- Linaro-mm-sig - lists.linaro.org

[PATCH 22/27] kbuild, dma-buf: heaps: remove MODULE_LICENSE in non-modules

by Nick Alcock

Since commit 8b41fc4454e ("kbuild: create modules.builtin without Makefile.modbuiltin or tristate.conf"), MODULE_LICENSE declarations are used to identify modules. As a consequence, uses of the macro in non-modules will cause modprobe to misidentify their containing object file as a module when it is not (false positives), and modprobe might succeed rather than failing with a suitable error message. So remove it in the files in this commit, none of which can be built as modules. Signed-off-by: Nick Alcock <nick.alcock(a)oracle.com> Suggested-by: Luis Chamberlain <mcgrof(a)kernel.org> Cc: Luis Chamberlain <mcgrof(a)kernel.org> Cc: linux-modules(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: Hitomi Hasegawa <hasegawa-hitomi(a)fujitsu.com> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: "Christian König" <christian.koenig(a)amd.com> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org --- drivers/dma-buf/heaps/cma_heap.c | 1 - drivers/dma-buf/heaps/system_heap.c | 1 - 2 files changed, 2 deletions(-) diff --git a/drivers/dma-buf/heaps/cma_heap.c b/drivers/dma-buf/heaps/cma_heap.c index 1131fb943992..a7f048048864 100644 --- a/drivers/dma-buf/heaps/cma_heap.c +++ b/drivers/dma-buf/heaps/cma_heap.c @@ -407,4 +407,3 @@ static int add_default_cma_heap(void) } module_init(add_default_cma_heap); MODULE_DESCRIPTION("DMA-BUF CMA Heap"); -MODULE_LICENSE("GPL v2"); diff --git a/drivers/dma-buf/heaps/system_heap.c b/drivers/dma-buf/heaps/system_heap.c index e8bd10e60998..79c03f5b4e28 100644 --- a/drivers/dma-buf/heaps/system_heap.c +++ b/drivers/dma-buf/heaps/system_heap.c @@ -440,4 +440,3 @@ static int system_heap_create(void) return 0; } module_init(system_heap_create); -MODULE_LICENSE("GPL v2"); -- 2.39.1.268.g9de2f9a303

2 years, 11 months

1
0
0 0

[PATCH v5 00/14] dma-fence: Deadline awareness

by Rob Clark

From: Rob Clark <robdclark(a)chromium.org> This series adds a deadline hint to fences, so realtime deadlines such as vblank can be communicated to the fence signaller for power/ frequency management decisions. This is partially inspired by a trick i915 does, but implemented via dma-fence for a couple of reasons: 1) To continue to be able to use the atomic helpers 2) To support cases where display and gpu are different drivers This iteration adds a dma-fence ioctl to set a deadline (both to support igt-tests, and compositors which delay decisions about which client buffer to display), and a sw_sync ioctl to read back the deadline. IGT tests utilizing these can be found at: https://gitlab.freedesktop.org/robclark/igt-gpu-tools/-/commits/fence-deadl… v1: https://patchwork.freedesktop.org/series/93035/ v2: Move filtering out of later deadlines to fence implementation to avoid increasing the size of dma_fence v3: Add support in fence-array and fence-chain; Add some uabi to support igt tests and userspace compositors. v4: Rebase, address various comments, and add syncobj deadline support, and sync_file EPOLLPRI based on experience with perf/ freq issues with clvk compute workloads on i915 (anv) v5: Clarify that this is a hint as opposed to a more hard deadline guarantee, switch to using u64 ns values in UABI (still absolute CLOCK_MONOTONIC values), drop syncobj related cap and driver feature flag in favor of allowing count_handles==0 for probing kernel support. Rob Clark (14): dma-buf/dma-fence: Add deadline awareness dma-buf/fence-array: Add fence deadline support dma-buf/fence-chain: Add fence deadline support dma-buf/dma-resv: Add a way to set fence deadline dma-buf/sync_file: Add SET_DEADLINE ioctl dma-buf/sync_file: Support (E)POLLPRI dma-buf/sw_sync: Add fence deadline support drm/scheduler: Add fence deadline support drm/syncobj: Add deadline support for syncobj waits drm/vblank: Add helper to get next vblank time drm/atomic-helper: Set fence deadline for vblank drm/msm: Add deadline based boost support drm/msm: Add wait-boost support drm/i915: Add deadline based boost support drivers/dma-buf/dma-fence-array.c | 11 ++++ drivers/dma-buf/dma-fence-chain.c | 13 +++++ drivers/dma-buf/dma-fence.c | 21 +++++++ drivers/dma-buf/dma-resv.c | 22 ++++++++ drivers/dma-buf/sw_sync.c | 58 +++++++++++++++++++ drivers/dma-buf/sync_debug.h | 2 + drivers/dma-buf/sync_file.c | 27 +++++++++ drivers/gpu/drm/drm_atomic_helper.c | 36 ++++++++++++ drivers/gpu/drm/drm_syncobj.c | 59 +++++++++++++++----- drivers/gpu/drm/drm_vblank.c | 32 +++++++++++ drivers/gpu/drm/i915/i915_request.c | 20 +++++++ drivers/gpu/drm/msm/msm_drv.c | 12 ++-- drivers/gpu/drm/msm/msm_fence.c | 74 +++++++++++++++++++++++++ drivers/gpu/drm/msm/msm_fence.h | 20 +++++++ drivers/gpu/drm/msm/msm_gem.c | 5 ++ drivers/gpu/drm/scheduler/sched_fence.c | 46 +++++++++++++++ drivers/gpu/drm/scheduler/sched_main.c | 2 +- include/drm/drm_vblank.h | 1 + include/drm/gpu_scheduler.h | 8 +++ include/linux/dma-fence.h | 20 +++++++ include/linux/dma-resv.h | 2 + include/uapi/drm/drm.h | 5 ++ include/uapi/drm/msm_drm.h | 14 ++++- include/uapi/linux/sync_file.h | 23 ++++++++ 24 files changed, 513 insertions(+), 20 deletions(-) -- 2.39.1

2 years, 11 months

1
10
0 0

KMSAN: uninit-value in __dma_map_sg_attrs

by Dipanjan Das

Hi, We would like to report the following bug which has been found by our modified version of syzkaller. ====================================================== description: KMSAN: uninit-value in __dma_map_sg_attrs affected file: kernel/dma/mapping.c kernel version: 6.2.0-rc5 kernel commit: 41c66f47061608dc1fd493eebce198f0e74cc2d7 git tree: kmsan kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=a9a22da1efde3af6 crash reproducer: attached ====================================================== Crash log: ====================================================== BUG: KMSAN: uninit-value in __dma_map_sg_attrs+0x1f3/0x2e0 kernel/dma/mapping.c:200 __dma_map_sg_attrs+0x1f3/0x2e0 kernel/dma/mapping.c:200 dma_map_sg_attrs+0x4a/0x60 kernel/dma/mapping.c:232 ata_sg_setup drivers/ata/libata-core.c:4544 [inline] ata_qc_issue+0x958/0x1480 drivers/ata/libata-core.c:4845 ata_scsi_translate drivers/ata/libata-scsi.c:1745 [inline] __ata_scsi_queuecmd+0x161c/0x16c0 drivers/ata/libata-scsi.c:4023 ata_scsi_queuecmd+0x86d/0x970 drivers/ata/libata-scsi.c:4068 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1517 [inline] scsi_queue_rq+0x478f/0x55c0 drivers/scsi/scsi_lib.c:1758 blk_mq_dispatch_rq_list+0x13e9/0x40f0 block/blk-mq.c:2056 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:173 [inline] blk_mq_do_dispatch_sched+0xd97/0x1630 block/blk-mq-sched.c:187 __blk_mq_sched_dispatch_requests+0x495/0x620 blk_mq_sched_dispatch_requests+0x146/0x2b0 block/blk-mq-sched.c:339 __blk_mq_run_hw_queue+0xf7/0x310 block/blk-mq.c:2174 __blk_mq_delay_run_hw_queue+0x13c/0x6b0 block/blk-mq.c:2250 blk_mq_run_hw_queue+0x527/0x850 block/blk-mq.c:2298 blk_mq_sched_insert_requests+0x50f/0x7d0 block/blk-mq-sched.c:493 blk_mq_dispatch_plug_list block/blk-mq.c:2758 [inline] blk_mq_flush_plug_list+0x752/0x1300 block/blk-mq.c:2800 __blk_flush_plug+0x600/0x680 block/blk-core.c:1137 blk_finish_plug+0x71/0x90 block/blk-core.c:1161 ext4_do_writepages+0x5c84/0x6e40 fs/ext4/inode.c:2928 ext4_writepages+0x2bc/0x660 fs/ext4/inode.c:2965 do_writepages+0x475/0x930 mm/page-writeback.c:2581 filemap_fdatawrite_wbc+0x1c4/0x260 mm/filemap.c:388 __filemap_fdatawrite_range mm/filemap.c:421 [inline] file_write_and_wait_range+0x22f/0x410 mm/filemap.c:777 ext4_sync_file+0x1ef/0x15b0 fs/ext4/fsync.c:151 vfs_fsync_range+0x1ee/0x240 fs/sync.c:188 generic_write_sync include/linux/fs.h:2885 [inline] ext4_buffered_write_iter+0xaa3/0xb90 fs/ext4/file.c:292 ext4_file_write_iter+0xc9c/0x3350 do_iter_write+0x645/0x12e0 fs/read_write.c:861 vfs_writev+0x307/0x750 fs/read_write.c:934 do_pwritev fs/read_write.c:1031 [inline] __do_sys_pwritev2 fs/read_write.c:1090 [inline] __se_sys_pwritev2+0x275/0x480 fs/read_write.c:1081 __x64_sys_pwritev2+0xe0/0x140 fs/read_write.c:1081 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: __alloc_pages+0x767/0xee0 mm/page_alloc.c:5572 alloc_pages+0xa9a/0xd90 mm/mempolicy.c:2286 folio_alloc+0x41/0x100 mm/mempolicy.c:2296 filemap_alloc_folio+0xa5/0x450 mm/filemap.c:972 __filemap_get_folio+0xe7c/0x1960 mm/filemap.c:1966 pagecache_get_page+0x46/0x270 mm/folio-compat.c:98 grab_cache_page_write_begin+0x51/0x70 mm/folio-compat.c:110 ext4_write_begin+0x3d8/0x31d0 fs/ext4/inode.c:1194 ext4_da_write_begin+0x5f4/0x11c0 fs/ext4/inode.c:3058 generic_perform_write+0x376/0xc50 mm/filemap.c:3772 ext4_buffered_write_iter+0x583/0xb90 fs/ext4/file.c:285 ext4_file_write_iter+0xc9c/0x3350 do_iter_write+0x645/0x12e0 fs/read_write.c:861 vfs_writev+0x307/0x750 fs/read_write.c:934 do_pwritev fs/read_write.c:1031 [inline] __do_sys_pwritev2 fs/read_write.c:1090 [inline] __se_sys_pwritev2+0x275/0x480 fs/read_write.c:1081 __x64_sys_pwritev2+0xe0/0x140 fs/read_write.c:1081 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Bytes 0-1279 of 4096 are uninitialized Memory access of size 4096 starts at ffff8880324c6000 CPU: 0 PID: 24178 Comm: syz-executor.4 Not tainted 6.2.0-rc5-00010-g41c66f470616 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 -- Thanks and Regards, Dipanjan

2 years, 12 months

1
0
0 0

[PATCH] dma-buf: make kobj_type structure constant

by Thomas Weißschuh

Since commit ee6d3dd4ed48 ("driver core: make kobj_type constant.") the driver core allows the usage of const struct kobj_type. Take advantage of this to constify the structure definition to prevent modification at runtime. Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- drivers/dma-buf/dma-buf-sysfs-stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/dma-buf-sysfs-stats.c b/drivers/dma-buf/dma-buf-sysfs-stats.c index fbf725fae7c1..6cfbbf0720bd 100644 --- a/drivers/dma-buf/dma-buf-sysfs-stats.c +++ b/drivers/dma-buf/dma-buf-sysfs-stats.c @@ -112,7 +112,7 @@ static void dma_buf_sysfs_release(struct kobject *kobj) kfree(sysfs_entry); } -static struct kobj_type dma_buf_ktype = { +static const struct kobj_type dma_buf_ktype = { .sysfs_ops = &dma_buf_stats_sysfs_ops, .release = dma_buf_sysfs_release, .default_groups = dma_buf_stats_default_groups, --- base-commit: 3ac88fa4605ec98e545fb3ad0154f575fda2de5f change-id: 20230217-kobj_type-dma-buf-a2ea6a8a1de3 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

2 years, 12 months

2
1
0 0

[PATCH v2 0/1] tee: Add tee_shm_register_fd

by Olivier Masse

Add a new ioctl called TEE_IOC_SHM_REGISTER_FD to register a shared memory from a dmabuf file descriptor. This new ioctl will allow the Linux Kernel to register a buffer to be used by the Secure Data Path OPTEE OS feature. Please find more information here: https://static.linaro.org/connect/san19/presentations/san19-107.pdf Patch tested on Hikey 6220. Etienne Carriere (1): tee: new ioctl to a register tee_shm from a dmabuf file descriptor drivers/tee/tee_core.c | 38 +++++++++++++++ drivers/tee/tee_shm.c | 99 +++++++++++++++++++++++++++++++++++++++- include/linux/tee_drv.h | 11 +++++ include/uapi/linux/tee.h | 29 ++++++++++++ 4 files changed, 175 insertions(+), 2 deletions(-) -- 2.25.0

3 years

9
24
0 0

[PATCH] Fix drm documentation warning

by Taichi Nishimura

Sorry to re-send this patch again. I forgot to attach description. When running make htmldocs, I found that drm_accel_node does not exist. The documents do not have any links to acceleration nodes, so I removed them. This patch is an extra credit for documentation task in the Linux kernel Bug Fixing Spring unpaid 2023. Best, Taichi Signed-off-by: Taichi Nishimura <awkrail01(a)gmail.com> --- include/drm/drm_file.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/drm/drm_file.h b/include/drm/drm_file.h index 0d1f853092ab..cffccf6b94de 100644 --- a/include/drm/drm_file.h +++ b/include/drm/drm_file.h @@ -407,8 +407,6 @@ static inline bool drm_is_render_client(const struct drm_file *file_priv) * * Returns true if this is an open file of the compute acceleration node, i.e. * &drm_file.minor of @file_priv is a accel minor. - * - * See also the :ref:`section on accel nodes <drm_accel_node>`. */ static inline bool drm_is_accel_client(const struct drm_file *file_priv) { -- 2.25.1

3 years

1
0
0 0

[PATCH] Fix drm documentation warning

by Taichi Nishimura

Signed-off-by: Taichi Nishimura <awkrail01(a)gmail.com> --- include/drm/drm_file.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/drm/drm_file.h b/include/drm/drm_file.h index 0d1f853092ab..cffccf6b94de 100644 --- a/include/drm/drm_file.h +++ b/include/drm/drm_file.h @@ -407,8 +407,6 @@ static inline bool drm_is_render_client(const struct drm_file *file_priv) * * Returns true if this is an open file of the compute acceleration node, i.e. * &drm_file.minor of @file_priv is a accel minor. - * - * See also the :ref:`section on accel nodes <drm_accel_node>`. */ static inline bool drm_is_accel_client(const struct drm_file *file_priv) { -- 2.25.1

3 years

1
0
0 0

[PATCH v2 0/4] Track exported dma-buffers with memcg

by T.J. Mercier

Based on discussions at LPC, this series adds a memory.stat counter for exported dmabufs. This counter allows us to continue tracking system-wide total exported buffer sizes which there is no longer any way to get without DMABUF_SYSFS_STATS, and adds a new capability to track per-cgroup exported buffer sizes. The total (root counter) is helpful for accounting in-kernel dmabuf use (by comparing with the sum of child nodes or with the sum of sizes of mapped buffers or FD references in procfs) in addition to helping identify driver memory leaks when in-kernel use continually increases over time. With per-application cgroups, the per-cgroup counter allows us to quickly see how much dma-buf memory an application has caused to be allocated. This avoids the need to read through all of procfs which can be a lengthy process, and causes the charge to "stick" to the allocating process/cgroup as long as the buffer is alive, regardless of how the buffer is shared (unless the charge is transferred). The first patch adds the counter to memcg. The next two patches allow the charge for a buffer to be transferred across cgroups which is necessary because of the way most dmabufs are allocated from a central process on Android. The fourth patch adds the binder object flags to the existing selinux_binder_transfer_file LSM hook and a SELinux permission for charge transfers. [1] https://lore.kernel.org/all/20220617085702.4298-1-christian.koenig@amd.com/ v2: Actually charge memcg vs just mutate the stat counter per Shakeel Butt and Michal Hocko. Shakeel pointed me at the skmem functions which turned out to be very similar to how I was thinking the dmabuf tracking should work. So I've added a pair of dmabuf functions that do essentially the same thing, except conditionally implemented behind CONFIG_MEMCG alongside the other charge/uncharge functions. Drop security_binder_transfer_charge per Casey Schaufler and Paul Moore Drop BINDER_FDA_FLAG_XFER_CHARGE (and fix commit message) per Carlos Llamas Don't expose is_dma_buf_file for use by binder per Hillf Danton Call dma_buf_stats_teardown in dma_buf_export error handling Rebase onto v6.2-rc5 Hridya Valsaraju (1): binder: Add flags to relinquish ownership of fds T.J. Mercier (3): memcg: Track exported dma-buffers dmabuf: Add cgroup charge transfer function security: binder: Add binder object flags to selinux_binder_transfer_file Documentation/admin-guide/cgroup-v2.rst | 5 ++ drivers/android/binder.c | 27 ++++++++-- drivers/dma-buf/dma-buf.c | 69 +++++++++++++++++++++++++ include/linux/dma-buf.h | 4 ++ include/linux/lsm_hook_defs.h | 2 +- include/linux/lsm_hooks.h | 5 +- include/linux/memcontrol.h | 43 +++++++++++++++ include/linux/security.h | 6 ++- include/uapi/linux/android/binder.h | 19 +++++-- mm/memcontrol.c | 19 +++++++ security/security.c | 4 +- security/selinux/hooks.c | 13 ++++- security/selinux/include/classmap.h | 2 +- 13 files changed, 201 insertions(+), 17 deletions(-) base-commit: 2241ab53cbb5cdb08a6b2d4688feb13971058f65 -- 2.39.0.246.g2a6d74b583-goog

3 years

4
18
0 0

[PATCH] dma-buf: Add "dma-buf" to title of documentation

by Jonathan Neuschäfer

To make it easier to find the dma-buf documentation when looking through tables-of-contents etc., put the name "dma-buf" in the title. Signed-off-by: Jonathan Neuschäfer <j.neuschaefer(a)gmx.net> --- Documentation/driver-api/dma-buf.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 622b8156d2127..61b6f42ed0f18 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -1,5 +1,5 @@ -Buffer Sharing and Synchronization -================================== +Buffer Sharing and Synchronization (dma-buf) +============================================ The dma-buf subsystem provides the framework for sharing buffers for hardware (DMA) access across multiple device drivers and subsystems, and -- 2.39.0

3 years

2
1
0 0

DMA-heap driver hints

by Christian König

Hi guys, this is just an RFC! The last time we discussed the DMA-buf coherency problem [1] we concluded that DMA-heap first needs a better way to communicate to userspace which heap to use for a certain device. As far as I know userspace currently just hard codes that information which is certainly not desirable considering that we should have this inside the kernel as well. So what those two patches here do is to first add some dma_heap_create_device_link() and dma_heap_remove_device_link() function and then demonstrating the functionality with uvcvideo driver. The preferred DMA-heap is represented with a symlink in sysfs between the device and the virtual DMA-heap device node. What's still missing is certainly matching userspace for this since I wanted to discuss the initial kernel approach first. Please take a look and comment. Thanks, Christian. [1] https://lore.kernel.org/all/11a6f97c-e45f-f24b-8a73-48d5a388a2cc@gmail.com/…

3 years

7
17
0 0

[PATCH 10/15] serial: ambarella: add support for Ambarella uart_port

by lchen＠ambarella.com

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

3 years

3
3
0 0

[PATCH 0/4] Track exported dma-buffers with memcg

by T.J. Mercier

Based on discussions at LPC, this series adds a memory.stat counter for exported dmabufs. This counter allows us to continue tracking system-wide total exported buffer sizes which there is no longer any way to get without DMABUF_SYSFS_STATS, and adds a new capability to track per-cgroup exported buffer sizes. The total (root counter) is helpful for accounting in-kernel dmabuf use (by comparing with the sum of child nodes or with the sum of sizes of mapped buffers or FD references in procfs) in addition to helping identify driver memory leaks when in-kernel use continually increases over time. With per-application cgroups, the per-cgroup counter allows us to quickly see how much dma-buf memory an application has caused to be allocated. This avoids the need to read through all of procfs which can be a lengthy process, and causes the charge to "stick" to the allocating process/cgroup as long as the buffer is alive, regardless of how the buffer is shared (unless the charge is transferred). The first patch adds the counter to memcg. The next two patches allow the charge for a buffer to be transferred across cgroups which is necessary because of the way most dmabufs are allocated from a central process on Android. The fourth patch adds a SELinux hook to binder in order to control who is allowed to transfer buffer charges. [1] https://lore.kernel.org/all/20220617085702.4298-1-christian.koenig@amd.com/ Hridya Valsaraju (1): binder: Add flags to relinquish ownership of fds T.J. Mercier (3): memcg: Track exported dma-buffers dmabuf: Add cgroup charge transfer function security: binder: Add transfer_charge SElinux hook Documentation/admin-guide/cgroup-v2.rst | 5 +++ drivers/android/binder.c | 36 +++++++++++++++-- drivers/dma-buf/dma-buf.c | 54 +++++++++++++++++++++++-- include/linux/dma-buf.h | 5 +++ include/linux/lsm_hook_defs.h | 2 + include/linux/lsm_hooks.h | 6 +++ include/linux/memcontrol.h | 7 ++++ include/linux/security.h | 2 + include/uapi/linux/android/binder.h | 23 +++++++++-- mm/memcontrol.c | 4 ++ security/security.c | 6 +++ security/selinux/hooks.c | 9 +++++ security/selinux/include/classmap.h | 2 +- 13 files changed, 149 insertions(+), 12 deletions(-) base-commit: b7bfaa761d760e72a969d116517eaa12e404c262 -- 2.39.0.314.g84b9a713c41-goog

3 years

6
14
0 0

[PATCH v2] drm/msm: Add missing check and destroy for alloc_ordered_workqueue

by Jiasheng Jiang

Add check for the return value of alloc_ordered_workqueue as it may return NULL pointer. Moreover, use the destroy_workqueue in the later fails in order to avoid memory leak. Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- Changelog: v1 -> v2: 1. Convert "goto err_destroy_workqueue" into "goto err_msm_unit" and remove "err_destroy_workqueue" label. --- drivers/gpu/drm/msm/msm_drv.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index 8b0b0ac74a6f..54be323ed33d 100644 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c @@ -418,6 +418,8 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) priv->dev = ddev; priv->wq = alloc_ordered_workqueue("msm", 0); + if (!priv->wq) + return -ENOMEM; INIT_LIST_HEAD(&priv->objects); mutex_init(&priv->obj_lock); @@ -440,12 +442,12 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) ret = msm_init_vram(ddev); if (ret) - return ret; + goto err_msm_uninit; /* Bind all our sub-components: */ ret = component_bind_all(dev, ddev); if (ret) - return ret; + goto err_msm_uninit; dma_set_max_seg_size(dev, UINT_MAX); -- 2.25.1

3 years

2
2
0 0

[PATCH] drm/msm/gem: Add check for kmalloc

by Jiasheng Jiang

Add the check for the return value of kmalloc in order to avoid NULL pointer dereference in copy_from_user. Fixes: 20224d715a88 ("drm/msm/submit: Move copy_from_user ahead of locking bos") Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- drivers/gpu/drm/msm/msm_gem_submit.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 45a3e5cadc7d..7c2cc1262c05 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -209,6 +209,10 @@ static int submit_lookup_cmds(struct msm_gem_submit *submit, goto out; } submit->cmd[i].relocs = kmalloc(sz, GFP_KERNEL); + if (!submit->cmd[i].relocs) { + ret = -ENOMEM; + goto out; + } ret = copy_from_user(submit->cmd[i].relocs, userptr, sz); if (ret) { ret = -EFAULT; -- 2.25.1

3 years

2
2
0 0

[PATCH RESEND] drm/msm: Add missing check and destroy for alloc_ordered_workqueue

by Jiasheng Jiang

Add check for the return value of alloc_ordered_workqueue as it may return NULL pointer. Moreover, use the destroy_workqueue in the later fails in order to avoid memory leak. Fixes: c8afe684c95c ("drm/msm: basic KMS driver for snapdragon") Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- drivers/gpu/drm/msm/msm_drv.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index 8b0b0ac74a6f..b82d938226ad 100644 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c @@ -418,6 +418,8 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) priv->dev = ddev; priv->wq = alloc_ordered_workqueue("msm", 0); + if (!priv->wq) + return -ENOMEM; INIT_LIST_HEAD(&priv->objects); mutex_init(&priv->obj_lock); @@ -440,12 +442,12 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) ret = msm_init_vram(ddev); if (ret) - return ret; + goto err_destroy_workqueue; /* Bind all our sub-components: */ ret = component_bind_all(dev, ddev); if (ret) - return ret; + goto err_destroy_workqueue; dma_set_max_seg_size(dev, UINT_MAX); @@ -540,6 +542,8 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) err_msm_uninit: msm_drm_uninit(dev); +err_destroy_workqueue: + destroy_workqueue(priv->wq); return ret; } -- 2.25.1

3 years, 1 month

2
1
0 0

[PATCH] drm/msm: Add missing check and destroy for alloc_ordered_workqueue

by Jiasheng Jiang

Add check for the return value of alloc_ordered_workqueue as it may return NULL pointer. Moreover, use the destroy_workqueue in the later fails in order to avoid memory leak. Fixes: c8afe684c95c ("drm/msm: basic KMS driver for snapdragon") Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- drivers/gpu/drm/msm/msm_drv.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index 8b0b0ac74a6f..b82d938226ad 100644 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c @@ -418,6 +418,8 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) priv->dev = ddev; priv->wq = alloc_ordered_workqueue("msm", 0); + if (!priv->wq) + return -ENOMEM; INIT_LIST_HEAD(&priv->objects); mutex_init(&priv->obj_lock); @@ -440,12 +442,12 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) ret = msm_init_vram(ddev); if (ret) - return ret; + goto err_destroy_workqueue; /* Bind all our sub-components: */ ret = component_bind_all(dev, ddev); if (ret) - return ret; + goto err_destroy_workqueue; dma_set_max_seg_size(dev, UINT_MAX); @@ -540,6 +542,8 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) err_msm_uninit: msm_drm_uninit(dev); +err_destroy_workqueue: + destroy_workqueue(priv->wq); return ret; } -- 2.25.1

3 years, 1 month

2
1
0 0

Try to address the DMA-buf coherency problem

by Christian König

Hi guys, after finding that we essentially have two separate worlds for coherent sharing of buffer through DMA-buf I thought I will tackle that problem a bit and at least allow the framework to reject attachments which won't work. So those patches here add a new dma_coherent flag to each DMA-buf object telling the framework that dev_is_dma_coherent() needs to return true for an importing device to be able to attach. Since we should always have a fallback path this should give userspace the chance to still keep the use case working, either by doing a CPU copy instead or reversing the roles of exporter and importer. For DRM and most V4L2 devices I then fill in the dma_coherent flag based on the return value of dev_is_dma_coherent(). Exporting drivers are allowed to clear the flag for their buffers if special handling like the USWC flag in amdgpu or the uncached allocations for radeon/nouveau are in use. Additional to that importers can also check the flag if they have some non-snooping operations like the special scanout case for amdgpu for example. The patches are only smoke tested and the solution isn't ideal, but as far as I can see should at least keep things working. Please review and/or comment, Christian.

3 years, 1 month

12
60
0 0

[PATCH] dma-buf: fix dma_buf_export init order v2

by Christian König

The init order and resulting error handling in dma_buf_export was pretty messy. Subordinate objects like the file and the sysfs kernel objects were initializing and wiring itself up with the object in the wrong order resulting not only in complicating and partially incorrect error handling, but also in publishing only halve initialized DMA-buf objects. Clean this up thoughtfully by allocating the file independent of the DMA-buf object. Then allocate and initialize the DMA-buf object itself, before publishing it through sysfs. If everything works as expected the file is then connected with the DMA-buf object and publish it through debugfs. Also adds the missing dma_resv_fini() into the error handling. v2: add some missing changes to dma_bug_getfile() and a missing NULL check in dma_buf_file_release() Signed-off-by: Christian König <christian.koenig(a)amd.com> --- drivers/dma-buf/dma-buf-sysfs-stats.c | 7 +-- drivers/dma-buf/dma-buf-sysfs-stats.h | 4 +- drivers/dma-buf/dma-buf.c | 84 +++++++++++++-------------- 3 files changed, 43 insertions(+), 52 deletions(-) diff --git a/drivers/dma-buf/dma-buf-sysfs-stats.c b/drivers/dma-buf/dma-buf-sysfs-stats.c index 2bba0babcb62..4b680e10c15a 100644 --- a/drivers/dma-buf/dma-buf-sysfs-stats.c +++ b/drivers/dma-buf/dma-buf-sysfs-stats.c @@ -168,14 +168,11 @@ void dma_buf_uninit_sysfs_statistics(void) kset_unregister(dma_buf_stats_kset); } -int dma_buf_stats_setup(struct dma_buf *dmabuf) +int dma_buf_stats_setup(struct dma_buf *dmabuf, struct file *file) { struct dma_buf_sysfs_entry *sysfs_entry; int ret; - if (!dmabuf || !dmabuf->file) - return -EINVAL; - if (!dmabuf->exp_name) { pr_err("exporter name must not be empty if stats needed\n"); return -EINVAL; @@ -192,7 +189,7 @@ int dma_buf_stats_setup(struct dma_buf *dmabuf) /* create the directory for buffer stats */ ret = kobject_init_and_add(&sysfs_entry->kobj, &dma_buf_ktype, NULL, - "%lu", file_inode(dmabuf->file)->i_ino); + "%lu", file_inode(file)->i_ino); if (ret) goto err_sysfs_dmabuf; diff --git a/drivers/dma-buf/dma-buf-sysfs-stats.h b/drivers/dma-buf/dma-buf-sysfs-stats.h index a49c6e2650cc..7a8a995b75ba 100644 --- a/drivers/dma-buf/dma-buf-sysfs-stats.h +++ b/drivers/dma-buf/dma-buf-sysfs-stats.h @@ -13,7 +13,7 @@ int dma_buf_init_sysfs_statistics(void); void dma_buf_uninit_sysfs_statistics(void); -int dma_buf_stats_setup(struct dma_buf *dmabuf); +int dma_buf_stats_setup(struct dma_buf *dmabuf, struct file *file); void dma_buf_stats_teardown(struct dma_buf *dmabuf); #else @@ -25,7 +25,7 @@ static inline int dma_buf_init_sysfs_statistics(void) static inline void dma_buf_uninit_sysfs_statistics(void) {} -static inline int dma_buf_stats_setup(struct dma_buf *dmabuf) +static inline int dma_buf_stats_setup(struct dma_buf *dmabuf, struct file *file) { return 0; } diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index e6f36c014c4c..eb6b59363c4f 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -95,10 +95,11 @@ static int dma_buf_file_release(struct inode *inode, struct file *file) return -EINVAL; dmabuf = file->private_data; - - mutex_lock(&db_list.lock); - list_del(&dmabuf->list_node); - mutex_unlock(&db_list.lock); + if (dmabuf) { + mutex_lock(&db_list.lock); + list_del(&dmabuf->list_node); + mutex_unlock(&db_list.lock); + } return 0; } @@ -523,17 +524,17 @@ static inline int is_dma_buf_file(struct file *file) return file->f_op == &dma_buf_fops; } -static struct file *dma_buf_getfile(struct dma_buf *dmabuf, int flags) +static struct file *dma_buf_getfile(size_t size, int flags) { static atomic64_t dmabuf_inode = ATOMIC64_INIT(0); - struct file *file; struct inode *inode = alloc_anon_inode(dma_buf_mnt->mnt_sb); + struct file *file; if (IS_ERR(inode)) return ERR_CAST(inode); - inode->i_size = dmabuf->size; - inode_set_bytes(inode, dmabuf->size); + inode->i_size = size; + inode_set_bytes(inode, size); /* * The ->i_ino acquired from get_next_ino() is not unique thus @@ -547,8 +548,6 @@ static struct file *dma_buf_getfile(struct dma_buf *dmabuf, int flags) flags, &dma_buf_fops); if (IS_ERR(file)) goto err_alloc_file; - file->private_data = dmabuf; - file->f_path.dentry->d_fsdata = dmabuf; return file; @@ -614,19 +613,11 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) size_t alloc_size = sizeof(struct dma_buf); int ret; - if (!exp_info->resv) - alloc_size += sizeof(struct dma_resv); - else - /* prevent &dma_buf[1] == dma_buf->resv */ - alloc_size += 1; - - if (WARN_ON(!exp_info->priv - || !exp_info->ops - || !exp_info->ops->map_dma_buf - || !exp_info->ops->unmap_dma_buf - || !exp_info->ops->release)) { + if (WARN_ON(!exp_info->priv || !exp_info->ops + || !exp_info->ops->map_dma_buf + || !exp_info->ops->unmap_dma_buf + || !exp_info->ops->release)) return ERR_PTR(-EINVAL); - } if (WARN_ON(exp_info->ops->cache_sgt_mapping && (exp_info->ops->pin || exp_info->ops->unpin))) @@ -638,10 +629,21 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) if (!try_module_get(exp_info->owner)) return ERR_PTR(-ENOENT); + file = dma_buf_getfile(exp_info->size, exp_info->flags); + if (IS_ERR(file)) { + ret = PTR_ERR(file); + goto err_module; + } + + if (!exp_info->resv) + alloc_size += sizeof(struct dma_resv); + else + /* prevent &dma_buf[1] == dma_buf->resv */ + alloc_size += 1; dmabuf = kzalloc(alloc_size, GFP_KERNEL); if (!dmabuf) { ret = -ENOMEM; - goto err_module; + goto err_file; } dmabuf->priv = exp_info->priv; @@ -653,44 +655,36 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) init_waitqueue_head(&dmabuf->poll); dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll; dmabuf->cb_in.active = dmabuf->cb_out.active = 0; + mutex_init(&dmabuf->lock); + INIT_LIST_HEAD(&dmabuf->attachments); if (!resv) { - resv = (struct dma_resv *)&dmabuf[1]; - dma_resv_init(resv); + dmabuf->resv = (struct dma_resv *)&dmabuf[1]; + dma_resv_init(dmabuf->resv); + } else { + dmabuf->resv = resv; } - dmabuf->resv = resv; - file = dma_buf_getfile(dmabuf, exp_info->flags); - if (IS_ERR(file)) { - ret = PTR_ERR(file); + ret = dma_buf_stats_setup(dmabuf, file); + if (ret) goto err_dmabuf; - } + file->private_data = dmabuf; + file->f_path.dentry->d_fsdata = dmabuf; dmabuf->file = file; - mutex_init(&dmabuf->lock); - INIT_LIST_HEAD(&dmabuf->attachments); - mutex_lock(&db_list.lock); list_add(&dmabuf->list_node, &db_list.head); mutex_unlock(&db_list.lock); - ret = dma_buf_stats_setup(dmabuf); - if (ret) - goto err_sysfs; - return dmabuf; -err_sysfs: - /* - * Set file->f_path.dentry->d_fsdata to NULL so that when - * dma_buf_release() gets invoked by dentry_ops, it exits - * early before calling the release() dma_buf op. - */ - file->f_path.dentry->d_fsdata = NULL; - fput(file); err_dmabuf: + if (!resv) + dma_resv_fini(dmabuf->resv); kfree(dmabuf); +err_file: + fput(file); err_module: module_put(exp_info->owner); return ERR_PTR(ret); -- 2.34.1

3 years, 1 month

5
6
0 0

[PATCH v2] crypto: ccp - Allocate TEE ring and cmd buffer using DMA APIs

by Rijo Thomas

For AMD Secure Processor (ASP) to map and access TEE ring buffer, the ring buffer address sent by host to ASP must be a real physical address and the pages must be physically contiguous. In a virtualized environment though, when the driver is running in a guest VM, the pages allocated by __get_free_pages() may not be contiguous in the host (or machine) physical address space. Guests will see a guest (or pseudo) physical address and not the actual host (or machine) physical address. The TEE running on ASP cannot decipher pseudo physical addresses. It needs host or machine physical address. To resolve this problem, use DMA APIs for allocating buffers that must be shared with TEE. This will ensure that the pages are contiguous in host (or machine) address space. If the DMA handle is an IOVA, translate it into a physical address before sending it to ASP. This patch also exports two APIs (one for buffer allocation and another to free the buffer). This API can be used by AMD-TEE driver to share buffers with TEE. Fixes: 33960acccfbd ("crypto: ccp - add TEE support for Raven Ridge") Cc: Tom Lendacky <thomas.lendacky(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Rijo Thomas <Rijo-john.Thomas(a)amd.com> Co-developed-by: Jeshwanth <JESHWANTHKUMAR.NK(a)amd.com> Signed-off-by: Jeshwanth <JESHWANTHKUMAR.NK(a)amd.com> Reviewed-by: Devaraj Rangasamy <Devaraj.Rangasamy(a)amd.com> --- v2: * Removed references to dma_buffer. * If psp_init() fails, clear reference to master device. * Handle gfp flags within psp_tee_alloc_buffer() instead of passing it as a function argument. * Added comments within psp_tee_alloc_buffer() to serve as future documentation. drivers/crypto/ccp/psp-dev.c | 13 ++-- drivers/crypto/ccp/tee-dev.c | 124 +++++++++++++++++++++++------------ drivers/crypto/ccp/tee-dev.h | 9 +-- include/linux/psp-tee.h | 49 ++++++++++++++ 4 files changed, 142 insertions(+), 53 deletions(-) diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c index c9c741ac8442..380f5caaa550 100644 --- a/drivers/crypto/ccp/psp-dev.c +++ b/drivers/crypto/ccp/psp-dev.c @@ -161,13 +161,13 @@ int psp_dev_init(struct sp_device *sp) goto e_err; } - ret = psp_init(psp); - if (ret) - goto e_irq; - if (sp->set_psp_master_device) sp->set_psp_master_device(sp); + ret = psp_init(psp); + if (ret) + goto e_clear; + /* Enable interrupt */ iowrite32(-1, psp->io_regs + psp->vdata->inten_reg); @@ -175,7 +175,10 @@ int psp_dev_init(struct sp_device *sp) return 0; -e_irq: +e_clear: + if (sp->clear_psp_master_device) + sp->clear_psp_master_device(sp); + sp_free_psp_irq(psp->sp, psp); e_err: sp->psp_data = NULL; diff --git a/drivers/crypto/ccp/tee-dev.c b/drivers/crypto/ccp/tee-dev.c index 5c9d47f3be37..5c43e6e166f1 100644 --- a/drivers/crypto/ccp/tee-dev.c +++ b/drivers/crypto/ccp/tee-dev.c @@ -12,8 +12,9 @@ #include <linux/mutex.h> #include <linux/delay.h> #include <linux/slab.h> +#include <linux/dma-direct.h> +#include <linux/iommu.h> #include <linux/gfp.h> -#include <linux/psp-sev.h> #include <linux/psp-tee.h> #include "psp-dev.h" @@ -21,25 +22,73 @@ static bool psp_dead; +struct psp_tee_buffer *psp_tee_alloc_buffer(unsigned long size) +{ + struct psp_device *psp = psp_get_master_device(); + struct psp_tee_buffer *buf; + struct iommu_domain *dom; + + if (!psp || !size) + return NULL; + + buf = kzalloc(sizeof(*buf), GFP_KERNEL); + if (!buf) + return NULL; + + /* The pages allocated for PSP Trusted OS must be physically + * contiguous in host (or machine) address space. Therefore, + * use DMA API to allocate memory. + */ + + buf->vaddr = dma_alloc_coherent(psp->dev, size, &buf->dma, + GFP_KERNEL | __GFP_ZERO); + if (!buf->vaddr || !buf->dma) { + kfree(buf); + return NULL; + } + + buf->size = size; + + /* Check whether IOMMU is present. If present, convert IOVA to + * physical address. In the absence of IOMMU, the DMA address + * is actually the physical address. + */ + + dom = iommu_get_domain_for_dev(psp->dev); + if (dom) + buf->paddr = iommu_iova_to_phys(dom, buf->dma); + else + buf->paddr = buf->dma; + + return buf; +} +EXPORT_SYMBOL(psp_tee_alloc_buffer); + +void psp_tee_free_buffer(struct psp_tee_buffer *buf) +{ + struct psp_device *psp = psp_get_master_device(); + + if (!psp || !buf) + return; + + dma_free_coherent(psp->dev, buf->size, buf->vaddr, buf->dma); + + kfree(buf); +} +EXPORT_SYMBOL(psp_tee_free_buffer); + static int tee_alloc_ring(struct psp_tee_device *tee, int ring_size) { struct ring_buf_manager *rb_mgr = &tee->rb_mgr; - void *start_addr; if (!ring_size) return -EINVAL; - /* We need actual physical address instead of DMA address, since - * Trusted OS running on AMD Secure Processor will map this region - */ - start_addr = (void *)__get_free_pages(GFP_KERNEL, get_order(ring_size)); - if (!start_addr) + rb_mgr->ring_buf = psp_tee_alloc_buffer(ring_size); + if (!rb_mgr->ring_buf) { + dev_err(tee->dev, "ring allocation failed\n"); return -ENOMEM; - - memset(start_addr, 0x0, ring_size); - rb_mgr->ring_start = start_addr; - rb_mgr->ring_size = ring_size; - rb_mgr->ring_pa = __psp_pa(start_addr); + } mutex_init(&rb_mgr->mutex); return 0; @@ -49,15 +98,8 @@ static void tee_free_ring(struct psp_tee_device *tee) { struct ring_buf_manager *rb_mgr = &tee->rb_mgr; - if (!rb_mgr->ring_start) - return; - - free_pages((unsigned long)rb_mgr->ring_start, - get_order(rb_mgr->ring_size)); + psp_tee_free_buffer(rb_mgr->ring_buf); - rb_mgr->ring_start = NULL; - rb_mgr->ring_size = 0; - rb_mgr->ring_pa = 0; mutex_destroy(&rb_mgr->mutex); } @@ -81,35 +123,35 @@ static int tee_wait_cmd_poll(struct psp_tee_device *tee, unsigned int timeout, return -ETIMEDOUT; } -static -struct tee_init_ring_cmd *tee_alloc_cmd_buffer(struct psp_tee_device *tee) +static struct psp_tee_buffer *tee_alloc_cmd_buffer(struct psp_tee_device *tee) { + struct psp_tee_buffer *cmd_buffer; struct tee_init_ring_cmd *cmd; - cmd = kzalloc(sizeof(*cmd), GFP_KERNEL); - if (!cmd) + cmd_buffer = psp_tee_alloc_buffer(sizeof(*cmd)); + if (!cmd_buffer) return NULL; - cmd->hi_addr = upper_32_bits(tee->rb_mgr.ring_pa); - cmd->low_addr = lower_32_bits(tee->rb_mgr.ring_pa); - cmd->size = tee->rb_mgr.ring_size; + cmd = (struct tee_init_ring_cmd *)cmd_buffer->vaddr; + cmd->hi_addr = upper_32_bits(tee->rb_mgr.ring_buf->paddr); + cmd->low_addr = lower_32_bits(tee->rb_mgr.ring_buf->paddr); + cmd->size = tee->rb_mgr.ring_buf->size; dev_dbg(tee->dev, "tee: ring address: high = 0x%x low = 0x%x size = %u\n", cmd->hi_addr, cmd->low_addr, cmd->size); - return cmd; + return cmd_buffer; } -static inline void tee_free_cmd_buffer(struct tee_init_ring_cmd *cmd) +static inline void tee_free_cmd_buffer(struct psp_tee_buffer *cmd_buffer) { - kfree(cmd); + psp_tee_free_buffer(cmd_buffer); } static int tee_init_ring(struct psp_tee_device *tee) { int ring_size = MAX_RING_BUFFER_ENTRIES * sizeof(struct tee_ring_cmd); - struct tee_init_ring_cmd *cmd; - phys_addr_t cmd_buffer; + struct psp_tee_buffer *cmd_buffer; unsigned int reg; int ret; @@ -123,21 +165,19 @@ static int tee_init_ring(struct psp_tee_device *tee) tee->rb_mgr.wptr = 0; - cmd = tee_alloc_cmd_buffer(tee); - if (!cmd) { + cmd_buffer = tee_alloc_cmd_buffer(tee); + if (!cmd_buffer) { tee_free_ring(tee); return -ENOMEM; } - cmd_buffer = __psp_pa((void *)cmd); - /* Send command buffer details to Trusted OS by writing to * CPU-PSP message registers */ - iowrite32(lower_32_bits(cmd_buffer), + iowrite32(lower_32_bits(cmd_buffer->paddr), tee->io_regs + tee->vdata->cmdbuff_addr_lo_reg); - iowrite32(upper_32_bits(cmd_buffer), + iowrite32(upper_32_bits(cmd_buffer->paddr), tee->io_regs + tee->vdata->cmdbuff_addr_hi_reg); iowrite32(TEE_RING_INIT_CMD, tee->io_regs + tee->vdata->cmdresp_reg); @@ -157,7 +197,7 @@ static int tee_init_ring(struct psp_tee_device *tee) } free_buf: - tee_free_cmd_buffer(cmd); + tee_free_cmd_buffer(cmd_buffer); return ret; } @@ -167,7 +207,7 @@ static void tee_destroy_ring(struct psp_tee_device *tee) unsigned int reg; int ret; - if (!tee->rb_mgr.ring_start) + if (!tee->rb_mgr.ring_buf->vaddr) return; if (psp_dead) @@ -256,7 +296,7 @@ static int tee_submit_cmd(struct psp_tee_device *tee, enum tee_cmd_id cmd_id, do { /* Get pointer to ring buffer command entry */ cmd = (struct tee_ring_cmd *) - (tee->rb_mgr.ring_start + tee->rb_mgr.wptr); + (tee->rb_mgr.ring_buf->vaddr + tee->rb_mgr.wptr); rptr = ioread32(tee->io_regs + tee->vdata->ring_rptr_reg); @@ -305,7 +345,7 @@ static int tee_submit_cmd(struct psp_tee_device *tee, enum tee_cmd_id cmd_id, /* Update local copy of write pointer */ tee->rb_mgr.wptr += sizeof(struct tee_ring_cmd); - if (tee->rb_mgr.wptr >= tee->rb_mgr.ring_size) + if (tee->rb_mgr.wptr >= tee->rb_mgr.ring_buf->size) tee->rb_mgr.wptr = 0; /* Trigger interrupt to Trusted OS */ diff --git a/drivers/crypto/ccp/tee-dev.h b/drivers/crypto/ccp/tee-dev.h index 49d26158b71e..ee22d60177a2 100644 --- a/drivers/crypto/ccp/tee-dev.h +++ b/drivers/crypto/ccp/tee-dev.h @@ -16,6 +16,7 @@ #include <linux/device.h> #include <linux/mutex.h> +#include <linux/psp-tee.h> #define TEE_DEFAULT_TIMEOUT 10 #define MAX_BUFFER_SIZE 988 @@ -48,16 +49,12 @@ struct tee_init_ring_cmd { /** * struct ring_buf_manager - Helper structure to manage ring buffer. - * @ring_start: starting address of ring buffer - * @ring_size: size of ring buffer in bytes - * @ring_pa: physical address of ring buffer + * @ring_buf: ring buffer allocated for sharing with TEE * @wptr: index to the last written entry in ring buffer */ struct ring_buf_manager { struct mutex mutex; /* synchronizes access to ring buffer */ - void *ring_start; - u32 ring_size; - phys_addr_t ring_pa; + struct psp_tee_buffer *ring_buf; u32 wptr; }; diff --git a/include/linux/psp-tee.h b/include/linux/psp-tee.h index cb0c95d6d76b..670bb7877456 100644 --- a/include/linux/psp-tee.h +++ b/include/linux/psp-tee.h @@ -13,6 +13,7 @@ #include <linux/types.h> #include <linux/errno.h> +#include <linux/dma-mapping.h> /* This file defines the Trusted Execution Environment (TEE) interface commands * and the API exported by AMD Secure Processor driver to communicate with @@ -40,6 +41,22 @@ enum tee_cmd_id { TEE_CMD_ID_UNMAP_SHARED_MEM, }; +/** + * struct psp_tee_buffer - Structure that has buffer details of memory that can + * be shared with PSP TEE. + * + * @dma: DMA address of memory + * @paddr: Physical address of memory + * @vaddr: CPU virtual address of memory + * @size: Size of memory in bytes + */ +struct psp_tee_buffer { + dma_addr_t dma; + phys_addr_t paddr; + void *vaddr; + unsigned long size; +}; + #ifdef CONFIG_CRYPTO_DEV_SP_PSP /** * psp_tee_process_cmd() - Process command in Trusted Execution Environment @@ -75,6 +92,28 @@ int psp_tee_process_cmd(enum tee_cmd_id cmd_id, void *buf, size_t len, */ int psp_check_tee_status(void); +/** + * psp_tee_alloc_buffer() - Allocates memory of requested size using + * dma_alloc_coherent() API. + * + * This function can be used to allocate a shared memory region between the + * host and PSP TEE. + * + * Returns: + * non-NULL a valid pointer to struct psp_tee_buffer + * NULL on failure + */ +struct psp_tee_buffer *psp_tee_alloc_buffer(unsigned long size); + +/** + * psp_tee_free_buffer() - Deallocates memory using dma_free_coherent() API. + * + * This function can be used to release shared memory region between host + * and PSP TEE. + * + */ +void psp_tee_free_buffer(struct psp_tee_buffer *buffer); + #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ static inline int psp_tee_process_cmd(enum tee_cmd_id cmd_id, void *buf, @@ -87,5 +126,15 @@ static inline int psp_check_tee_status(void) { return -ENODEV; } + +static inline +struct psp_tee_buffer *psp_tee_alloc_buffer(unsigned long size) +{ + return NULL; +} + +static inline void psp_tee_free_buffer(struct psp_tee_buffer *buffer) +{ +} #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ #endif /* __PSP_TEE_H_ */ -- 2.25.1

3 years, 1 month

4
5
0 0

[PATCH AUTOSEL 6.0 7/7] drm/amdkfd: Fix double release compute pasid

by Sasha Levin

From: Philip Yang <Philip.Yang(a)amd.com> [ Upstream commit 1a799c4c190ea9f0e81028e3eb3037ed0ab17ff5 ] If kfd_process_device_init_vm returns failure after vm is converted to compute vm and vm->pasid set to compute pasid, KFD will not take pdd->drm_file reference. As a result, drm close file handler maybe called to release the compute pasid before KFD process destroy worker to release the same pasid and set vm->pasid to zero, this generates below WARNING backtrace and NULL pointer access. Add helper amdgpu_amdkfd_gpuvm_set_vm_pasid and call it at the last step of kfd_process_device_init_vm, to ensure vm pasid is the original pasid if acquiring vm failed or is the compute pasid with pdd->drm_file reference taken to avoid double release same pasid. amdgpu: Failed to create process VM object ida_free called for id=32770 which is not allocated. WARNING: CPU: 57 PID: 72542 at ../lib/idr.c:522 ida_free+0x96/0x140 RIP: 0010:ida_free+0x96/0x140 Call Trace: amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu] amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu] drm_file_free.part.13+0x216/0x270 [drm] drm_close_helper.isra.14+0x60/0x70 [drm] drm_release+0x6e/0xf0 [drm] __fput+0xcc/0x280 ____fput+0xe/0x20 task_work_run+0x96/0xc0 do_exit+0x3d0/0xc10 BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:ida_free+0x76/0x140 Call Trace: amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu] amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu] drm_file_free.part.13+0x216/0x270 [drm] drm_close_helper.isra.14+0x60/0x70 [drm] drm_release+0x6e/0xf0 [drm] __fput+0xcc/0x280 ____fput+0xe/0x20 task_work_run+0x96/0xc0 do_exit+0x3d0/0xc10 Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Felix Kuehling <Felix.Kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 4 +- .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 39 +++++++++++++------ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 12 ++++-- 3 files changed, 40 insertions(+), 15 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h index 647220a8762d..30f145dc8724 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h @@ -265,8 +265,10 @@ int amdgpu_amdkfd_get_pcie_bandwidth_mbytes(struct amdgpu_device *adev, bool is_ (&((struct amdgpu_fpriv *) \ ((struct drm_file *)(drm_priv))->driver_priv)->vm) +int amdgpu_amdkfd_gpuvm_set_vm_pasid(struct amdgpu_device *adev, + struct file *filp, u32 pasid); int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, - struct file *filp, u32 pasid, + struct file *filp, void **process_info, struct dma_fence **ef); void amdgpu_amdkfd_gpuvm_release_process_vm(struct amdgpu_device *adev, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c index 5e184952ec98..f86a132bb761 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c @@ -1471,10 +1471,9 @@ static void amdgpu_amdkfd_gpuvm_unpin_bo(struct amdgpu_bo *bo) amdgpu_bo_unreserve(bo); } -int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, - struct file *filp, u32 pasid, - void **process_info, - struct dma_fence **ef) +int amdgpu_amdkfd_gpuvm_set_vm_pasid(struct amdgpu_device *adev, + struct file *filp, u32 pasid) + { struct amdgpu_fpriv *drv_priv; struct amdgpu_vm *avm; @@ -1485,10 +1484,6 @@ int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, return ret; avm = &drv_priv->vm; - /* Already a compute VM? */ - if (avm->process_info) - return -EINVAL; - /* Free the original amdgpu allocated pasid, * will be replaced with kfd allocated pasid. */ @@ -1497,14 +1492,36 @@ int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, amdgpu_vm_set_pasid(adev, avm, 0); } - /* Convert VM into a compute VM */ - ret = amdgpu_vm_make_compute(adev, avm); + ret = amdgpu_vm_set_pasid(adev, avm, pasid); if (ret) return ret; - ret = amdgpu_vm_set_pasid(adev, avm, pasid); + return 0; +} + +int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, + struct file *filp, + void **process_info, + struct dma_fence **ef) +{ + struct amdgpu_fpriv *drv_priv; + struct amdgpu_vm *avm; + int ret; + + ret = amdgpu_file_to_fpriv(filp, &drv_priv); if (ret) return ret; + avm = &drv_priv->vm; + + /* Already a compute VM? */ + if (avm->process_info) + return -EINVAL; + + /* Convert VM into a compute VM */ + ret = amdgpu_vm_make_compute(adev, avm); + if (ret) + return ret; + /* Initialize KFD part of the VM and process info */ ret = init_kfd_vm(avm, process_info, ef); if (ret) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c index 04678f9e214b..febf0e9f7af1 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c @@ -1581,9 +1581,9 @@ int kfd_process_device_init_vm(struct kfd_process_device *pdd, p = pdd->process; dev = pdd->dev; - ret = amdgpu_amdkfd_gpuvm_acquire_process_vm( - dev->adev, drm_file, p->pasid, - &p->kgd_process_info, &p->ef); + ret = amdgpu_amdkfd_gpuvm_acquire_process_vm(dev->adev, drm_file, + &p->kgd_process_info, + &p->ef); if (ret) { pr_err("Failed to create process VM object\n"); return ret; @@ -1598,10 +1598,16 @@ int kfd_process_device_init_vm(struct kfd_process_device *pdd, if (ret) goto err_init_cwsr; + ret = amdgpu_amdkfd_gpuvm_set_vm_pasid(dev->adev, drm_file, p->pasid); + if (ret) + goto err_set_pasid; + pdd->drm_file = drm_file; return 0; +err_set_pasid: + kfd_process_device_destroy_cwsr_dgpu(pdd); err_init_cwsr: kfd_process_device_destroy_ib_mem(pdd); err_reserve_ib_mem: -- 2.35.1

3 years, 1 month

1
0
0 0

[PATCH AUTOSEL 6.1 7/7] drm/amdkfd: Fix double release compute pasid

by Sasha Levin

From: Philip Yang <Philip.Yang(a)amd.com> [ Upstream commit 1a799c4c190ea9f0e81028e3eb3037ed0ab17ff5 ] If kfd_process_device_init_vm returns failure after vm is converted to compute vm and vm->pasid set to compute pasid, KFD will not take pdd->drm_file reference. As a result, drm close file handler maybe called to release the compute pasid before KFD process destroy worker to release the same pasid and set vm->pasid to zero, this generates below WARNING backtrace and NULL pointer access. Add helper amdgpu_amdkfd_gpuvm_set_vm_pasid and call it at the last step of kfd_process_device_init_vm, to ensure vm pasid is the original pasid if acquiring vm failed or is the compute pasid with pdd->drm_file reference taken to avoid double release same pasid. amdgpu: Failed to create process VM object ida_free called for id=32770 which is not allocated. WARNING: CPU: 57 PID: 72542 at ../lib/idr.c:522 ida_free+0x96/0x140 RIP: 0010:ida_free+0x96/0x140 Call Trace: amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu] amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu] drm_file_free.part.13+0x216/0x270 [drm] drm_close_helper.isra.14+0x60/0x70 [drm] drm_release+0x6e/0xf0 [drm] __fput+0xcc/0x280 ____fput+0xe/0x20 task_work_run+0x96/0xc0 do_exit+0x3d0/0xc10 BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:ida_free+0x76/0x140 Call Trace: amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu] amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu] drm_file_free.part.13+0x216/0x270 [drm] drm_close_helper.isra.14+0x60/0x70 [drm] drm_release+0x6e/0xf0 [drm] __fput+0xcc/0x280 ____fput+0xe/0x20 task_work_run+0x96/0xc0 do_exit+0x3d0/0xc10 Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Felix Kuehling <Felix.Kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 4 +- .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 39 +++++++++++++------ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 12 ++++-- 3 files changed, 40 insertions(+), 15 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h index 647220a8762d..30f145dc8724 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h @@ -265,8 +265,10 @@ int amdgpu_amdkfd_get_pcie_bandwidth_mbytes(struct amdgpu_device *adev, bool is_ (&((struct amdgpu_fpriv *) \ ((struct drm_file *)(drm_priv))->driver_priv)->vm) +int amdgpu_amdkfd_gpuvm_set_vm_pasid(struct amdgpu_device *adev, + struct file *filp, u32 pasid); int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, - struct file *filp, u32 pasid, + struct file *filp, void **process_info, struct dma_fence **ef); void amdgpu_amdkfd_gpuvm_release_process_vm(struct amdgpu_device *adev, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c index 1f76e27f1a35..18a7cbbd00ff 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c @@ -1473,10 +1473,9 @@ static void amdgpu_amdkfd_gpuvm_unpin_bo(struct amdgpu_bo *bo) amdgpu_bo_unreserve(bo); } -int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, - struct file *filp, u32 pasid, - void **process_info, - struct dma_fence **ef) +int amdgpu_amdkfd_gpuvm_set_vm_pasid(struct amdgpu_device *adev, + struct file *filp, u32 pasid) + { struct amdgpu_fpriv *drv_priv; struct amdgpu_vm *avm; @@ -1487,10 +1486,6 @@ int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, return ret; avm = &drv_priv->vm; - /* Already a compute VM? */ - if (avm->process_info) - return -EINVAL; - /* Free the original amdgpu allocated pasid, * will be replaced with kfd allocated pasid. */ @@ -1499,14 +1494,36 @@ int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, amdgpu_vm_set_pasid(adev, avm, 0); } - /* Convert VM into a compute VM */ - ret = amdgpu_vm_make_compute(adev, avm); + ret = amdgpu_vm_set_pasid(adev, avm, pasid); if (ret) return ret; - ret = amdgpu_vm_set_pasid(adev, avm, pasid); + return 0; +} + +int amdgpu_amdkfd_gpuvm_acquire_process_vm(struct amdgpu_device *adev, + struct file *filp, + void **process_info, + struct dma_fence **ef) +{ + struct amdgpu_fpriv *drv_priv; + struct amdgpu_vm *avm; + int ret; + + ret = amdgpu_file_to_fpriv(filp, &drv_priv); if (ret) return ret; + avm = &drv_priv->vm; + + /* Already a compute VM? */ + if (avm->process_info) + return -EINVAL; + + /* Convert VM into a compute VM */ + ret = amdgpu_vm_make_compute(adev, avm); + if (ret) + return ret; + /* Initialize KFD part of the VM and process info */ ret = init_kfd_vm(avm, process_info, ef); if (ret) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c index 9821fa9268d3..dd351105c1bc 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c @@ -1576,9 +1576,9 @@ int kfd_process_device_init_vm(struct kfd_process_device *pdd, p = pdd->process; dev = pdd->dev; - ret = amdgpu_amdkfd_gpuvm_acquire_process_vm( - dev->adev, drm_file, p->pasid, - &p->kgd_process_info, &p->ef); + ret = amdgpu_amdkfd_gpuvm_acquire_process_vm(dev->adev, drm_file, + &p->kgd_process_info, + &p->ef); if (ret) { pr_err("Failed to create process VM object\n"); return ret; @@ -1593,10 +1593,16 @@ int kfd_process_device_init_vm(struct kfd_process_device *pdd, if (ret) goto err_init_cwsr; + ret = amdgpu_amdkfd_gpuvm_set_vm_pasid(dev->adev, drm_file, p->pasid); + if (ret) + goto err_set_pasid; + pdd->drm_file = drm_file; return 0; +err_set_pasid: + kfd_process_device_destroy_cwsr_dgpu(pdd); err_init_cwsr: kfd_process_device_destroy_ib_mem(pdd); err_reserve_ib_mem: -- 2.35.1

3 years, 1 month

1
0
0 0

Re: [PATCH v3] usb: gadget: aspeed_udc: Add check for dma_alloc_coherent

by Jiasheng Jiang

On Fri, Dec 23, 2022 at 10:54:37PM +0800, Greg KH wrote: >> diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c >> index 01968e2167f9..7dc2457c7460 100644 >> --- a/drivers/usb/gadget/udc/aspeed_udc.c >> +++ b/drivers/usb/gadget/udc/aspeed_udc.c >> @@ -1516,6 +1516,10 @@ static int ast_udc_probe(struct platform_device *pdev) >> AST_UDC_EP_DMA_SIZE * >> AST_UDC_NUM_ENDPOINTS, >> &udc->ep0_buf_dma, GFP_KERNEL); >> + if (!udc->ep0_buf) { >> + rc = -ENOMEM; >> + goto err; >> + } >> >> udc->gadget.speed = USB_SPEED_UNKNOWN; >> udc->gadget.max_speed = USB_SPEED_HIGH; >> -- >> 2.25.1 >> > > Why is this just a duplicate of the patch previously submitted here: > https://lore.kernel.org/r/20221125092833.74822-1-yuancan@huawei.com > > confused, > > greg k-h Yes, it is the same as mine. As the previous patch had not been merged into the Linux kernel, my tool found the same error and report it. And both of us chose the most concise way to fix the error. That is why the patches are the same. Thanks, Jiang

3 years, 1 month

1
0
0 0

Re: [PATCH v3] usb: gadget: aspeed_udc: Add check for dma_alloc_coherent

by Jiasheng Jiang

Yes, it is the same as mine. As the previous patch had not been merged into the Linux kernel, my tool found the same error and report it. And both of us chose the most concise way to fix the error. That is why the patches are the same. Thanks, Jiang

3 years, 1 month

2
1
0 0

[PATCH v3] usb: gadget: aspeed_udc: Add check for dma_alloc_coherent

by Jiasheng Jiang

Add the check for the return value of dma_alloc_coherent in order to avoid NULL pointer dereference. This flaw was found using an experimental static analysis tool we are developing, APP-Miner, which has not been disclosed. The allyesconfig build using GCC 9.3.0 shows no new warning. As we don't have a UDC device to test with, no runtime testing was able to be performed. Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- Changelog: v2 -> v3: 1. Add information of finding tool and tests to commit message. v1 -> v2: 1. Add "goto err;" when allocation fails. --- drivers/usb/gadget/udc/aspeed_udc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c index 01968e2167f9..7dc2457c7460 100644 --- a/drivers/usb/gadget/udc/aspeed_udc.c +++ b/drivers/usb/gadget/udc/aspeed_udc.c @@ -1516,6 +1516,10 @@ static int ast_udc_probe(struct platform_device *pdev) AST_UDC_EP_DMA_SIZE * AST_UDC_NUM_ENDPOINTS, &udc->ep0_buf_dma, GFP_KERNEL); + if (!udc->ep0_buf) { + rc = -ENOMEM; + goto err; + } udc->gadget.speed = USB_SPEED_UNKNOWN; udc->gadget.max_speed = USB_SPEED_HIGH; -- 2.25.1

3 years, 1 month

2
1
0 0

[PATCH v2] usb: gadget: aspeed_udc: Add check for dma_alloc_coherent

by Jiasheng Jiang

Add the check for the return value of dma_alloc_coherent in order to avoid NULL pointer dereference. This flaw was found using an experimental static analysis tool we are developing, APP-Miner, which has not been disclosed. The allyesconfig build using GCC 9.3.0 shows no new warning. As we don't have a UDC device to test with, no runtime testing was able to be performed. Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> --- Changelog: v1 -> v2: 1. Add "goto err;" when allocation fails. --- drivers/usb/gadget/udc/aspeed_udc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c index 01968e2167f9..7dc2457c7460 100644 --- a/drivers/usb/gadget/udc/aspeed_udc.c +++ b/drivers/usb/gadget/udc/aspeed_udc.c @@ -1516,6 +1516,10 @@ static int ast_udc_probe(struct platform_device *pdev) AST_UDC_EP_DMA_SIZE * AST_UDC_NUM_ENDPOINTS, &udc->ep0_buf_dma, GFP_KERNEL); + if (!udc->ep0_buf) { + rc = -ENOMEM; + goto err; + } udc->gadget.speed = USB_SPEED_UNKNOWN; udc->gadget.max_speed = USB_SPEED_HIGH; -- 2.25.1

3 years, 2 months

2
1
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig