Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

15 participants
3031 discussions

KMSAN: uninit-value in __dma_map_sg_attrs

by Dipanjan Das

Hi, We would like to report the following bug which has been found by our modified version of syzkaller. ====================================================== description: KMSAN: uninit-value in __dma_map_sg_attrs affected file: kernel/dma/mapping.c kernel version: 6.2.0-rc5 kernel commit: 41c66f47061608dc1fd493eebce198f0e74cc2d7 git tree: kmsan kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=a9a22da1efde3af6 crash reproducer: attached ====================================================== Crash log: ====================================================== BUG: KMSAN: uninit-value in __dma_map_sg_attrs+0x1f3/0x2e0 kernel/dma/mapping.c:200 __dma_map_sg_attrs+0x1f3/0x2e0 kernel/dma/mapping.c:200 dma_map_sg_attrs+0x4a/0x60 kernel/dma/mapping.c:232 ata_sg_setup drivers/ata/libata-core.c:4544 [inline] ata_qc_issue+0x958/0x1480 drivers/ata/libata-core.c:4845 ata_scsi_translate drivers/ata/libata-scsi.c:1745 [inline] __ata_scsi_queuecmd+0x161c/0x16c0 drivers/ata/libata-scsi.c:4023 ata_scsi_queuecmd+0x86d/0x970 drivers/ata/libata-scsi.c:4068 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1517 [inline] scsi_queue_rq+0x478f/0x55c0 drivers/scsi/scsi_lib.c:1758 blk_mq_dispatch_rq_list+0x13e9/0x40f0 block/blk-mq.c:2056 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:173 [inline] blk_mq_do_dispatch_sched+0xd97/0x1630 block/blk-mq-sched.c:187 __blk_mq_sched_dispatch_requests+0x495/0x620 blk_mq_sched_dispatch_requests+0x146/0x2b0 block/blk-mq-sched.c:339 __blk_mq_run_hw_queue+0xf7/0x310 block/blk-mq.c:2174 __blk_mq_delay_run_hw_queue+0x13c/0x6b0 block/blk-mq.c:2250 blk_mq_run_hw_queue+0x527/0x850 block/blk-mq.c:2298 blk_mq_sched_insert_requests+0x50f/0x7d0 block/blk-mq-sched.c:493 blk_mq_dispatch_plug_list block/blk-mq.c:2758 [inline] blk_mq_flush_plug_list+0x752/0x1300 block/blk-mq.c:2800 __blk_flush_plug+0x600/0x680 block/blk-core.c:1137 blk_finish_plug+0x71/0x90 block/blk-core.c:1161 ext4_do_writepages+0x5c84/0x6e40 fs/ext4/inode.c:2928 ext4_writepages+0x2bc/0x660 fs/ext4/inode.c:2965 do_writepages+0x475/0x930 mm/page-writeback.c:2581 filemap_fdatawrite_wbc+0x1c4/0x260 mm/filemap.c:388 __filemap_fdatawrite_range mm/filemap.c:421 [inline] file_write_and_wait_range+0x22f/0x410 mm/filemap.c:777 ext4_sync_file+0x1ef/0x15b0 fs/ext4/fsync.c:151 vfs_fsync_range+0x1ee/0x240 fs/sync.c:188 generic_write_sync include/linux/fs.h:2885 [inline] ext4_buffered_write_iter+0xaa3/0xb90 fs/ext4/file.c:292 ext4_file_write_iter+0xc9c/0x3350 do_iter_write+0x645/0x12e0 fs/read_write.c:861 vfs_writev+0x307/0x750 fs/read_write.c:934 do_pwritev fs/read_write.c:1031 [inline] __do_sys_pwritev2 fs/read_write.c:1090 [inline] __se_sys_pwritev2+0x275/0x480 fs/read_write.c:1081 __x64_sys_pwritev2+0xe0/0x140 fs/read_write.c:1081 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: __alloc_pages+0x767/0xee0 mm/page_alloc.c:5572 alloc_pages+0xa9a/0xd90 mm/mempolicy.c:2286 folio_alloc+0x41/0x100 mm/mempolicy.c:2296 filemap_alloc_folio+0xa5/0x450 mm/filemap.c:972 __filemap_get_folio+0xe7c/0x1960 mm/filemap.c:1966 pagecache_get_page+0x46/0x270 mm/folio-compat.c:98 grab_cache_page_write_begin+0x51/0x70 mm/folio-compat.c:110 ext4_write_begin+0x3d8/0x31d0 fs/ext4/inode.c:1194 ext4_da_write_begin+0x5f4/0x11c0 fs/ext4/inode.c:3058 generic_perform_write+0x376/0xc50 mm/filemap.c:3772 ext4_buffered_write_iter+0x583/0xb90 fs/ext4/file.c:285 ext4_file_write_iter+0xc9c/0x3350 do_iter_write+0x645/0x12e0 fs/read_write.c:861 vfs_writev+0x307/0x750 fs/read_write.c:934 do_pwritev fs/read_write.c:1031 [inline] __do_sys_pwritev2 fs/read_write.c:1090 [inline] __se_sys_pwritev2+0x275/0x480 fs/read_write.c:1081 __x64_sys_pwritev2+0xe0/0x140 fs/read_write.c:1081 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Bytes 0-1279 of 4096 are uninitialized Memory access of size 4096 starts at ffff8880324c6000 CPU: 0 PID: 24178 Comm: syz-executor.4 Not tainted 6.2.0-rc5-00010-g41c66f470616 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 -- Thanks and Regards, Dipanjan

2 years, 7 months

[PATCH] dma-buf: make kobj_type structure constant

by Thomas Weißschuh

Since commit ee6d3dd4ed48 ("driver core: make kobj_type constant.") the driver core allows the usage of const struct kobj_type. Take advantage of this to constify the structure definition to prevent modification at runtime. Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- drivers/dma-buf/dma-buf-sysfs-stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/dma-buf-sysfs-stats.c b/drivers/dma-buf/dma-buf-sysfs-stats.c index fbf725fae7c1..6cfbbf0720bd 100644 --- a/drivers/dma-buf/dma-buf-sysfs-stats.c +++ b/drivers/dma-buf/dma-buf-sysfs-stats.c @@ -112,7 +112,7 @@ static void dma_buf_sysfs_release(struct kobject *kobj) kfree(sysfs_entry); } -static struct kobj_type dma_buf_ktype = { +static const struct kobj_type dma_buf_ktype = { .sysfs_ops = &dma_buf_stats_sysfs_ops, .release = dma_buf_sysfs_release, .default_groups = dma_buf_stats_default_groups, --- base-commit: 3ac88fa4605ec98e545fb3ad0154f575fda2de5f change-id: 20230217-kobj_type-dma-buf-a2ea6a8a1de3 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

2 years, 7 months

[PATCH v2 0/1] tee: Add tee_shm_register_fd

by Olivier Masse

Add a new ioctl called TEE_IOC_SHM_REGISTER_FD to register a shared memory from a dmabuf file descriptor. This new ioctl will allow the Linux Kernel to register a buffer to be used by the Secure Data Path OPTEE OS feature. Please find more information here: https://static.linaro.org/connect/san19/presentations/san19-107.pdf Patch tested on Hikey 6220. Etienne Carriere (1): tee: new ioctl to a register tee_shm from a dmabuf file descriptor drivers/tee/tee_core.c | 38 +++++++++++++++ drivers/tee/tee_shm.c | 99 +++++++++++++++++++++++++++++++++++++++- include/linux/tee_drv.h | 11 +++++ include/uapi/linux/tee.h | 29 ++++++++++++ 4 files changed, 175 insertions(+), 2 deletions(-) -- 2.25.0

2 years, 7 months

[PATCH] Fix drm documentation warning

by Taichi Nishimura

Sorry to re-send this patch again. I forgot to attach description. When running make htmldocs, I found that drm_accel_node does not exist. The documents do not have any links to acceleration nodes, so I removed them. This patch is an extra credit for documentation task in the Linux kernel Bug Fixing Spring unpaid 2023. Best, Taichi Signed-off-by: Taichi Nishimura <awkrail01(a)gmail.com> --- include/drm/drm_file.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/drm/drm_file.h b/include/drm/drm_file.h index 0d1f853092ab..cffccf6b94de 100644 --- a/include/drm/drm_file.h +++ b/include/drm/drm_file.h @@ -407,8 +407,6 @@ static inline bool drm_is_render_client(const struct drm_file *file_priv) * * Returns true if this is an open file of the compute acceleration node, i.e. * &drm_file.minor of @file_priv is a accel minor. - * - * See also the :ref:`section on accel nodes <drm_accel_node>`. */ static inline bool drm_is_accel_client(const struct drm_file *file_priv) { -- 2.25.1

2 years, 7 months

[PATCH] Fix drm documentation warning

by Taichi Nishimura

Signed-off-by: Taichi Nishimura <awkrail01(a)gmail.com> --- include/drm/drm_file.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/drm/drm_file.h b/include/drm/drm_file.h index 0d1f853092ab..cffccf6b94de 100644 --- a/include/drm/drm_file.h +++ b/include/drm/drm_file.h @@ -407,8 +407,6 @@ static inline bool drm_is_render_client(const struct drm_file *file_priv) * * Returns true if this is an open file of the compute acceleration node, i.e. * &drm_file.minor of @file_priv is a accel minor. - * - * See also the :ref:`section on accel nodes <drm_accel_node>`. */ static inline bool drm_is_accel_client(const struct drm_file *file_priv) { -- 2.25.1

2 years, 7 months

[PATCH v2 0/4] Track exported dma-buffers with memcg

by T.J. Mercier

Based on discussions at LPC, this series adds a memory.stat counter for exported dmabufs. This counter allows us to continue tracking system-wide total exported buffer sizes which there is no longer any way to get without DMABUF_SYSFS_STATS, and adds a new capability to track per-cgroup exported buffer sizes. The total (root counter) is helpful for accounting in-kernel dmabuf use (by comparing with the sum of child nodes or with the sum of sizes of mapped buffers or FD references in procfs) in addition to helping identify driver memory leaks when in-kernel use continually increases over time. With per-application cgroups, the per-cgroup counter allows us to quickly see how much dma-buf memory an application has caused to be allocated. This avoids the need to read through all of procfs which can be a lengthy process, and causes the charge to "stick" to the allocating process/cgroup as long as the buffer is alive, regardless of how the buffer is shared (unless the charge is transferred). The first patch adds the counter to memcg. The next two patches allow the charge for a buffer to be transferred across cgroups which is necessary because of the way most dmabufs are allocated from a central process on Android. The fourth patch adds the binder object flags to the existing selinux_binder_transfer_file LSM hook and a SELinux permission for charge transfers. [1] https://lore.kernel.org/all/20220617085702.4298-1-christian.koenig@amd.com/ v2: Actually charge memcg vs just mutate the stat counter per Shakeel Butt and Michal Hocko. Shakeel pointed me at the skmem functions which turned out to be very similar to how I was thinking the dmabuf tracking should work. So I've added a pair of dmabuf functions that do essentially the same thing, except conditionally implemented behind CONFIG_MEMCG alongside the other charge/uncharge functions. Drop security_binder_transfer_charge per Casey Schaufler and Paul Moore Drop BINDER_FDA_FLAG_XFER_CHARGE (and fix commit message) per Carlos Llamas Don't expose is_dma_buf_file for use by binder per Hillf Danton Call dma_buf_stats_teardown in dma_buf_export error handling Rebase onto v6.2-rc5 Hridya Valsaraju (1): binder: Add flags to relinquish ownership of fds T.J. Mercier (3): memcg: Track exported dma-buffers dmabuf: Add cgroup charge transfer function security: binder: Add binder object flags to selinux_binder_transfer_file Documentation/admin-guide/cgroup-v2.rst | 5 ++ drivers/android/binder.c | 27 ++++++++-- drivers/dma-buf/dma-buf.c | 69 +++++++++++++++++++++++++ include/linux/dma-buf.h | 4 ++ include/linux/lsm_hook_defs.h | 2 +- include/linux/lsm_hooks.h | 5 +- include/linux/memcontrol.h | 43 +++++++++++++++ include/linux/security.h | 6 ++- include/uapi/linux/android/binder.h | 19 +++++-- mm/memcontrol.c | 19 +++++++ security/security.c | 4 +- security/selinux/hooks.c | 13 ++++- security/selinux/include/classmap.h | 2 +- 13 files changed, 201 insertions(+), 17 deletions(-) base-commit: 2241ab53cbb5cdb08a6b2d4688feb13971058f65 -- 2.39.0.246.g2a6d74b583-goog

2 years, 7 months

[PATCH] dma-buf: Add "dma-buf" to title of documentation

by Jonathan Neuschäfer

To make it easier to find the dma-buf documentation when looking through tables-of-contents etc., put the name "dma-buf" in the title. Signed-off-by: Jonathan Neuschäfer <j.neuschaefer(a)gmx.net> --- Documentation/driver-api/dma-buf.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 622b8156d2127..61b6f42ed0f18 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -1,5 +1,5 @@ -Buffer Sharing and Synchronization -================================== +Buffer Sharing and Synchronization (dma-buf) +============================================ The dma-buf subsystem provides the framework for sharing buffers for hardware (DMA) access across multiple device drivers and subsystems, and -- 2.39.0

2 years, 7 months

DMA-heap driver hints

by Christian König

Hi guys, this is just an RFC! The last time we discussed the DMA-buf coherency problem [1] we concluded that DMA-heap first needs a better way to communicate to userspace which heap to use for a certain device. As far as I know userspace currently just hard codes that information which is certainly not desirable considering that we should have this inside the kernel as well. So what those two patches here do is to first add some dma_heap_create_device_link() and dma_heap_remove_device_link() function and then demonstrating the functionality with uvcvideo driver. The preferred DMA-heap is represented with a symlink in sysfs between the device and the virtual DMA-heap device node. What's still missing is certainly matching userspace for this since I wanted to discuss the initial kernel approach first. Please take a look and comment. Thanks, Christian. [1] https://lore.kernel.org/all/11a6f97c-e45f-f24b-8a73-48d5a388a2cc@gmail.com/…

2 years, 7 months

[PATCH 10/15] serial: ambarella: add support for Ambarella uart_port

by lchen＠ambarella.com

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

2 years, 7 months

[PATCH 0/4] Track exported dma-buffers with memcg

by T.J. Mercier

Based on discussions at LPC, this series adds a memory.stat counter for exported dmabufs. This counter allows us to continue tracking system-wide total exported buffer sizes which there is no longer any way to get without DMABUF_SYSFS_STATS, and adds a new capability to track per-cgroup exported buffer sizes. The total (root counter) is helpful for accounting in-kernel dmabuf use (by comparing with the sum of child nodes or with the sum of sizes of mapped buffers or FD references in procfs) in addition to helping identify driver memory leaks when in-kernel use continually increases over time. With per-application cgroups, the per-cgroup counter allows us to quickly see how much dma-buf memory an application has caused to be allocated. This avoids the need to read through all of procfs which can be a lengthy process, and causes the charge to "stick" to the allocating process/cgroup as long as the buffer is alive, regardless of how the buffer is shared (unless the charge is transferred). The first patch adds the counter to memcg. The next two patches allow the charge for a buffer to be transferred across cgroups which is necessary because of the way most dmabufs are allocated from a central process on Android. The fourth patch adds a SELinux hook to binder in order to control who is allowed to transfer buffer charges. [1] https://lore.kernel.org/all/20220617085702.4298-1-christian.koenig@amd.com/ Hridya Valsaraju (1): binder: Add flags to relinquish ownership of fds T.J. Mercier (3): memcg: Track exported dma-buffers dmabuf: Add cgroup charge transfer function security: binder: Add transfer_charge SElinux hook Documentation/admin-guide/cgroup-v2.rst | 5 +++ drivers/android/binder.c | 36 +++++++++++++++-- drivers/dma-buf/dma-buf.c | 54 +++++++++++++++++++++++-- include/linux/dma-buf.h | 5 +++ include/linux/lsm_hook_defs.h | 2 + include/linux/lsm_hooks.h | 6 +++ include/linux/memcontrol.h | 7 ++++ include/linux/security.h | 2 + include/uapi/linux/android/binder.h | 23 +++++++++-- mm/memcontrol.c | 4 ++ security/security.c | 6 +++ security/selinux/hooks.c | 9 +++++ security/selinux/include/classmap.h | 2 +- 13 files changed, 149 insertions(+), 12 deletions(-) base-commit: b7bfaa761d760e72a969d116517eaa12e404c262 -- 2.39.0.314.g84b9a713c41-goog

2 years, 8 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig