- Linaro-mm-sig - lists.linaro.org

Re: [PATCH] dmabuf: fix dmabuf file poll uaf issue

by Christian König

Am 15.04.24 um 12:35 schrieb zhiguojiang: > 在 2024/4/12 14:39, Christian König 写道: >> [Some people who received this message don't often get email from >> christian.koenig(a)amd.com. Learn why this is important at >> https://aka.ms/LearnAboutSenderIdentification ] >> >> Am 12.04.24 um 08:19 schrieb zhiguojiang: >>> [SNIP] >>> -> Here task 2220 do epoll again where internally it will get/put then >>> start to free twice and lead to final crash. >>> >>> Here is the basic flow: >>> >>> 1. Thread A install the dma_buf_fd via dma_buf_export, the fd refcount >>> is 1 >>> >>> 2. Thread A add the fd to epoll list via epoll_ctl(EPOLL_CTL_ADD) >>> >>> 3. After use the dma buf, Thread A close the fd, then here fd refcount >>> is 0, >>> and it will run __fput finally to release the file >> >> Stop, that isn't correct. >> >> The fs layer which calls dma_buf_poll() should make sure that the file >> can't go away until the function returns. >> >> Then inside dma_buf_poll() we add another reference to the file while >> installing the callback: >> >> /* Paired with fput in dma_buf_poll_cb */ >> get_file(dmabuf->file); > Hi, > > The problem may just occurred here. > > Is it possible file reference count already decreased to 0 and fput > already being in progressing just before calling > get_file(dmabuf->file) in dma_buf_poll()? No, exactly that isn't possible. If a function gets a dma_buf pointer or even more general any reference counted pointer which has already decreased to 0 then that is a major bug in the caller of that function. BTW: It's completely illegal to work around such issues by using file_count() or RCU functions. So when you suggest stuff like that it will immediately face rejection. Regards, Christian. > >> >> This reference is only dropped after the callback is completed in >> dma_buf_poll_cb(): >> >> /* Paired with get_file in dma_buf_poll */ >> fput(dmabuf->file); >> >> So your explanation for the issue just seems to be incorrect. >> >>> >>> 4. Here Thread A not do epoll_ctl(EPOLL_CTL_DEL) manunally, so it >>> still resides in one epoll_list. >>> Although __fput will call eventpoll_release to remove the file from >>> binded epoll list, >>> but it has small time window where Thread B jumps in. >> >> Well if that is really the case then that would then be a bug in >> epoll_ctl(). >> >>> >>> 5. During the small window, Thread B do the poll action for >>> dma_buf_fd, where it will fget/fput for the file, >>> this means the fd refcount will be 0 -> 1 -> 0, and it will call >>> __fput again. >>> This will lead to __fput twice for the same file. >>> >>> 6. So the potenial fix is use get_file_rcu which to check if file >>> refcount already zero which means under free. >>> If so, we just return and no need to do the dma_buf_poll. >> >> Well to say it bluntly as far as I can see this suggestion is completely >> nonsense. >> >> When the reference to the file goes away while dma_buf_poll() is >> executed then that's a massive bug in the caller of that function. >> >> Regards, >> Christian. >> >>> >>> Here is the race condition: >>> >>> Thread A Thread B >>> dma_buf_export >>> fd_refcount is 1 >>> epoll_ctl(EPOLL_ADD) >>> add dma_buf_fd to epoll list >>> close(dma_buf_fd) >>> fd_refcount is 0 >>> __fput >>> dma_buf_poll >>> fget >>> fput >>> fd_refcount is zero again >>> >>> Thanks >>> >> >

1 year, 8 months

1
0
0 0

Re: [PATCH v5 2/9] drm/mediatek: Add secure buffer control flow to mtk_drm_gem

by Maxime Ripard

On Wed, Apr 03, 2024 at 06:26:54PM +0800, Shawn Sung wrote: > From: "Jason-JH.Lin" <jason-jh.lin(a)mediatek.com> > > Add secure buffer control flow to mtk_drm_gem. > > When user space takes DRM_MTK_GEM_CREATE_ENCRYPTED flag and size > to create a mtk_drm_gem object, mtk_drm_gem will find a matched size > dma buffer from secure dma-heap and bind it to mtk_drm_gem object. > > Signed-off-by: Jason-JH.Lin <jason-jh.lin(a)mediatek.com> > Signed-off-by: Hsiao Chien Sung <shawn.sung(a)mediatek.com> > --- > drivers/gpu/drm/mediatek/mtk_gem.c | 85 +++++++++++++++++++++++++++++- > drivers/gpu/drm/mediatek/mtk_gem.h | 4 ++ > 2 files changed, 88 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/mediatek/mtk_gem.c b/drivers/gpu/drm/mediatek/mtk_gem.c > index e59e0727717b7..ec34d02c14377 100644 > --- a/drivers/gpu/drm/mediatek/mtk_gem.c > +++ b/drivers/gpu/drm/mediatek/mtk_gem.c > @@ -4,6 +4,8 @@ > */ > > #include <linux/dma-buf.h> > +#include <linux/dma-heap.h> > +#include <uapi/linux/dma-heap.h> > #include <drm/mediatek_drm.h> > > #include <drm/drm.h> > @@ -102,6 +104,81 @@ struct mtk_gem_obj *mtk_gem_create(struct drm_device *dev, > return ERR_PTR(ret); > } > > +struct mtk_gem_obj *mtk_gem_create_from_heap(struct drm_device *dev, > + const char *heap, size_t size) > +{ > + struct mtk_drm_private *priv = dev->dev_private; > + struct mtk_gem_obj *mtk_gem; > + struct drm_gem_object *obj; > + struct dma_heap *dma_heap; > + struct dma_buf *dma_buf; > + struct dma_buf_attachment *attach; > + struct sg_table *sgt; > + struct iosys_map map = {}; > + int ret; > + > + mtk_gem = mtk_gem_init(dev, size); > + if (IS_ERR(mtk_gem)) > + return ERR_CAST(mtk_gem); > + > + obj = &mtk_gem->base; > + > + dma_heap = dma_heap_find(heap); > + if (!dma_heap) { > + DRM_ERROR("heap find fail\n"); > + goto err_gem_free; > + } > + dma_buf = dma_heap_buffer_alloc(dma_heap, size, > + O_RDWR | O_CLOEXEC, DMA_HEAP_VALID_HEAP_FLAGS); > + if (IS_ERR(dma_buf)) { > + DRM_ERROR("buffer alloc fail\n"); > + dma_heap_put(dma_heap); > + goto err_gem_free; > + } > + dma_heap_put(dma_heap); > + > + attach = dma_buf_attach(dma_buf, priv->dma_dev); > + if (IS_ERR(attach)) { > + DRM_ERROR("attach fail, return\n"); > + dma_buf_put(dma_buf); > + goto err_gem_free; > + } > + > + sgt = dma_buf_map_attachment(attach, DMA_BIDIRECTIONAL); > + if (IS_ERR(sgt)) { > + DRM_ERROR("map failed, detach and return\n"); > + dma_buf_detach(dma_buf, attach); > + dma_buf_put(dma_buf); > + goto err_gem_free; > + } > + obj->import_attach = attach; > + mtk_gem->dma_addr = sg_dma_address(sgt->sgl); > + mtk_gem->sg = sgt; > + mtk_gem->size = dma_buf->size; > + > + if (!strcmp(heap, "mtk_svp") || !strcmp(heap, "mtk_svp_cma")) { > + /* secure buffer can not be mapped */ > + mtk_gem->secure = true; > + } else { > + ret = dma_buf_vmap(dma_buf, &map); > + mtk_gem->kvaddr = map.vaddr; > + if (ret) { > + DRM_ERROR("map failed, ret=%d\n", ret); > + dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL); > + dma_buf_detach(dma_buf, attach); > + dma_buf_put(dma_buf); > + mtk_gem->kvaddr = NULL; > + } > + } > + > + return mtk_gem; > + > +err_gem_free: > + drm_gem_object_release(obj); > + kfree(mtk_gem); > + return ERR_PTR(-ENOMEM); > +} > + > void mtk_gem_free_object(struct drm_gem_object *obj) > { > struct mtk_gem_obj *mtk_gem = to_mtk_gem_obj(obj); > @@ -229,7 +306,9 @@ struct drm_gem_object *mtk_gem_prime_import_sg_table(struct drm_device *dev, > if (IS_ERR(mtk_gem)) > return ERR_CAST(mtk_gem); > > + mtk_gem->secure = !sg_page(sg->sgl); > mtk_gem->dma_addr = sg_dma_address(sg->sgl); > + mtk_gem->size = attach->dmabuf->size; > mtk_gem->sg = sg; > > return &mtk_gem->base; > @@ -304,7 +383,11 @@ int mtk_gem_create_ioctl(struct drm_device *dev, void *data, > struct drm_mtk_gem_create *args = data; > int ret; > > - mtk_gem = mtk_gem_create(dev, args->size, false); > + if (args->flags & DRM_MTK_GEM_CREATE_ENCRYPTED) > + mtk_gem = mtk_gem_create_from_heap(dev, "mtk_svp_cma", args->size); That heap doesn't exist upstream either. Also, I'm wondering if it's the right solution there. From what I can tell, you want to allow to create encrypted buffers from the TEE. Why do we need this as a DRM ioctl at all? A heap seems like the perfect solution to do so, and then you just have to import it into DRM. I'm also not entirely sure that not having a SG list is enough to consider the buffer secure. Wouldn't a buffer allocated without a kernel mapping also be in that situation? Maxime

1 year, 8 months

1
0
0 0

Re: [PATCH v5 1/9] drm/mediatek/uapi: Add DRM_MTK_GEM_CREATE_ENCRYPTED flag

by Maxime Ripard

Hi, On Wed, Apr 03, 2024 at 06:26:53PM +0800, Shawn Sung wrote: > From: "Jason-JH.Lin" <jason-jh.lin(a)mediatek.com> > > Add DRM_MTK_GEM_CREATE_ENCRYPTED flag to allow user to allocate > a secure buffer to support secure video path feature. > > Signed-off-by: Jason-JH.Lin <jason-jh.lin(a)mediatek.com> > Signed-off-by: Hsiao Chien Sung <shawn.sung(a)mediatek.com> > --- > include/uapi/drm/mediatek_drm.h | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/include/uapi/drm/mediatek_drm.h b/include/uapi/drm/mediatek_drm.h > index b0dea00bacbc4..e9125de3a24ad 100644 > --- a/include/uapi/drm/mediatek_drm.h > +++ b/include/uapi/drm/mediatek_drm.h > @@ -54,6 +54,7 @@ struct drm_mtk_gem_map_off { > > #define DRM_MTK_GEM_CREATE 0x00 > #define DRM_MTK_GEM_MAP_OFFSET 0x01 > +#define DRM_MTK_GEM_CREATE_ENCRYPTED 0x02 > > #define DRM_IOCTL_MTK_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + \ > DRM_MTK_GEM_CREATE, struct drm_mtk_gem_create) That flag doesn't exist in drm-misc-next, which tree is this based on? Maxime

1 year, 8 months

1
0
0 0

Re: [PATCH v3 01/18] ASoC: dt-bindings: mediatek,mt8365-afe: Add audio afe document

by Krzysztof Kozlowski

On 10/04/2024 11:29, Alexandre Mergnat wrote: > > > On 09/04/2024 17:46, Krzysztof Kozlowski wrote: >>> + soc { >>> + #address-cells = <2>; >>> + #size-cells = <2>; >>> + >>> + afe@11220000 { >> Did you implement the comment or decided to keep afe? >> > > Though it was clear according to [1]: > " > Audio Front End, this is the same name used for other MTK SoC, to be > consistent. > > Cook a new patch serie to change "afe" by "audio-controller" for all MTK > SoC would be great. > " > > I want to keep it and fix it later with ALL other MTK SoC. > You didn't answer after that, I though it was ok for you... Then no, I don't agree. If you add code, which you already plan to fix, it means the code is not correct somehow. Then just add correct code in the beginning. Best regards, Krzysztof

1 year, 8 months

1
0
0 0

Re: [PATCH] dmabuf: fix dmabuf file poll uaf issue

by Christian König

Am 12.04.24 um 08:19 schrieb zhiguojiang: > [SNIP] > -> Here task 2220 do epoll again where internally it will get/put then > start to free twice and lead to final crash. > > Here is the basic flow: > > 1. Thread A install the dma_buf_fd via dma_buf_export, the fd refcount > is 1 > > 2. Thread A add the fd to epoll list via epoll_ctl(EPOLL_CTL_ADD) > > 3. After use the dma buf, Thread A close the fd, then here fd refcount > is 0, > and it will run __fput finally to release the file Stop, that isn't correct. The fs layer which calls dma_buf_poll() should make sure that the file can't go away until the function returns. Then inside dma_buf_poll() we add another reference to the file while installing the callback: /* Paired with fput in dma_buf_poll_cb */ get_file(dmabuf->file); This reference is only dropped after the callback is completed in dma_buf_poll_cb(): /* Paired with get_file in dma_buf_poll */ fput(dmabuf->file); So your explanation for the issue just seems to be incorrect. > > 4. Here Thread A not do epoll_ctl(EPOLL_CTL_DEL) manunally, so it > still resides in one epoll_list. > Although __fput will call eventpoll_release to remove the file from > binded epoll list, > but it has small time window where Thread B jumps in. Well if that is really the case then that would then be a bug in epoll_ctl(). > > 5. During the small window, Thread B do the poll action for > dma_buf_fd, where it will fget/fput for the file, > this means the fd refcount will be 0 -> 1 -> 0, and it will call > __fput again. > This will lead to __fput twice for the same file. > > 6. So the potenial fix is use get_file_rcu which to check if file > refcount already zero which means under free. > If so, we just return and no need to do the dma_buf_poll. Well to say it bluntly as far as I can see this suggestion is completely nonsense. When the reference to the file goes away while dma_buf_poll() is executed then that's a massive bug in the caller of that function. Regards, Christian. > > Here is the race condition: > > Thread A Thread B > dma_buf_export > fd_refcount is 1 > epoll_ctl(EPOLL_ADD) > add dma_buf_fd to epoll list > close(dma_buf_fd) > fd_refcount is 0 > __fput > dma_buf_poll > fget > fput > fd_refcount is zero again > > Thanks >

1 year, 8 months

1
0
0 0

Re: [PATCH] dma-buf: add DMA_BUF_IOCTL_SYNC_PARTIAL support

by T.J. Mercier

On Thu, Apr 11, 2024 at 1:21 AM Rong Qianfeng <11065417(a)vivo.com> wrote: > > > 在 2024/4/10 0:37, T.J. Mercier 写道: > > [You don't often get email from tjmercier(a)google.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > > > > On Tue, Apr 9, 2024 at 12:34 AM Rong Qianfeng <11065417(a)vivo.com> wrote: > >> > >> 在 2024/4/8 15:58, Christian König 写道: > >>> Am 07.04.24 um 09:50 schrieb Rong Qianfeng: > >>>> [SNIP] > >>>>> Am 13.11.21 um 07:22 schrieb Jianqun Xu: > >>>>>> Add DMA_BUF_IOCTL_SYNC_PARTIAL support for user to sync dma-buf with > >>>>>> offset and len. > >>>>> You have not given an use case for this so it is a bit hard to > >>>>> review. And from the existing use cases I don't see why this should > >>>>> be necessary. > >>>>> > >>>>> Even worse from the existing backend implementation I don't even see > >>>>> how drivers should be able to fulfill this semantics. > >>>>> > >>>>> Please explain further, > >>>>> Christian. > >>>> Here is a practical case: > >>>> The user space can allocate a large chunk of dma-buf for > >>>> self-management, used as a shared memory pool. > >>>> Small dma-buf can be allocated from this shared memory pool and > >>>> released back to it after use, thus improving the speed of dma-buf > >>>> allocation and release. > >>>> Additionally, custom functionalities such as memory statistics and > >>>> boundary checking can be implemented in the user space. > >>>> Of course, the above-mentioned functionalities require the > >>>> implementation of a partial cache sync interface. > >>> Well that is obvious, but where is the code doing that? > >>> > >>> You can't send out code without an actual user of it. That will > >>> obviously be rejected. > >>> > >>> Regards, > >>> Christian. > >> In fact, we have already used the user-level dma-buf memory pool in the > >> camera shooting scenario on the phone. > >> > >> From the test results, The execution time of the photo shooting > >> algorithm has been reduced from 3.8s to 3s. > >> > > For phones, the (out of tree) Android version of the system heap has a > > page pool connected to a shrinker. That allows you to skip page > > allocation without fully pinning the memory like you get when > > allocating a dma-buf that's way larger than necessary. If it's for a > > camera maybe you need physically contiguous memory, but it's also > > possible to set that up. > > > > https://android.googlesource.com/kernel/common/+/refs/heads/android14-6.1/d… > > > Thank you for the reminder. > > The page pool of the system heap can meet the needs of most scenarios, > but the camera shooting scenario is quite special. > > Why the camera shooting scenario needs to have a dma-buf memory pool in > the user-level？ > > (1) The memory demand is extremely high and time requirements are > stringent. Preallocating for this makes sense to me, whether it is individual buffers or one large one. > (2) The memory in the page pool(system heap) is easily reclaimed or used > by other apps. Yeah, by design I guess. I have seen an implementation where the page pool is proactively refilled after it has been empty for some time which would help in scenarios where the pool is often reclaimed and low/empty. You could add that in a vendor heap. > (3) High concurrent allocation and release (with deferred-free) lead to > high memory usage peaks. Hopefully this is not every frame? I saw enough complaints about the deferred free of pool pages that it hasn't been carried forward since Android 13, so this should be less of a problem on recent kernels. > Additionally, after the camera exits, the shared memory pool can be > released, with minimal impact. Why do you care about the difference here? In one case it's when the buffer refcount goes to 0 and memory is freed immediately, and in the other it's the next time reclaim runs the shrinker. I don't want to add UAPI for DMA_BUF_IOCTL_SYNC_PARTIAL to Android without it being in the upstream kernel. I don't think we can get that without an in-kernel user of dma_buf_begin_cpu_access_partial first, even though your use case wouldn't rely on that in-kernel usage. :\ So if you want to add this to phones for your camera app, then I think your best option is to add a vendor driver which implements this IOCTL and calls the dma_buf_begin_cpu_access_partial functions which are already exported. Best, T.J.

1 year, 8 months

1
0
0 0

Re: [PATCH] dma-buf: add DMA_BUF_IOCTL_SYNC_PARTIAL support

by T.J. Mercier

On Tue, Apr 9, 2024 at 12:34 AM Rong Qianfeng <11065417(a)vivo.com> wrote: > > > 在 2024/4/8 15:58, Christian König 写道: > > Am 07.04.24 um 09:50 schrieb Rong Qianfeng: > >> [SNIP] > >>> Am 13.11.21 um 07:22 schrieb Jianqun Xu: > >>>> Add DMA_BUF_IOCTL_SYNC_PARTIAL support for user to sync dma-buf with > >>>> offset and len. > >>> > >>> You have not given an use case for this so it is a bit hard to > >>> review. And from the existing use cases I don't see why this should > >>> be necessary. > >>> > >>> Even worse from the existing backend implementation I don't even see > >>> how drivers should be able to fulfill this semantics. > >>> > >>> Please explain further, > >>> Christian. > >> Here is a practical case: > >> The user space can allocate a large chunk of dma-buf for > >> self-management, used as a shared memory pool. > >> Small dma-buf can be allocated from this shared memory pool and > >> released back to it after use, thus improving the speed of dma-buf > >> allocation and release. > >> Additionally, custom functionalities such as memory statistics and > >> boundary checking can be implemented in the user space. > >> Of course, the above-mentioned functionalities require the > >> implementation of a partial cache sync interface. > > > > Well that is obvious, but where is the code doing that? > > > > You can't send out code without an actual user of it. That will > > obviously be rejected. > > > > Regards, > > Christian. > > In fact, we have already used the user-level dma-buf memory pool in the > camera shooting scenario on the phone. > > From the test results, The execution time of the photo shooting > algorithm has been reduced from 3.8s to 3s. > For phones, the (out of tree) Android version of the system heap has a page pool connected to a shrinker. That allows you to skip page allocation without fully pinning the memory like you get when allocating a dma-buf that's way larger than necessary. If it's for a camera maybe you need physically contiguous memory, but it's also possible to set that up. https://android.googlesource.com/kernel/common/+/refs/heads/android14-6.1/d… > To be honest, I didn't understand your concern "...how drivers should be > able to fulfill this semantics." Can you please help explain it in more > detail? > > Thanks, > > Rong Qianfeng. > > > > >> > >> Thanks > >> Rong Qianfeng. > > >

1 year, 8 months

2
3
0 0

Re: [PATCH net-next v8 3/3] net: ethernet: ti: am65-cpsw: Add minimal XDP support

by Jakub Kicinski

On Wed, 10 Apr 2024 16:02:00 +0200 Julien Panis wrote: > > You shouldn't build the skb upfront any more. Give the page to the HW, > > once HW sends you a completion - build the skbs. If build fails > > (allocation failure) just give the page back to HW. If it succeeds, > > however, you'll get a skb which is far more likely to be cache hot. > > Not sure I get this point. > > "Give the page to the HW" = Do you mean that I should dma_map_single() > a full page (|PAGE_SIZE|) in am65_cpsw_nuss_rx_push() ? Yes, I think so. I think that's what you effectively do now anyway, you just limit the len and wrap it in an skb. But am65_cpsw_nuss_rx_push() will effectively get that page back from skb->data and map it.

1 year, 8 months

1
0
0 0

Re: [PATCH net-next v8 2/3] net: ethernet: ti: Add desc_infos member to struct k3_cppi_desc_pool

by Jakub Kicinski

On Wed, 10 Apr 2024 10:36:16 +0200 Julien Panis wrote: > Also, about mem alloc failures, shouldn't we free 'pool' on kstrdup_const() > error at the beginning of k3_cppi_desc_pool_create_name() ? > I mean, it's not visible in my patch but I now wonder if this was done > properly even before I modify the file. Yes, it uses managed memory (devm_*) but prueth (I didn't check other callers) calls it from .ndo_open. So while not technically a full leak we can accumulate infinite memory by repeatedly failing here :S

1 year, 8 months

1
0
0 0

Re: [PATCH net-next v8 3/3] net: ethernet: ti: am65-cpsw: Add minimal XDP support

by Jakub Kicinski

On Mon, 08 Apr 2024 11:38:04 +0200 Julien Panis wrote: > +static struct sk_buff *am65_cpsw_alloc_skb(struct am65_cpsw_rx_chn *rx_chn, > + struct net_device *ndev, > + unsigned int len, > + int desc_idx, > + bool allow_direct) > +{ > + struct sk_buff *skb; > + struct page *page; > + > + page = page_pool_dev_alloc_pages(rx_chn->page_pool); > + if (unlikely(!page)) > + return NULL; > + > + len += AM65_CPSW_HEADROOM; > + > + skb = build_skb(page_address(page), len); You shouldn't build the skb upfront any more. Give the page to the HW, once HW sends you a completion - build the skbs. If build fails (allocation failure) just give the page back to HW. If it succeeds, however, you'll get a skb which is far more likely to be cache hot. > + if (unlikely(!skb)) { > + page_pool_put_full_page(rx_chn->page_pool, page, allow_direct); > + rx_chn->pages[desc_idx] = NULL; > + return NULL; > + }

1 year, 8 months

1
0
0 0

Re: [PATCH net-next v8 2/3] net: ethernet: ti: Add desc_infos member to struct k3_cppi_desc_pool

by Jakub Kicinski

On Mon, 08 Apr 2024 11:38:03 +0200 Julien Panis wrote: > goto gen_pool_create_fail; > } > > + pool->desc_infos = kcalloc(pool->num_desc, > + sizeof(*pool->desc_infos), GFP_KERNEL); > + if (!pool->desc_infos) { > + ret = -ENOMEM; > + dev_err(pool->dev, > + "pool descriptor infos alloc failed %d\n", ret); Please don't add errors on mem alloc failures. They just bloat the kernel, there will be a rather large OOM splat in the logs if GFP_KERNEL allocation fails. > + kfree_const(pool_name); > + goto gen_pool_desc_infos_alloc_fail; > + } > + > pool->gen_pool->name = pool_name; If you add the new allocation after this line, I think you wouldn't have to free pool_name under the if () explicitly. -- pw-bot: cr

1 year, 8 months

1
0
0 0

Re: [PATCH v3 18/18] arm64: dts: mediatek: add audio support for mt8365-evk

by Krzysztof Kozlowski

On 09/04/2024 15:42, Alexandre Mergnat wrote: > Add the sound node which is linked to the MT8365 SoC AFE and > the MT6357 audio codec. > > Update the file header. > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > --- > arch/arm64/boot/dts/mediatek/mt8365-evk.dts | 98 +++++++++++++++++++++++++++-- > 1 file changed, 94 insertions(+), 4 deletions(-) > > diff --git a/arch/arm64/boot/dts/mediatek/mt8365-evk.dts b/arch/arm64/boot/dts/mediatek/mt8365-evk.dts > index 50cbaefa1a99..eb0c5f076dd4 100644 > --- a/arch/arm64/boot/dts/mediatek/mt8365-evk.dts > +++ b/arch/arm64/boot/dts/mediatek/mt8365-evk.dts > @@ -1,9 +1,9 @@ > // SPDX-License-Identifier: GPL-2.0 > /* > - * Copyright (c) 2021-2022 BayLibre, SAS. > - * Authors: > - * Fabien Parent <fparent(a)baylibre.com> > - * Bernhard Rosenkränzer <bero(a)baylibre.com> > + * Copyright (c) 2024 BayLibre, SAS. What is happening with your copyrights? Why do you change existing ones? > + * Authors: Fabien Parent <fparent(a)baylibre.com> > + * Bernhard Rosenkränzer <bero(a)baylibre.com> > + * Alexandre Mergnat <amergnat(a)baylibre.com> > */ > > /dts-v1/; > @@ -86,6 +86,29 @@ optee_reserved: optee@43200000 { > reg = <0 0x43200000 0 0x00c00000>; > }; > }; > + > + sound: sound { > + compatible = "mediatek,mt8365-mt6357"; > + pinctrl-names = "default", > + "dmic", > + "miso_off", > + "miso_on", > + "mosi_off", > + "mosi_on"; > + pinctrl-0 = <&aud_default_pins>; > + pinctrl-1 = <&aud_dmic_pins>; > + pinctrl-2 = <&aud_miso_off_pins>; > + pinctrl-3 = <&aud_miso_on_pins>; > + pinctrl-4 = <&aud_mosi_off_pins>; > + pinctrl-5 = <&aud_mosi_on_pins>; > + mediatek,platform = <&afe>; > + status = "okay"; Where did you disable the node? > + }; > +}; > + > +&afe { > + mediatek,dmic-mode = <1>; > + status = "okay"; > }; > > &cpu0 { > @@ -174,6 +197,12 @@ &mmc1 { > status = "okay"; > }; > > +&mt6357_codec { > + mediatek,micbias0-microvolt = <1900000>; > + mediatek,micbias1-microvolt = <1700000>; > + mediatek,vaud28-supply = <&mt6357_vaud28_reg>; > +}; > + > &mt6357_pmic { > interrupts-extended = <&pio 145 IRQ_TYPE_LEVEL_HIGH>; > interrupt-controller; > @@ -181,6 +210,67 @@ &mt6357_pmic { > }; > > &pio { > + aud_default_pins: audiodefault-pins { > + pins { > + pinmux = <MT8365_PIN_72_CMDAT4__FUNC_I2S3_BCK>, > + <MT8365_PIN_73_CMDAT5__FUNC_I2S3_LRCK>, > + <MT8365_PIN_74_CMDAT6__FUNC_I2S3_MCK>, > + <MT8365_PIN_75_CMDAT7__FUNC_I2S3_DO>; You have broken indentation everywhere. Best regards, Krzysztof

1 year, 8 months

1
0
0 0

Re: [PATCH v3 16/18] arm64: dts: mediatek: add mt6357 audio codec support

by Krzysztof Kozlowski

On 09/04/2024 15:42, Alexandre Mergnat wrote: > Add audio codec support of MT6357 PMIC. > Update the file header. Why? > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > --- > arch/arm64/boot/dts/mediatek/mt6357.dtsi | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/boot/dts/mediatek/mt6357.dtsi b/arch/arm64/boot/dts/mediatek/mt6357.dtsi > index 3330a03c2f74..ade410851524 100644 > --- a/arch/arm64/boot/dts/mediatek/mt6357.dtsi > +++ b/arch/arm64/boot/dts/mediatek/mt6357.dtsi > @@ -1,7 +1,7 @@ > // SPDX-License-Identifier: (GPL-2.0 OR MIT) > /* > * Copyright (c) 2020 MediaTek Inc. > - * Copyright (c) 2023 BayLibre Inc. > + * Copyright (c) 2024 BayLibre Inc. That's not a reasonable change. The file was published on 2023, wasn't it? If this is not correct, please explain why/how and make it separate patch. > */ > > #include <dt-bindings/input/input.h> > @@ -10,6 +10,9 @@ &pwrap { > mt6357_pmic: pmic { > compatible = "mediatek,mt6357"; > > + mt6357_codec: codec { > + }; There is no single point of having empty nodes. NAK. Best regards, Krzysztof

1 year, 8 months

1
0
0 0

Re: [PATCH v3 04/18] dt-bindings: mfd: mediatek: Add codec property for MT6357 PMIC

by Krzysztof Kozlowski

On 09/04/2024 15:42, Alexandre Mergnat wrote: > Add the audio codec sub-device. This sub-device is used to set required > and optional voltage properties between the codec and the board. > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > --- > Documentation/devicetree/bindings/mfd/mediatek,mt6357.yaml | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/Documentation/devicetree/bindings/mfd/mediatek,mt6357.yaml b/Documentation/devicetree/bindings/mfd/mediatek,mt6357.yaml > index 37423c2e0fdf..7c6a4a587b5f 100644 > --- a/Documentation/devicetree/bindings/mfd/mediatek,mt6357.yaml > +++ b/Documentation/devicetree/bindings/mfd/mediatek,mt6357.yaml > @@ -37,6 +37,11 @@ properties: > "#interrupt-cells": > const: 2 > > + codec: > + type: object > + $ref: /schemas/sound/mt6357.yaml > + unevaluatedProperties: false Just put the properties here, without the codec node. Also, your example is now incomplete. Best regards, Krzysztof

1 year, 8 months

1
0
0 0

Re: [PATCH v3 03/18] ASoC: dt-bindings: mt6357: Add audio codec document

by Krzysztof Kozlowski

On 09/04/2024 15:42, Alexandre Mergnat wrote: > Add MT8365 audio codec bindings to set required > and optional voltage properties between the codec and the board. > The properties are: > - phandle of the requiered power supply. typo > - Setup of microphone bias voltage. > - Setup of the speaker pin pull-down. > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > --- > .../devicetree/bindings/sound/mt6357.yaml | 54 ++++++++++++++++++++++ Filename using compatible syntax, so missing vendor prefix. > 1 file changed, 54 insertions(+) > > diff --git a/Documentation/devicetree/bindings/sound/mt6357.yaml b/Documentation/devicetree/bindings/sound/mt6357.yaml > new file mode 100644 > index 000000000000..381cb71b959f > --- /dev/null > +++ b/Documentation/devicetree/bindings/sound/mt6357.yaml > @@ -0,0 +1,54 @@ > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) > +%YAML 1.2 > +--- > +$id: http://devicetree.org/schemas/sound/mt6357.yaml# > +$schema: http://devicetree.org/meta-schemas/core.yaml# > + > +title: Mediatek MT6357 Codec > + > +maintainers: > + - Alexandre Mergnat <amergnat(a)baylibre.com> > + > +description: | Do not need '|' unless you need to preserve formatting. > + This is the required and optional voltage properties for this subdevice. > + The communication between MT6357 and SoC is through Mediatek PMIC wrapper. > + For more detail, please visit Mediatek PMIC wrapper documentation. > + Must be a child node of PMIC wrapper. Why? > + > +properties: > + Drop blank line > + mediatek,hp-pull-down: > + description: > + Earphone driver positive output stage short to > + the audio reference ground. > + type: boolean > + > + mediatek,micbias0-microvolt: > + description: Selects MIC Bias 0 output voltage. > + enum: [1700000, 1800000, 1900000, 2000000, > + 2100000, 2500000, 2600000, 2700000] > + default: 1700000 > + > + mediatek,micbias1-microvolt: > + description: Selects MIC Bias 1 output voltage. > + enum: [1700000, 1800000, 1900000, 2000000, > + 2100000, 2500000, 2600000, 2700000] > + default: 1700000 > + > + mediatek,vaud28-supply: > + description: 2.8 volt supply phandle for the audio codec Supplies go without vendor prefixes. > + > +required: > + - mediatek,vaud28-supply That's basically no-op schema. I do not understand what you are trying to achieve here. > + > +additionalProperties: false > + > +examples: > + - | > + codec { > + mediatek,micbias0-microvolt = <1900000>; > + mediatek,micbias1-microvolt = <1700000>; > + mediatek,vaud28-supply = <&mt6357_vaud28_reg>; Sorry, this does not work. Change voltage to 1111111 and check the results. Best regards, Krzysztof

1 year, 8 months

1
0
0 0

Re: [PATCH v3 02/18] ASoC: dt-bindings: mediatek,mt8365-mt6357: Add audio sound card document

by Krzysztof Kozlowski

On 09/04/2024 15:42, Alexandre Mergnat wrote: > Add soundcard bindings for the MT8365 SoC with the MT6357 audio codec. > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > +patternProperties: > + "^dai-link-[0-9]+$": > + type: object > + description: > + Container for dai-link level properties and CODEC sub-nodes. > + > + properties: > + codec: > + type: object > + description: Holds subnode which indicates codec dai. > + > + properties: > + sound-dai: > + maxItems: 1 > + description: phandle of the codec DAI > + > + additionalProperties: false > + > + link-name: > + description: > + This property corresponds to the name of the BE dai-link to which > + we are going to update parameters in this node. > + items: > + const: 2ND_I2S_BE What is the type of link-name? Why is it fixed? How can you have here multiple dai links if all of them must have the same name? Best regards, Krzysztof

1 year, 8 months

1
0
0 0

Re: [PATCH v3 01/18] ASoC: dt-bindings: mediatek,mt8365-afe: Add audio afe document

by Krzysztof Kozlowski

On 09/04/2024 15:41, Alexandre Mergnat wrote: > Add MT8365 audio front-end bindings > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > --- > +properties: > + compatible: > + const: mediatek,mt8365-afe-pcm > + > + reg: > + maxItems: 1 > + > + "#sound-dai-cells": > + const: 0 > + > + clocks: > + items: > + - description: 26M clock > + - description: mux for audio clock > + - description: audio i2s0 mck > + - description: audio i2s1 mck > + - description: audio i2s2 mck > + - description: audio i2s3 mck > + - description: engen 1 clock > + - description: engen 2 clock > + - description: audio 1 clock > + - description: audio 2 clock > + - description: mux for i2s0 > + - description: mux for i2s1 > + - description: mux for i2s2 > + - description: mux for i2s3 > + > + clock-names: > + items: > + - const: top_clk26m_clk > + - const: top_audio_sel > + - const: audio_i2s0_m > + - const: audio_i2s1_m > + - const: audio_i2s2_m > + - const: audio_i2s3_m > + - const: engen1 > + - const: engen2 > + - const: aud1 > + - const: aud2 > + - const: i2s0_m_sel > + - const: i2s1_m_sel > + - const: i2s2_m_sel > + - const: i2s3_m_sel > + > + interrupts: > + maxItems: 1 > + > + power-domains: > + maxItems: 1 > + > + mediatek,dmic-mode: > + $ref: /schemas/types.yaml#/definitions/uint32 > + description: > + Indicates how many data pins are used to transmit two channels of PDM > + signal. 1 means two wires, 0 means one wire. Default value is 0. > + enum: > + - 0 # one wire > + - 1 # two wires > + > + mediatek,topckgen: > + $ref: /schemas/types.yaml#/definitions/phandle > + description: The phandle of the mediatek topckgen controller Nothing improved, so again, so something which is not obvious. What is it used for? Why AFE needs topckgen for example? > + > +required: > + - compatible > + - reg > + - clocks > + - clock-names > + - interrupts > + - power-domains > + - mediatek,topckgen > + > +additionalProperties: false > + > +examples: > + - | > + #include <dt-bindings/clock/mediatek,mt8365-clk.h> > + #include <dt-bindings/interrupt-controller/arm-gic.h> > + #include <dt-bindings/interrupt-controller/irq.h> > + #include <dt-bindings/power/mediatek,mt8365-power.h> > + > + soc { > + #address-cells = <2>; > + #size-cells = <2>; > + > + afe@11220000 { Did you implement the comment or decided to keep afe? BTW, whatever "consistency" you have in mind, it does not really matter that much for that example. And for sure do not add incorrect code intentionally just to fix it in next patch. Best regards, Krzysztof

1 year, 8 months

1
0
0 0

Re: [PATCH] dma-buf: add DMA_BUF_IOCTL_SYNC_PARTIAL support

by Christian König

Am 09.04.24 um 09:32 schrieb Rong Qianfeng: > > 在 2024/4/8 15:58, Christian König 写道: >> Am 07.04.24 um 09:50 schrieb Rong Qianfeng: >>> [SNIP] >>>> Am 13.11.21 um 07:22 schrieb Jianqun Xu: >>>>> Add DMA_BUF_IOCTL_SYNC_PARTIAL support for user to sync dma-buf with >>>>> offset and len. >>>> >>>> You have not given an use case for this so it is a bit hard to >>>> review. And from the existing use cases I don't see why this should >>>> be necessary. >>>> >>>> Even worse from the existing backend implementation I don't even >>>> see how drivers should be able to fulfill this semantics. >>>> >>>> Please explain further, >>>> Christian. >>> Here is a practical case: >>> The user space can allocate a large chunk of dma-buf for >>> self-management, used as a shared memory pool. >>> Small dma-buf can be allocated from this shared memory pool and >>> released back to it after use, thus improving the speed of dma-buf >>> allocation and release. >>> Additionally, custom functionalities such as memory statistics and >>> boundary checking can be implemented in the user space. >>> Of course, the above-mentioned functionalities require the >>> implementation of a partial cache sync interface. >> >> Well that is obvious, but where is the code doing that? >> >> You can't send out code without an actual user of it. That will >> obviously be rejected. >> >> Regards, >> Christian. > > In fact, we have already used the user-level dma-buf memory pool in > the camera shooting scenario on the phone. > > From the test results, The execution time of the photo shooting > algorithm has been reduced from 3.8s to 3s. > > To be honest, I didn't understand your concern "...how drivers should > be able to fulfill this semantics." Can you please help explain it in > more detail? Well you don't give any upstream driver code which actually uses this interface. If you want to suggest some changes to the core Linux kernel your driver actually needs to be upstream. As long as that isn't the case this approach here is a completely no-go. Regards, Christian. > > Thanks, > > Rong Qianfeng. > >> >>> >>> Thanks >>> Rong Qianfeng. >>

1 year, 8 months

1
0
0 0

Re: [PATCH v3 2/2] misc: sram: Add DMA-BUF Heap exporting of SRAM areas

by Andrew Davis

On 4/9/24 7:06 AM, Pascal FONTAIN wrote: > From: Andrew Davis <afd(a)ti.com> > > This new export type exposes to userspace the SRAM area as a DMA-BUF > Heap, > this allows for allocations of DMA-BUFs that can be consumed by various > DMA-BUF supporting devices. > > Signed-off-by: Andrew Davis <afd(a)ti.com> > Tested-by: Pascal Fontain <pascal.fontain(a)bachmann.info> > --- The last time I posted this I got this comment[0], for which I didn't really have a good response and so haven't reposted this since then. Bacically this driver is backed by something other than "normal" memory. So we really need to be careful here, the page pointer is really just a cookie to keep track for the real mappings. We might be able to use something similar to dma_get_sgtable() to hide that, but under the hood it would still a bit unsafe[1]. Andrew [0] https://patchwork.kernel.org/project/linux-media/patch/20230713191316.11601… [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/ker… > drivers/misc/Kconfig | 7 + > drivers/misc/Makefile | 1 + > drivers/misc/sram-dma-heap.c | 246 +++++++++++++++++++++++++++++++++++ > drivers/misc/sram.c | 6 + > drivers/misc/sram.h | 16 +++ > 5 files changed, 276 insertions(+) > create mode 100644 drivers/misc/sram-dma-heap.c > > diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig > index 9e4ad4d61f06..e6674e913168 100644 > --- a/drivers/misc/Kconfig > +++ b/drivers/misc/Kconfig > @@ -448,6 +448,13 @@ config SRAM > config SRAM_EXEC > bool > > +config SRAM_DMA_HEAP > + bool "Export on-chip SRAM pools using DMA-Heaps" > + depends on DMABUF_HEAPS && SRAM > + help > + This driver allows the export of on-chip SRAM marked as both pool > + and exportable to userspace using the DMA-Heaps interface. > + > config DW_XDATA_PCIE > depends on PCI > tristate "Synopsys DesignWare xData PCIe driver" > diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile > index cdc6405584e3..63effdde5163 100644 > --- a/drivers/misc/Makefile > +++ b/drivers/misc/Makefile > @@ -47,6 +47,7 @@ obj-$(CONFIG_VMWARE_VMCI) += vmw_vmci/ > obj-$(CONFIG_LATTICE_ECP3_CONFIG) += lattice-ecp3-config.o > obj-$(CONFIG_SRAM) += sram.o > obj-$(CONFIG_SRAM_EXEC) += sram-exec.o > +obj-$(CONFIG_SRAM_DMA_HEAP) += sram-dma-heap.o > obj-$(CONFIG_GENWQE) += genwqe/ > obj-$(CONFIG_ECHO) += echo/ > obj-$(CONFIG_CXL_BASE) += cxl/ > diff --git a/drivers/misc/sram-dma-heap.c b/drivers/misc/sram-dma-heap.c > new file mode 100644 > index 000000000000..e5a0bafe8cb9 > --- /dev/null > +++ b/drivers/misc/sram-dma-heap.c > @@ -0,0 +1,246 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * SRAM DMA-Heap userspace exporter > + * > + * Copyright (C) 2019-2022 Texas Instruments Incorporated - https://www.ti.com/ > + * Andrew Davis <afd(a)ti.com> > + */ > + > +#include <linux/dma-mapping.h> > +#include <linux/err.h> > +#include <linux/genalloc.h> > +#include <linux/io.h> > +#include <linux/mm.h> > +#include <linux/scatterlist.h> > +#include <linux/slab.h> > +#include <linux/dma-buf.h> > +#include <linux/dma-heap.h> > + > +#include "sram.h" > + > +struct sram_dma_heap { > + struct dma_heap *heap; > + struct gen_pool *pool; > +}; > + > +struct sram_dma_heap_buffer { > + struct gen_pool *pool; > + struct list_head attachments; > + struct mutex attachments_lock; > + unsigned long len; > + void *vaddr; > + phys_addr_t paddr; > +}; > + > +struct dma_heap_attachment { > + struct device *dev; > + struct sg_table *table; > + struct list_head list; > +}; > + > +static int dma_heap_attach(struct dma_buf *dmabuf, > + struct dma_buf_attachment *attachment) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + struct dma_heap_attachment *a; > + struct sg_table *table; > + > + a = kzalloc(sizeof(*a), GFP_KERNEL); > + if (!a) > + return -ENOMEM; > + > + table = kmalloc(sizeof(*table), GFP_KERNEL); > + if (!table) { > + kfree(a); > + return -ENOMEM; > + } > + if (sg_alloc_table(table, 1, GFP_KERNEL)) { > + kfree(table); > + kfree(a); > + return -ENOMEM; > + } > + sg_set_page(table->sgl, pfn_to_page(PFN_DOWN(buffer->paddr)), buffer->len, 0); > + > + a->table = table; > + a->dev = attachment->dev; > + INIT_LIST_HEAD(&a->list); > + > + attachment->priv = a; > + > + mutex_lock(&buffer->attachments_lock); > + list_add(&a->list, &buffer->attachments); > + mutex_unlock(&buffer->attachments_lock); > + > + return 0; > +} > + > +static void dma_heap_detatch(struct dma_buf *dmabuf, > + struct dma_buf_attachment *attachment) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + struct dma_heap_attachment *a = attachment->priv; > + > + mutex_lock(&buffer->attachments_lock); > + list_del(&a->list); > + mutex_unlock(&buffer->attachments_lock); > + > + sg_free_table(a->table); > + kfree(a->table); > + kfree(a); > +} > + > +static struct sg_table *dma_heap_map_dma_buf(struct dma_buf_attachment *attachment, > + enum dma_data_direction direction) > +{ > + struct dma_heap_attachment *a = attachment->priv; > + struct sg_table *table = a->table; > + > + /* > + * As this heap is backed by uncached SRAM memory we do not need to > + * perform any sync operations on the buffer before allowing device > + * domain access. For this reason we use SKIP_CPU_SYNC and also do > + * not use or provide begin/end_cpu_access() dma-buf functions. > + */ > + if (!dma_map_sg_attrs(attachment->dev, table->sgl, table->nents, > + direction, DMA_ATTR_SKIP_CPU_SYNC)) > + return ERR_PTR(-ENOMEM); > + > + return table; > +} > + > +static void dma_heap_unmap_dma_buf(struct dma_buf_attachment *attachment, > + struct sg_table *table, > + enum dma_data_direction direction) > +{ > + dma_unmap_sg_attrs(attachment->dev, table->sgl, table->nents, > + direction, DMA_ATTR_SKIP_CPU_SYNC); > +} > + > +static void dma_heap_dma_buf_release(struct dma_buf *dmabuf) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + > + gen_pool_free(buffer->pool, (unsigned long)buffer->vaddr, buffer->len); > + kfree(buffer); > +} > + > +static int dma_heap_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + int ret; > + > + /* SRAM mappings are not cached */ > + vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot); > + > + ret = vm_iomap_memory(vma, buffer->paddr, buffer->len); > + if (ret) > + pr_err("Could not map buffer to userspace\n"); > + > + return ret; > +} > + > +static int dma_heap_vmap(struct dma_buf *dmabuf, struct iosys_map *map) > +{ > + struct sram_dma_heap_buffer *buffer = dmabuf->priv; > + > + iosys_map_set_vaddr(map, buffer->vaddr); > + > + return 0; > +} > + > +static const struct dma_buf_ops sram_dma_heap_buf_ops = { > + .attach = dma_heap_attach, > + .detach = dma_heap_detatch, > + .map_dma_buf = dma_heap_map_dma_buf, > + .unmap_dma_buf = dma_heap_unmap_dma_buf, > + .release = dma_heap_dma_buf_release, > + .mmap = dma_heap_mmap, > + .vmap = dma_heap_vmap, > +}; > + > +static struct dma_buf *sram_dma_heap_allocate(struct dma_heap *heap, > + unsigned long len, > + unsigned long fd_flags, > + unsigned long heap_flags) > +{ > + struct sram_dma_heap *sram_dma_heap = dma_heap_get_drvdata(heap); > + struct sram_dma_heap_buffer *buffer; > + > + DEFINE_DMA_BUF_EXPORT_INFO(exp_info); > + struct dma_buf *dmabuf; > + int ret; > + > + buffer = kzalloc(sizeof(*buffer), GFP_KERNEL); > + if (!buffer) > + return ERR_PTR(-ENOMEM); > + buffer->pool = sram_dma_heap->pool; > + INIT_LIST_HEAD(&buffer->attachments); > + mutex_init(&buffer->attachments_lock); > + buffer->len = len; > + > + buffer->vaddr = (void *)gen_pool_alloc(buffer->pool, buffer->len); > + if (!buffer->vaddr) { > + ret = -ENOMEM; > + goto free_buffer; > + } > + > + buffer->paddr = gen_pool_virt_to_phys(buffer->pool, (unsigned long)buffer->vaddr); > + if (buffer->paddr == -1) { > + ret = -ENOMEM; > + goto free_pool; > + } > + > + /* create the dmabuf */ > + exp_info.exp_name = dma_heap_get_name(heap); > + exp_info.ops = &sram_dma_heap_buf_ops; > + exp_info.size = buffer->len; > + exp_info.flags = fd_flags; > + exp_info.priv = buffer; > + dmabuf = dma_buf_export(&exp_info); > + if (IS_ERR(dmabuf)) { > + ret = PTR_ERR(dmabuf); > + goto free_pool; > + } > + > + return dmabuf; > + > +free_pool: > + gen_pool_free(buffer->pool, (unsigned long)buffer->vaddr, buffer->len); > +free_buffer: > + kfree(buffer); > + > + return ERR_PTR(ret); > +} > + > +static struct dma_heap_ops sram_dma_heap_ops = { > + .allocate = sram_dma_heap_allocate, > +}; > + > +int sram_add_dma_heap(struct sram_dev *sram, > + struct sram_reserve *block, > + phys_addr_t start, > + struct sram_partition *part) > +{ > + struct sram_dma_heap *sram_dma_heap; > + struct dma_heap_export_info exp_info; > + > + dev_info(sram->dev, "Exporting SRAM Heap '%s'\n", block->label); > + > + sram_dma_heap = kzalloc(sizeof(*sram_dma_heap), GFP_KERNEL); > + if (!sram_dma_heap) > + return -ENOMEM; > + sram_dma_heap->pool = part->pool; > + > + exp_info.name = kasprintf(GFP_KERNEL, "sram_%s", block->label); > + exp_info.ops = &sram_dma_heap_ops; > + exp_info.priv = sram_dma_heap; > + sram_dma_heap->heap = dma_heap_add(&exp_info); > + if (IS_ERR(sram_dma_heap->heap)) { > + int ret = PTR_ERR(sram_dma_heap->heap); > + > + kfree(sram_dma_heap); > + return ret; > + } > + > + return 0; > +} > diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c > index 632f90d9bcea..643c77598beb 100644 > --- a/drivers/misc/sram.c > +++ b/drivers/misc/sram.c > @@ -120,6 +120,12 @@ static int sram_add_partition(struct sram_dev *sram, struct sram_reserve *block, > ret = sram_add_pool(sram, block, start, part); > if (ret) > return ret; > + > + if (block->export) { > + ret = sram_add_dma_heap(sram, block, start, part); > + if (ret) > + return ret; > + } > } > if (block->export) { > ret = sram_add_export(sram, block, start, part); > diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h > index 397205b8bf6f..062bdd25fa06 100644 > --- a/drivers/misc/sram.h > +++ b/drivers/misc/sram.h > @@ -60,4 +60,20 @@ static inline int sram_add_protect_exec(struct sram_partition *part) > return -ENODEV; > } > #endif /* CONFIG_SRAM_EXEC */ > + > +#ifdef CONFIG_SRAM_DMA_HEAP > +int sram_add_dma_heap(struct sram_dev *sram, > + struct sram_reserve *block, > + phys_addr_t start, > + struct sram_partition *part); > +#else > +static inline int sram_add_dma_heap(struct sram_dev *sram, > + struct sram_reserve *block, > + phys_addr_t start, > + struct sram_partition *part) > +{ > + return 0; > +} > +#endif /* CONFIG_SRAM_DMA_HEAP */ > + > #endif /* __SRAM_H */

1 year, 8 months

1
0
0 0

Re: [PATCH v2 04/18] ASoC: dt-bindings: mt6357: Add audio codec document

by Rob Herring

On Tue, 09 Apr 2024 12:13:25 +0200, Alexandre Mergnat wrote: > Add MT8365 audio codec bindings to set required > and optional voltage properties between the codec and the board. > The properties are: > - phandle of the requiered power supply. > - Setup of microphone bias voltage. > - Setup of the speaker pin pull-down. > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > --- > .../devicetree/bindings/sound/mt6357.yaml | 54 ++++++++++++++++++++++ > 1 file changed, 54 insertions(+) > My bot found errors running 'make DT_CHECKER_FLAGS=-m dt_binding_check' on your patch (DT_CHECKER_FLAGS is new in v5.13): yamllint warnings/errors: dtschema/dtc warnings/errors: /builds/robherring/dt-review-ci/linux/Documentation/devicetree/bindings/sound/mt6357.yaml: properties:vaud28-supply: '$ref' is not one of ['description', 'deprecated'] from schema $id: http://devicetree.org/meta-schemas/core.yaml# doc reference errors (make refcheckdocs): See https://patchwork.ozlabs.org/project/devicetree-bindings/patch/20240226-aud… The base for the series is generally the latest rc1. A different dependency should be noted in *this* patch. If you already ran 'make dt_binding_check' and didn't see the above error(s), then make sure 'yamllint' is installed and dt-schema is up to date: pip3 install dtschema --upgrade Please check and re-submit after running the above command yourself. Note that DT_SCHEMA_FILES can be set to your schema file to speed up checking your schema. However, it must be unset to test all examples with your schema.

1 year, 8 months

1
0
0 0

Re: [PATCH v2 03/18] dt-bindings: mfd: mediatek: Add codec property for MT6357 PMIC

by Rob Herring

On Tue, 09 Apr 2024 12:13:24 +0200, Alexandre Mergnat wrote: > Add the audio codec sub-device. This sub-device is used to set required > and optional voltage properties between the codec and the board. > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > --- > Documentation/devicetree/bindings/mfd/mediatek,mt6357.yaml | 5 +++++ > 1 file changed, 5 insertions(+) > My bot found errors running 'make DT_CHECKER_FLAGS=-m dt_binding_check' on your patch (DT_CHECKER_FLAGS is new in v5.13): yamllint warnings/errors: dtschema/dtc warnings/errors: /builds/robherring/dt-review-ci/linux/Documentation/devicetree/bindings/mfd/mediatek,mt6357.yaml: Error in referenced schema matching $id: http://devicetree.org/schemas/sound/mt6357.yaml doc reference errors (make refcheckdocs): See https://patchwork.ozlabs.org/project/devicetree-bindings/patch/20240226-aud… The base for the series is generally the latest rc1. A different dependency should be noted in *this* patch. If you already ran 'make dt_binding_check' and didn't see the above error(s), then make sure 'yamllint' is installed and dt-schema is up to date: pip3 install dtschema --upgrade Please check and re-submit after running the above command yourself. Note that DT_SCHEMA_FILES can be set to your schema file to speed up checking your schema. However, it must be unset to test all examples with your schema.

1 year, 8 months

1
0
0 0

Re: [PATCH] dma-buf: add DMA_BUF_IOCTL_SYNC_PARTIAL support

by Christian König

Am 07.04.24 um 09:50 schrieb Rong Qianfeng: > [SNIP] >> Am 13.11.21 um 07:22 schrieb Jianqun Xu: >>> Add DMA_BUF_IOCTL_SYNC_PARTIAL support for user to sync dma-buf with >>> offset and len. >> >> You have not given an use case for this so it is a bit hard to >> review. And from the existing use cases I don't see why this should >> be necessary. >> >> Even worse from the existing backend implementation I don't even see >> how drivers should be able to fulfill this semantics. >> >> Please explain further, >> Christian. > Here is a practical case: > The user space can allocate a large chunk of dma-buf for > self-management, used as a shared memory pool. > Small dma-buf can be allocated from this shared memory pool and > released back to it after use, thus improving the speed of dma-buf > allocation and release. > Additionally, custom functionalities such as memory statistics and > boundary checking can be implemented in the user space. > Of course, the above-mentioned functionalities require the > implementation of a partial cache sync interface. Well that is obvious, but where is the code doing that? You can't send out code without an actual user of it. That will obviously be rejected. Regards, Christian. > > Thanks > Rong Qianfeng.

1 year, 8 months

1
0
0 0

[PATCH v9 0/6] iio: new DMABUF based API

by Paul Cercueil

Hi Jonathan, Here's the final-er version of the IIO DMABUF patchset. This v9 fixes the few issues reported by the kernel bot. This was based on next-20240308. Changelog: - [3/6]: - Select DMA_SHARED_BUFFER in Kconfig - Remove useless forward declaration of 'iio_dma_fence' - Import DMA-BUF namespace - Add missing __user tag to iio_buffer_detach_dmabuf() argument Cheers, -Paul Paul Cercueil (6): dmaengine: Add API function dmaengine_prep_peripheral_dma_vec() dmaengine: dma-axi-dmac: Implement device_prep_peripheral_dma_vec iio: core: Add new DMABUF interface infrastructure iio: buffer-dma: Enable support for DMABUFs iio: buffer-dmaengine: Support new DMABUF based userspace API Documentation: iio: Document high-speed DMABUF based API Documentation/iio/iio_dmabuf_api.rst | 54 ++ Documentation/iio/index.rst | 1 + drivers/dma/dma-axi-dmac.c | 40 ++ drivers/iio/Kconfig | 1 + drivers/iio/buffer/industrialio-buffer-dma.c | 181 ++++++- .../buffer/industrialio-buffer-dmaengine.c | 59 ++- drivers/iio/industrialio-buffer.c | 462 ++++++++++++++++++ include/linux/dmaengine.h | 27 + include/linux/iio/buffer-dma.h | 31 ++ include/linux/iio/buffer_impl.h | 30 ++ include/uapi/linux/iio/buffer.h | 22 + 11 files changed, 891 insertions(+), 17 deletions(-) create mode 100644 Documentation/iio/iio_dmabuf_api.rst -- 2.43.0

1 year, 8 months

4
12
0 0

Re: [PATCH] dmabuf: fix dmabuf file poll uaf issue

by Christian König

Am 02.04.24 um 08:49 schrieb zhiguojiang: >> As far as I can see that's not because of the DMA-buf code, but >> because you are somehow using this interface incorrectly. >> >> When dma_buf_poll() is called it is mandatory for the caller to hold >> a reference to the file descriptor on which the poll operation is >> executed. >> >> So adding code like "if (!file_count(file))" in the beginning of >> dma_buf_poll() is certainly broken. >> >> My best guess is that you have some unbalanced >> dma_buf_get()/dma_buf_put() somewhere instead. >> >> > Hi Christian, > > The kernel dma_buf_poll() code shound not cause system crashes due to > the user mode usage logical issues ? What user mode logical issues are you talking about? Closing a file while polling on it is perfectly valid. dma_buf_poll() is called by the filesystem layer and it's the filesystem layer which should make sure that a file can't be closed while polling for an event. If that doesn't work then you have stumbled over a massive bug in the fs layer. And I have some doubts that this is actually the case. What is more likely is that some driver messes up the reference count and because of this you see an UAF. Anyway as far as I can see the DMA-buf code is correct regarding this. Regards, Christian. > > Thanks > > > 在 2024/4/1 20:22, Christian König 写道: >> Am 27.03.24 um 03:29 schrieb Zhiguo Jiang: >>> The issue is a UAF issue of dmabuf file fd. Throght debugging, we found >>> that the dmabuf file fd is added to the epoll event listener list, and >>> when it is released, it is not removed from the epoll list, which leads >>> to the UAF(Use-After-Free) issue. >> >> As far as I can see that's not because of the DMA-buf code, but >> because you are somehow using this interface incorrectly. >> >> When dma_buf_poll() is called it is mandatory for the caller to hold >> a reference to the file descriptor on which the poll operation is >> executed. >> >> So adding code like "if (!file_count(file))" in the beginning of >> dma_buf_poll() is certainly broken. >> >> My best guess is that you have some unbalanced >> dma_buf_get()/dma_buf_put() somewhere instead. >> >> Regards, >> Christian. >> >>> >>> The UAF issue can be solved by checking dmabuf file->f_count value and >>> skipping the poll operation for the closed dmabuf file in the >>> dma_buf_poll(). We have tested this solved patch multiple times and >>> have not reproduced the uaf issue. >>> >>> crash dump: >>> list_del corruption, ffffff8a6f143a90->next is LIST_POISON1 >>> (dead000000000100) >>> ------------[ cut here ]------------ >>> kernel BUG at lib/list_debug.c:55! >>> Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP >>> pc : __list_del_entry_valid+0x98/0xd4 >>> lr : __list_del_entry_valid+0x98/0xd4 >>> sp : ffffffc01d413d00 >>> x29: ffffffc01d413d00 x28: 00000000000000c0 x27: 0000000000000020 >>> x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000080007 >>> x23: ffffff8b22e5dcc0 x22: ffffff88a6be12d0 x21: ffffff8b22e572b0 >>> x20: ffffff80254ed0a0 x19: ffffff8a6f143a00 x18: ffffffda5efed3c0 >>> x17: 6165642820314e4f x16: 53494f505f545349 x15: 4c20736920747865 >>> x14: 6e3e2d3039613334 x13: 2930303130303030 x12: 0000000000000018 >>> x11: ffffff8b6c188000 x10: 00000000ffffffff x9 : 6c8413a194897b00 >>> x8 : 6c8413a194897b00 x7 : 74707572726f6320 x6 : 6c65645f7473696c >>> x5 : ffffff8b6c3b2a3e x4 : ffffff8b6c3b2a40 x3 : ffff103000001005 >>> x2 : 0000000000000001 x1 : 00000000000000c0 x0 : 000000000000004e >>> Call trace: >>> __list_del_entry_valid+0x98/0xd4 >>> dma_buf_file_release+0x48/0x90 >>> __fput+0xf4/0x280 >>> ____fput+0x10/0x20 >>> task_work_run+0xcc/0xf4 >>> do_notify_resume+0x2a0/0x33c >>> el0_svc+0x5c/0xa4 >>> el0t_64_sync_handler+0x68/0xb4 >>> el0t_64_sync+0x1a0/0x1a4 >>> Code: d0006fe0 912c5000 f2fbd5a2 94231a01 (d4210000) >>> ---[ end trace 0000000000000000 ]--- >>> Kernel panic - not syncing: Oops - BUG: Fatal exception >>> SMP: stopping secondary CPUs >>> >>> Signed-off-by: Zhiguo Jiang <justinjiang(a)vivo.com> >>> --- >>> drivers/dma-buf/dma-buf.c | 28 ++++++++++++++++++++++++---- >>> 1 file changed, 24 insertions(+), 4 deletions(-) >>> mode change 100644 => 100755 drivers/dma-buf/dma-buf.c >>> >>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>> index 8fe5aa67b167..e469dd9288cc >>> --- a/drivers/dma-buf/dma-buf.c >>> +++ b/drivers/dma-buf/dma-buf.c >>> @@ -240,6 +240,10 @@ static __poll_t dma_buf_poll(struct file *file, >>> poll_table *poll) >>> struct dma_resv *resv; >>> __poll_t events; >>> + /* Check if the file exists */ >>> + if (!file_count(file)) >>> + return EPOLLERR; >>> + >>> dmabuf = file->private_data; >>> if (!dmabuf || !dmabuf->resv) >>> return EPOLLERR; >>> @@ -266,8 +270,15 @@ static __poll_t dma_buf_poll(struct file *file, >>> poll_table *poll) >>> spin_unlock_irq(&dmabuf->poll.lock); >>> if (events & EPOLLOUT) { >>> - /* Paired with fput in dma_buf_poll_cb */ >>> - get_file(dmabuf->file); >>> + /* >>> + * Paired with fput in dma_buf_poll_cb, >>> + * Skip poll for the closed file. >>> + */ >>> + if (!get_file_rcu(&dmabuf->file)) { >>> + events &= ~EPOLLOUT; >>> + dcb->active = 0; >>> + goto clear_out_event; >>> + } >>> if (!dma_buf_poll_add_cb(resv, true, dcb)) >>> /* No callback queued, wake up any other waiters */ >>> @@ -277,6 +288,7 @@ static __poll_t dma_buf_poll(struct file *file, >>> poll_table *poll) >>> } >>> } >>> +clear_out_event: >>> if (events & EPOLLIN) { >>> struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_in; >>> @@ -289,8 +301,15 @@ static __poll_t dma_buf_poll(struct file >>> *file, poll_table *poll) >>> spin_unlock_irq(&dmabuf->poll.lock); >>> if (events & EPOLLIN) { >>> - /* Paired with fput in dma_buf_poll_cb */ >>> - get_file(dmabuf->file); >>> + /* >>> + * Paired with fput in dma_buf_poll_cb, >>> + * Skip poll for the closed file. >>> + */ >>> + if (!get_file_rcu(&dmabuf->file)) { >>> + events &= ~EPOLLIN; >>> + dcb->active = 0; >>> + goto clear_in_event; >>> + } >>> if (!dma_buf_poll_add_cb(resv, false, dcb)) >>> /* No callback queued, wake up any other waiters */ >>> @@ -300,6 +319,7 @@ static __poll_t dma_buf_poll(struct file *file, >>> poll_table *poll) >>> } >>> } >>> +clear_in_event: >>> dma_resv_unlock(resv); >>> return events; >>> } >> >

1 year, 8 months

2
1
0 0

Re: [PATCH] dma-buf: Do not build debugfs related code when !CONFIG_DEBUG_FS

by Christian König

Am 01.04.24 um 14:39 schrieb Tvrtko Ursulin: > > On 29/03/2024 00:00, T.J. Mercier wrote: >> On Thu, Mar 28, 2024 at 7:53 AM Tvrtko Ursulin <tursulin(a)igalia.com> >> wrote: >>> >>> From: Tvrtko Ursulin <tursulin(a)ursulin.net> >>> >>> There is no point in compiling in the list and mutex operations >>> which are >>> only used from the dma-buf debugfs code, if debugfs is not compiled in. >>> >>> Put the code in questions behind some kconfig guards and so save >>> some text >>> and maybe even a pointer per object at runtime when not enabled. >>> >>> Signed-off-by: Tvrtko Ursulin <tursulin(a)ursulin.net> >> >> Reviewed-by: T.J. Mercier <tjmercier(a)google.com> > > Thanks! > > How would patches to dma-buf be typically landed? Via what tree I > mean? drm-misc-next? That should go through drm-misc-next. And feel free to add Reviewed-by: Christian König <christian.koenig(a)amd.com> as well. Regards, Christian. > > Regards, > > Tvrtko

1 year, 8 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig