernel: Huh VM_FAULT_OOM leaked out to the #PF > handler. Retrying PF > Dez 16 03:12:03 jupiter kernel: pagefault_out_of_memory: 8645812 > callbacks suppressed > > Programs then slowly start to stop responding and the system won't > shut down cleanly. > > I'm starting to get backtraces after a while: > > Dez 16 03:58:17 jupiter kernel: ------------[ cut here ]------------ > Dez 16 03:58:17 jupiter kernel: WARNING: CPU: 5 PID: 5149 at > mm/swapfile.c:1566 free_swap_and_cache_nr+0xab/0x540 > Dez 16 03:58:17 jupiter kernel: Modules linked in: nfnetlink_queue > nf_conntrack_netlink ip6t_REJECT nf_reject_ipv6 ip6table_nat > ip6table_filter xt_nat ipt_REJECT nf_reject_ipv4 xt_NFQUEUE xt_mark > xt_connmark iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 > nf_defrag_ipv4 iptable_filter ip6table_mangle ip6_tables > iptable_mangle xt_DSCP xt_tcpudp ip_tables x_tables rfcomm > snd_hrtimer> > Dez 16 03:58:17 jupiter kernel: gpu_sched drm_gpuvm drm_exec i915 > drm_buddy drm_display_helper ttm nvidia_uvm(PO) nvidia_modeset(PO) > nvidia(PO) lm92 efivarfs > Dez 16 03:58:17 jupiter kernel: CPU: 5 UID: 1000 PID: 5149 Comm: > QXcbEventQueue Tainted: P O 6.12.4-gentoo-r1 #1 > Dez 16 03:58:17 jupiter kernel: Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE > Dez 16 03:58:17 jupiter kernel: Hardware name: ASRock Z690 Pro RS/Z690 > Pro RS, BIOS 18.02 01/04/2024 > Dez 16 03:58:17 jupiter kernel: RIP: 0010:free_swap_and_cache_nr+0xab/0x540 > Dez 16 03:58:17 jupiter kernel: Code: 31 ed 4c 89 7c 24 10 49 89 dc 48 > ba 00 00 00 00 00 00 00 fc 48 89 5c 24 18 45 89 ef 48 21 d1 44 88 4c > 24 26 48 89 0c 24 eb 1c <0f> 0b 41 83 c7 01 49 83 c4 01 45 39 fe 0f 8e > dd 00 00 00 48 8b 45 > Dez 16 03:58:17 jupiter kernel: RSP: 0018:ffffb2bcc984bac8 EFLAGS: 00010246 > Dez 16 03:58:17 jupiter kernel: RAX: 0000000000000000 RBX: > 00000000002c1603 RCX: 0000000000000000 > Dez 16 03:58:17 jupiter kernel: RDX: fc00000000000000 RSI: > 0000000000000001 RDI: ffff8e093c170f00 > Dez 16 03:58:17 jupiter kernel: RBP: ffff8e084a8bec00 R08: > 0000000000000008 R09: 0000000000000000 > Dez 16 03:58:17 jupiter kernel: R10: ffffd68059365ec0 R11: > 0000000000000000 R12: 00000000002c1603 > Dez 16 03:58:17 jupiter kernel: R13: 0000000000000000 R14: > 0000000000000001 R15: 0000000000000000 > Dez 16 03:58:17 jupiter kernel: FS: 0000000000000000(0000) > GS:ffff8e0f6f340000(0000) knlGS:0000000000000000 > Dez 16 03:58:17 jupiter kernel: CS: 0010 DS: 0000 ES: 0000 CR0: > 0000000080050033 > Dez 16 03:58:17 jupiter kernel: CR2: 0000188c00a50000 CR3: > 00000007db42b000 CR4: 0000000000f52ef0 > Dez 16 03:58:17 jupiter kernel: PKRU: 55555554 > Dez 16 03:58:17 jupiter kernel: Call Trace: > Dez 16 03:58:17 jupiter kernel: <TASK> > Dez 16 03:58:17 jupiter kernel: ? __warn.cold+0x90/0x9e > Dez 16 03:58:17 jupiter kernel: ? free_swap_and_cache_nr+0xab/0x540 > Dez 16 03:58:17 jupiter kernel: ? report_bug+0xf6/0x140 > Dez 16 03:58:17 jupiter kernel: ? handle_bug+0x4f/0x90 > Dez 16 03:58:17 jupiter kernel: ? exc_invalid_op+0x17/0x60 > Dez 16 03:58:17 jupiter kernel: ? asm_exc_invalid_op+0x1a/0x20 > Dez 16 03:58:17 jupiter kernel: ? free_swap_and_cache_nr+0xab/0x540 > Dez 16 03:58:17 jupiter kernel: ? free_swap_and_cache_nr+0x2c/0x540 > Dez 16 03:58:17 jupiter kernel: ? swap_pte_batch+0xdc/0x1f0 > Dez 16 03:58:17 jupiter kernel: unmap_page_range+0xa18/0x16b0 > Dez 16 03:58:17 jupiter kernel: unmap_vmas+0xb7/0x170 > Dez 16 03:58:17 jupiter kernel: exit_mmap+0xfb/0x280 > Dez 16 03:58:17 jupiter kernel: __mmput+0x35/0x120 > Dez 16 03:58:17 jupiter kernel: do_exit+0x255/0x930 > Dez 16 03:58:17 jupiter kernel: do_group_exit+0x2b/0x80 > Dez 16 03:58:17 jupiter kernel: get_signal+0x774/0x7b0 > Dez 16 03:58:17 jupiter kernel: arch_do_signal_or_restart+0x29/0x230 > Dez 16 03:58:17 jupiter kernel: syscall_exit_to_user_mode+0x7b/0xf0 > Dez 16 03:58:17 jupiter kernel: do_syscall_64+0x57/0x100 > Dez 16 03:58:17 jupiter kernel: entry_SYSCALL_64_after_hwframe+0x4b/0x53 > Dez 16 03:58:17 jupiter kernel: RIP: 0033:0x564111720e3f > Dez 16 03:58:17 jupiter kernel: Code: Unable to access opcode bytes at > 0x564111720e15. > Dez 16 03:58:17 jupiter kernel: RSP: 002b:000056410b1fda00 EFLAGS: > 00000293 ORIG_RAX: 0000000000000007 > Dez 16 03:58:17 jupiter kernel: RAX: fffffffffffffdfc RBX: > 0000564131839600 RCX: 0000564111720e3f > Dez 16 03:58:17 jupiter kernel: RDX: 00000000ffffffff RSI: > 0000000000000001 RDI: 000056410b1fda48 > Dez 16 03:58:17 jupiter kernel: RBP: 000056410b1fdb20 R08: > 0000000000000000 R09: 0000000000000081 > Dez 16 03:58:17 jupiter kernel: R10: 0000000000000000 R11: > 0000000000000293 R12: 000056410b1fda48 > Dez 16 03:58:17 jupiter kernel: R13: 0000000000000000 R14: > 0000000000000000 R15: 0000564131839618 > Dez 16 03:58:17 jupiter kernel: </TASK> > Dez 16 03:58:17 jupiter kernel: ---[ end trace 0000000000000000 ]--- > Dez 16 03:58:17 jupiter kernel: BUG: Bad rss-counter state > mm:00000000bf899335 type:MM_ANONPAGES val:1 > Dez 16 03:58:17 jupiter kernel: BUG: Bad rss-counter state > mm:00000000bf899335 type:MM_SHMEMPAGES val:-1 > Dez 16 03:58:17 jupiter kernel: BUG: Bad page cache in process > QXcbEventQueue pfn:81fdec > Dez 16 03:58:17 jupiter kernel: page: refcount:3 mapcount:1 > mapping:00000000e6a99870 index:0x10 pfn:0x81fdec > Dez 16 03:58:17 jupiter kernel: memcg:ffff8e09819f9000 > Dez 16 03:58:17 jupiter kernel: aops:0xffffffffbb027a60 ino:20c5 > Dez 16 03:58:17 jupiter kernel: flags: > 0xa00000000002002d(locked|referenced|uptodate|lru|swapbacked|zone=2) > Dez 16 03:58:17 jupiter kernel: raw: a00000000002002d ffffd680607facc8 > ffffd6806075c308 ffff8e0805f5e0b8 > Dez 16 03:58:17 jupiter kernel: raw: 0000000000000010 0000000000000000 > 0000000300000000 ffff8e09819f9000 > Dez 16 03:58:17 jupiter kernel: page dumped because: still mapped when deleted > > When trying to kill processes with sysrq or via kill command, those > processes usually get stuck in state D and I get the following errors > in dmesg: > > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 002c16ee > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 002c16c0 > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 002c16c1 > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 002c1760 > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 40000000004ce36 > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 40000000004ce1d > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 40000000004ce52 > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 40000000004ced8 > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 40000000004ced9 > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 40000000004cec4 > Dez 16 20:40:12 jupiter kernel: _swap_info_get: Unused swap offset > entry 40000000004cec3 > > The system can then only be rebooted with alt+sysrq+b. > > Regards, > Kai

1 year

1
0
0 0

FAILED: patch "[PATCH] drm/i915: Fix memory leak by correcting cache object name in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2828e5808bcd5aae7fdcd169cac1efa2701fa2dd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024121517-deserve-wharf-c2d0@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2828e5808bcd5aae7fdcd169cac1efa2701fa2dd Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang <jiashengjiangcool(a)outlook.com> Date: Wed, 27 Nov 2024 20:10:42 +0000 Subject: [PATCH] drm/i915: Fix memory leak by correcting cache object name in error handler Replace "slab_priorities" with "slab_dependencies" in the error handler to avoid memory leak. Fixes: 32eb6bcfdda9 ("drm/i915: Make request allocation caches global") Cc: <stable(a)vger.kernel.org> # v5.2+ Signed-off-by: Jiasheng Jiang <jiashengjiangcool(a)outlook.com> Reviewed-by: Nirmoy Das <nirmoy.das(a)intel.com> Reviewed-by: Andi Shyti <andi.shyti(a)linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241127201042.29620-1-jiashe… (cherry picked from commit 9bc5e7dc694d3112bbf0fa4c46ef0fa0f114937a) Signed-off-by: Tvrtko Ursulin <tursulin(a)ursulin.net> diff --git a/drivers/gpu/drm/i915/i915_scheduler.c b/drivers/gpu/drm/i915/i915_scheduler.c index 762127dd56c5..70a854557e6e 100644 --- a/drivers/gpu/drm/i915/i915_scheduler.c +++ b/drivers/gpu/drm/i915/i915_scheduler.c @@ -506,6 +506,6 @@ int __init i915_scheduler_module_init(void) return 0; err_priorities: - kmem_cache_destroy(slab_priorities); + kmem_cache_destroy(slab_dependencies); return -ENOMEM; }

1 year

5
6
0 0

+ fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit Date: Tue, 17 Dec 2024 20:50:00 +0100 Entries (including flags) are u64, even on 32bit. So right now we are cutting of the flags on 32bit. This way, for example the cow selftest complains about: # ./cow ... Bail Out! read and ioctl return unmatched results for populated: 0 1 Link: https://lkml.kernel.org/r/20241217195000.1734039-1-david@redhat.com Fixes: 2c1f057e5be6 ("fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped THPs") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit +++ a/fs/proc/task_mmu.c @@ -1810,7 +1810,7 @@ static int pagemap_pmd_range(pmd_t *pmdp } for (; addr != end; addr += PAGE_SIZE, idx++) { - unsigned long cur_flags = flags; + u64 cur_flags = flags; pagemap_entry_t pme; if (folio && (flags & PM_PRESENT) && _ Patches currently in -mm which might be from david(a)redhat.com are mm-page_alloc-dont-call-pfn_to_page-on-possibly-non-existent-pfn-in-split_large_buddy.patch fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit.patch docs-tmpfs-update-the-large-folios-policy-for-tmpfs-and-shmem.patch mm-memory_hotplug-move-debug_pagealloc_map_pages-into-online_pages_range.patch mm-page_isolation-dont-pass-gfp-flags-to-isolate_single_pageblock.patch mm-page_isolation-dont-pass-gfp-flags-to-start_isolate_page_range.patch mm-page_alloc-make-__alloc_contig_migrate_range-static.patch mm-page_alloc-sort-out-the-alloc_contig_range-gfp-flags-mess.patch mm-page_alloc-forward-the-gfp-flags-from-alloc_contig_range-to-post_alloc_hook.patch powernv-memtrace-use-__gfp_zero-with-alloc_contig_pages.patch mm-hugetlb-dont-map-folios-writable-without-vm_write-when-copying-during-fork.patch fs-proc-vmcore-convert-vmcore_cb_lock-into-vmcore_mutex.patch fs-proc-vmcore-replace-vmcoredd_mutex-by-vmcore_mutex.patch fs-proc-vmcore-disallow-vmcore-modifications-while-the-vmcore-is-open.patch fs-proc-vmcore-prefix-all-pr_-with-vmcore.patch fs-proc-vmcore-move-vmcore-definitions-out-of-kcoreh.patch fs-proc-vmcore-factor-out-allocating-a-vmcore-range-and-adding-it-to-a-list.patch fs-proc-vmcore-factor-out-freeing-a-list-of-vmcore-ranges.patch fs-proc-vmcore-introduce-proc_vmcore_device_ram-to-detect-device-ram-ranges-in-2nd-kernel.patch virtio-mem-mark-device-ready-before-registering-callbacks-in-kdump-mode.patch virtio-mem-remember-usable-region-size.patch virtio-mem-support-config_proc_vmcore_device_ram.patch s390-kdump-virtio-mem-kdump-support-config_proc_vmcore_device_ram.patch mm-page_alloc-dont-use-__gfp_hardwall-when-migrating-pages-via-alloc_contig.patch mm-memory_hotplug-dont-use-__gfp_hardwall-when-migrating-pages-via-memory-offlining.patch

1 year

1
0
0 0

[PATCH 1/5] clk: mediatek: mt2701-vdec: fix conversion to mtk_clk_simple_probe

by Daniel Golle

Commit 973d1607d936 ("clk: mediatek: mt2701: use mtk_clk_simple_probe to simplify driver") broke DT bindings as the highest index was reduced by 1 because the id count starts from 1 and not from 0. Fix this, like for other drivers which had the same issue, by adding a dummy clk at index 0. Fixes: 973d1607d936 ("clk: mediatek: mt2701: use mtk_clk_simple_probe to simplify driver") Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Golle <daniel(a)makrotopia.org> --- drivers/clk/mediatek/clk-mt2701-vdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/clk/mediatek/clk-mt2701-vdec.c b/drivers/clk/mediatek/clk-mt2701-vdec.c index 94db86f8d0a4..5299d92f3aba 100644 --- a/drivers/clk/mediatek/clk-mt2701-vdec.c +++ b/drivers/clk/mediatek/clk-mt2701-vdec.c @@ -31,6 +31,7 @@ static const struct mtk_gate_regs vdec1_cg_regs = { GATE_MTK(_id, _name, _parent, &vdec1_cg_regs, _shift, &mtk_clk_gate_ops_setclr_inv) static const struct mtk_gate vdec_clks[] = { + GATE_DUMMY(CLK_DUMMY, "vdec_dummy"), GATE_VDEC0(CLK_VDEC_CKGEN, "vdec_cken", "vdec_sel", 0), GATE_VDEC1(CLK_VDEC_LARB, "vdec_larb_cken", "mm_sel", 0), }; -- 2.47.1

1 year

3
14
0 0

[PATCH v1] fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit

by David Hildenbrand

Entries (including flags) are u64, even on 32bit. So right now we are cutting of the flags on 32bit. This way, for example the cow selftest complains about: # ./cow ... Bail Out! read and ioctl return unmatched results for populated: 0 1 Fixes: 2c1f057e5be6 ("fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped THPs") Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- fs/proc/task_mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 38a5a3e9cba20..f02cd362309a0 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -1810,7 +1810,7 @@ static int pagemap_pmd_range(pmd_t *pmdp, unsigned long addr, unsigned long end, } for (; addr != end; addr += PAGE_SIZE, idx++) { - unsigned long cur_flags = flags; + u64 cur_flags = flags; pagemap_entry_t pme; if (folio && (flags & PM_PRESENT) && -- 2.47.1

1 year

1
0
0 0

[PATCH AUTOSEL 5.15 01/13] PCI: Add ACS quirk for Broadcom BCM5760X NIC

by Sasha Levin

From: Ajit Khaparde <ajit.khaparde(a)broadcom.com> [ Upstream commit 524e057b2d66b61f9b63b6db30467ab7b0bb4796 ] The Broadcom BCM5760X NIC may be a multi-function device. While it does not advertise an ACS capability, peer-to-peer transactions are not possible between the individual functions. So it is ok to treat them as fully isolated. Add an ACS quirk for this device so the functions can be in independent IOMMU groups and attached individually to userspace applications using VFIO. [kwilczynski: commit log] Link: https://lore.kernel.org/linux-pci/20240510204228.73435-1-ajit.khaparde@broa… Signed-off-by: Ajit Khaparde <ajit.khaparde(a)broadcom.com> Signed-off-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Reviewed-by: Andy Gospodarek <gospo(a)broadcom.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/pci/quirks.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index 4d4267105cd2b..842e8fecf0a9a 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -4971,6 +4971,10 @@ static const struct pci_dev_acs_enabled { { PCI_VENDOR_ID_BROADCOM, 0x1750, pci_quirk_mf_endpoint_acs }, { PCI_VENDOR_ID_BROADCOM, 0x1751, pci_quirk_mf_endpoint_acs }, { PCI_VENDOR_ID_BROADCOM, 0x1752, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0x1760, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0x1761, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0x1762, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0x1763, pci_quirk_mf_endpoint_acs }, { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs }, /* Amazon Annapurna Labs */ { PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs }, -- 2.43.0

1 year

2
14
0 0

+ maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: maple_tree: fix mas_alloc_cyclic() second search has been added to the -mm mm-hotfixes-unstable branch. Its filename is maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Liam R. Howlett" <Liam.Howlett(a)Oracle.com> Subject: maple_tree: fix mas_alloc_cyclic() second search Date: Mon, 16 Dec 2024 14:01:12 -0500 The first search may leave the maple state in an error state. Reset the maple state before the second search so that the search has a chance of executing correctly after an exhausted first search. Link: https://lore.kernel.org/all/20241216060600.287B4C4CED0@smtp.kernel.org/ Link: https://lkml.kernel.org/r/20241216190113.1226145-2-Liam.Howlett@oracle.com Fixes: 9b6713cc7522 ("maple_tree: Add mtree_alloc_cyclic()") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Reviewed-by: Yang Erkun <yangerkun(a)huawei.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Chuck Lever <chuck.lever(a)oracle.com> says: Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/maple_tree.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/lib/maple_tree.c~maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix +++ a/lib/maple_tree.c @@ -4346,7 +4346,6 @@ int mas_alloc_cyclic(struct ma_state *ma { unsigned long min = range_lo; int ret = 0; - struct ma_state m = *mas; range_lo = max(min, *next); ret = mas_empty_area(mas, range_lo, range_hi, 1); @@ -4355,7 +4354,7 @@ int mas_alloc_cyclic(struct ma_state *ma ret = 1; } if (ret < 0 && range_lo > min) { - *mas = m; + mas_reset(mas); ret = mas_empty_area(mas, min, range_hi, 1); if (ret == 0) ret = 1; _ Patches currently in -mm which might be from Liam.Howlett(a)Oracle.com are maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix.patch test_maple_tree-test-exhausted-upper-limit-of-mtree_alloc_cyclic.patch

1 year

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror