Hi,
Two x86 fixes in this series.
1) x86/delay: Fix the wrong Assembly constraint in delay_loop() function.
2) x86/MCE/AMD: Fix memory leak when `threshold_create_bank()` fails.
## Changelog
v5:
- Mark patch #1 for stable.
- Commit message improvement for patch #1 and #2.
- Fold in changes from Yazen and Alviro (for patch #2).
v4:
- Address comment from Greg, sha1 commit Fixes only needs
to be 12 chars.
- Add the author of the fixed commit to the CC list.
v3:
- Fold in changes from Alviro, the previous version is still
leaking @bank[n].
v2:
- Fix wrong copy/paste.
Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar(a)gnuweeb.org>
Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com>
Signed-off-by: Ammar Faizi <ammarfaizi2(a)gnuweeb.org>
---
Ammar Faizi (2):
x86/delay: Fix the wrong asm constraint in `delay_loop()`
x86/MCE/AMD: Fix memory leak when `threshold_create_bank()` fails
arch/x86/kernel/cpu/mce/amd.c | 32 +++++++++++++++++++-------------
arch/x86/lib/delay.c | 4 ++--
2 files changed, 21 insertions(+), 15 deletions(-)
base-commit: 7e57714cd0ad2d5bb90e50b5096a0e671dec1ef3
--
Ammar Faizi
The below memory leak information is caught:
unreferenced object 0xffff997dd4e3b240 (size 64):
comm "gem_tiled_fence", pid 10332, jiffies 4294959326 (age
220778.420s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 be f2 d4 7d 99 ff ff ............}...
backtrace:
[<ffffffffa0f04365>] kmem_cache_alloc_trace+0x2e5/0x450
[<ffffffffc062f3ac>] drm_vma_node_allow+0x2c/0xe0 [drm]
[<ffffffffc13149ea>] __assign_mmap_offset_handle+0x1da/0x4a0 [i915]
[<ffffffffc1315235>] i915_gem_mmap_offset_ioctl+0x55/0xb0 [i915]
[<ffffffffc06207e4>] drm_ioctl_kernel+0xb4/0x140 [drm]
[<ffffffffc0620ac7>] drm_ioctl+0x257/0x410 [drm]
[<ffffffffa0f553ae>] __x64_sys_ioctl+0x8e/0xc0
[<ffffffffa1821128>] do_syscall_64+0x38/0xc0
[<ffffffffa1a0007c>] entry_SYSCALL_64_after_hwframe+0x44/0xae
The issue is always reproduced with the test:
gem_tiled_fence_blits --run-subtest basic
It tries to mmap_gtt the same object several times, it is like:
create BO
mmap_gtt BO
unmap BO
mmap_gtt BO <== second time mmap_gtt
unmap
close BO
The leak happens at the second time mmap_gtt in function
mmap_offset_attach(),it will simply increase the reference
count to 2 by calling drm_vma_node_allow() directly since
the mmo has been created at the first time.
However the driver just revokes the vma_node only one time
when closing the object, it leads to memory leak easily.
This patch is to fix the memory leak by calling drm_vma_node_allow() one
time also.
V2: add "Fixes and Cc stable". (Tvrtko Ursulin)
Fixes: 786555987207 ("drm/i915/gem: Store mmap_offsets in an rbtree
rather than a plain list")
Cc: <stable(a)vger.kernel.org> # v5.7+
Cc: Chris Wilson <chris(a)chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin(a)intel.com>
Signed-off-by: Chuansheng Liu <chuansheng.liu(a)intel.com>
---
drivers/gpu/drm/i915/gem/i915_gem_mman.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
index c3ea243d414d..fda346d687fd 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
@@ -680,7 +680,7 @@ mmap_offset_attach(struct drm_i915_gem_object *obj,
mmo = insert_mmo(obj, mmo);
GEM_BUG_ON(lookup_mmo(obj, mmap_type) != mmo);
out:
- if (file)
+ if (file && !drm_vma_node_is_allowed(&mmo->vma_node, file))
drm_vma_node_allow(&mmo->vma_node, file);
return mmo;
--
2.25.0.rc2
On Sat, Mar 26, 2022 at 11:39:35AM +0100, Luna Jernberg wrote:
> Works on my i7 4790k with EndeavourOS
>
>
> Tested-by: Luna Jernberg <droidbittin(a)gmail.com>
Please do not send html email to the lists, nor top post.
thanks for testing!
greg k-h
The bug is here:
if (!rdev || rdev->desc_nr != nr) {
The list iterator value 'rdev' will *always* be set and non-NULL
by rdev_for_each_rcu(), so it is incorrect to assume that the
iterator value will be NULL if the list is empty or no element
found (In fact, it will be a bogus pointer to an invalid struct
object containing the HEAD). Otherwise it will bypass the check
and lead to invalid memory access passing the check.
To fix the bug, use a new variable 'iter' as the list iterator,
while use the original variable 'pdev' as a dedicated pointer to
point to the found element.
Cc: stable(a)vger.kernel.org
Fixes: 70bcecdb1534 ("amd-cluster: Improve md_reload_sb to be less error prone")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong(a)gmail.com>
---
drivers/md/md.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 7476fc204172..f156678c08bc 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -9794,16 +9794,18 @@ static int read_rdev(struct mddev *mddev, struct md_rdev *rdev)
void md_reload_sb(struct mddev *mddev, int nr)
{
- struct md_rdev *rdev;
+ struct md_rdev *rdev = NULL, *iter;
int err;
/* Find the rdev */
- rdev_for_each_rcu(rdev, mddev) {
- if (rdev->desc_nr == nr)
+ rdev_for_each_rcu(iter, mddev) {
+ if (iter->desc_nr == nr) {
+ rdev = iter;
break;
+ }
}
- if (!rdev || rdev->desc_nr != nr) {
+ if (!rdev) {
pr_warn("%s: %d Could not find rdev with nr %d\n", __func__, __LINE__, nr);
return;
}
--
2.17.1
Dzień dobry,
chciałbym zaprosić Państwa na bezpłatne profesjonalne warsztaty z wykorzystania pakietów biurowych Microsoft 365, które podwyższają efektywność pracy kadry.
Duża dawka praktycznej wiedzy i poznanie nowych funkcji pozwala pracownikom wykonywać swoje zadania szybciej i wydajniej.
Jesteśmy partnerem Microsoft i znajdujemy się w międzynarodowej czołówce firm certyfikowanych, z aż 16 złotymi kompetencjami producenta.
Jeżeli są Państwo zainteresowani podniesieniem kwalifikacji swoich współpracowników w tym zakresie, proszę o kontakt.
Pozdrawiam
Paweł Kodura
The bug is here:
if (s->len != flen) {
The list iterator 's' will point to a bogus position containing
HEAD if the list is empty or no element is found. This case must
be checked before any use of the iterator, otherwise it may bpass
the 'if (s->len != flen) {' in theory iif s->len's value is flen.
To fix this bug, use a new variable 'iter' as the list iterator,
while use the origin variable 's' as a dedicated pointer to
point to the found element.
Cc: stable(a)vger.kernel.org
Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong(a)gmail.com>
---
drivers/s390/char/tty3270.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c
index 5c83f71c1d0e..030e9a098d11 100644
--- a/drivers/s390/char/tty3270.c
+++ b/drivers/s390/char/tty3270.c
@@ -1111,7 +1111,7 @@ tty3270_convert_line(struct tty3270 *tp, int line_nr)
{
struct tty3270_line *line;
struct tty3270_cell *cell;
- struct string *s, *n;
+ struct string *s = NULL, *n, *iter;
unsigned char highlight;
unsigned char f_color;
char *cp;
@@ -1142,13 +1142,15 @@ tty3270_convert_line(struct tty3270 *tp, int line_nr)
/* Find the line in the list. */
i = tp->view.rows - 2 - line_nr;
- list_for_each_entry_reverse(s, &tp->lines, list)
- if (--i <= 0)
+ list_for_each_entry_reverse(iter, &tp->lines, list)
+ if (--i <= 0) {
+ s = iter;
break;
+ }
/*
* Check if the line needs to get reallocated.
*/
- if (s->len != flen) {
+ if (!s || s->len != flen) {
/* Reallocate string. */
n = tty3270_alloc_string(tp, flen);
list_add(&n->list, &s->list);
--
2.17.1