- Linux-stable-mirror - lists.linaro.org

[PATCH v4] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer

by Krzysztof Niemiec

Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer. If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail during processing any (possibly not first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point did the lookup function fail. In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is nullified, which is a source of a NULL deref bug described in [1]. When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway, however the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being nullified as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure. Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15062 Fixes: 544460c33821 ("drm/i915: Multi-BB execbuf") Reported-by: Gangmin Kim <km.kim1503(a)gmail.com> Cc: <stable(a)vger.kernel.org> # 5.16.x Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec(a)intel.com> --- I messed up the continuity in previous revisions; the original patch was sent as [1], and the first revision (which I didn't mark as v2 due to the title change) was sent as [2]. This is the full current changelog: v4: - delete an empty line (Janusz), reword the comment a bit (Krzysztof, Janusz) v3: - use memset() to fill the entire eb.vma array with zeros instead of looping through the elements (Janusz) - add a comment clarifying the mechanism of the initial allocation (Janusz) - change the commit log again, including title - rearrange the tags to keep checkpatch happy v2: - set the eb->vma[i].vma pointers to NULL during setup instead of ad-hoc at failure (Janusz) - romanize the reporter's name (Andi, offline) - change the commit log, including title [1] https://patchwork.freedesktop.org/series/156832/ [2] https://patchwork.freedesktop.org/series/158036/ .../gpu/drm/i915/gem/i915_gem_execbuffer.c | 37 +++++++++---------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c index b057c2fa03a4..348023d13668 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c @@ -951,13 +951,13 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) vma = eb_lookup_vma(eb, eb->exec[i].handle); if (IS_ERR(vma)) { err = PTR_ERR(vma); - goto err; + return err; } err = eb_validate_vma(eb, &eb->exec[i], vma); if (unlikely(err)) { i915_vma_put(vma); - goto err; + return err; } err = eb_add_vma(eb, &current_batch, i, vma); @@ -966,19 +966,8 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) if (i915_gem_object_is_userptr(vma->obj)) { err = i915_gem_object_userptr_submit_init(vma->obj); - if (err) { - if (i + 1 < eb->buffer_count) { - /* - * Execbuffer code expects last vma entry to be NULL, - * since we already initialized this entry, - * set the next value to NULL or we mess up - * cleanup handling. - */ - eb->vma[i + 1].vma = NULL; - } - + if (err) return err; - } eb->vma[i].flags |= __EXEC_OBJECT_USERPTR_INIT; eb->args->flags |= __EXEC_USERPTR_USED; @@ -986,10 +975,6 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb) } return 0; - -err: - eb->vma[i].vma = NULL; - return err; } static int eb_lock_vmas(struct i915_execbuffer *eb) @@ -3375,7 +3360,8 @@ i915_gem_do_execbuffer(struct drm_device *dev, eb.exec = exec; eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1); - eb.vma[0].vma = NULL; + memset(eb.vma, 0x00, args->buffer_count * sizeof(struct eb_vma)); + eb.batch_pool = NULL; eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS; @@ -3584,7 +3570,18 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data, if (err) return err; - /* Allocate extra slots for use by the command parser */ + /* + * Allocate extra slots for use by the command parser. + * + * Note that this allocation handles two different arrays (the + * exec2_list array, and the eventual eb.vma array introduced in + * i915_gem_do_execubuffer()), that reside in virtually contiguous + * memory. Also note that the allocation intentionally doesn't fill the + * area with zeros (because the exec2_list part doesn't need to be, as + * it's immediately overwritten by user data a few lines below). + * However, the eb.vma part is explicitly zeroed later in + * i915_gem_do_execbuffer(). + */ exec2_list = kvmalloc_array(count + 2, eb_element_size(), __GFP_NOWARN | GFP_KERNEL); if (exec2_list == NULL) { -- 2.45.2

15 hours, 39 minutes

1
0
0 0

[PATCH v2] PCI: Fix incorrect unlocking in pci_slot_trylock()

by Jinhui Guo

Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it forgets to remove the corresponding pci_dev_unlock() when pci_bus_trylock() fails. Before the commit, the code did: if (!pci_dev_trylock(dev)) /* <- lock bridge device */ goto unlock; if (dev->subordinate) { if (!pci_bus_trylock(dev->subordinate)) { pci_dev_unlock(dev); /* <- unlock bridge device */ goto unlock; } } After the commit the bridge-device lock is no longer taken, but the pci_dev_unlock(dev) on the failure path was left in place, leading to the bug. This yields one of two errors: 1. A warning that the lock is being unlocked when no one holds it. 2. An incorrect unlock of a lock that belongs to another thread. Fix it by removing the now-redundant pci_dev_unlock(dev) on the failure path. Fixes: a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") Cc: stable(a)vger.kernel.org Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> Acked-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> --- Hi, all v1: https://lore.kernel.org/all/20251211123635.2215-1-guojinhui.liam@bytedance.… Changelog in v1 -> v2 - The v1 commit message was too brief, so I’ve sent v2 with more detail. - Remove the braces from the if (!pci_bus_trylock(dev->subordinate)) statement. Sorry for the noise. Best Regards, Jinhui drivers/pci/pci.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index 13dbb405dc31..59319e08fca6 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c @@ -5346,10 +5346,8 @@ static int pci_slot_trylock(struct pci_slot *slot) if (!dev->slot || dev->slot != slot) continue; if (dev->subordinate) { - if (!pci_bus_trylock(dev->subordinate)) { - pci_dev_unlock(dev); + if (!pci_bus_trylock(dev->subordinate)) goto unlock; - } } else if (!pci_dev_trylock(dev)) goto unlock; } -- 2.20.1

15 hours, 50 minutes

2
2
0 0

[PATCH 0/4] drm: Revert and fix enable/disable sequence

by Tomi Valkeinen

Changing the enable/disable sequence in commit c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable") has caused regressions on multiple platforms: R-Car, MCDE, Rockchip. This is an alternate series to Linus' series: https://lore.kernel.org/all/20251202-mcde-drm-regression-thirdfix-v6-0-f1bf… This series first reverts the original commit and reverts a fix for mediatek which is no longer needed. It then exposes helper functions from DRM core, and finally implements the new sequence only in the tidss driver. There is one more fix in upstream for the original commit, commit 5d91394f2361 ("drm/exynos: fimd: Guard display clock control with runtime PM calls"), but I have not reverted that one as it looks like a valid patch in its own. I added Cc stable v6.17+ to all patches, but I didn't add Fixes tags, as I wasn't sure what should they point to. But I could perhaps add Fixes: <original commit> to all of these. Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> --- Linus Walleij (1): drm/atomic-helper: Export and namespace some functions Tomi Valkeinen (3): Revert "drm/atomic-helper: Re-order bridge chain pre-enable and post-disable" Revert "drm/mediatek: dsi: Fix DSI host and panel bridge pre-enable order" drm/tidss: Fix enable/disable order drivers/gpu/drm/drm_atomic_helper.c | 122 ++++++++++++++---- drivers/gpu/drm/mediatek/mtk_dsi.c | 6 - drivers/gpu/drm/tidss/tidss_kms.c | 30 ++++- include/drm/drm_atomic_helper.h | 22 ++++ include/drm/drm_bridge.h | 249 ++++++++++-------------------------- 5 files changed, 214 insertions(+), 215 deletions(-) --- base-commit: 88e721ab978a86426aa08da520de77430fa7bb84 change-id: 20251205-drm-seq-fix-b4ed1f56604b Best regards, -- Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com>

16 hours, 24 minutes

5
11
0 0

[6.12.60 lts] [amdgpu]: regression: broken multi-monitor USB4 dock on Ryzen 7840U

by Péter Bohner

upgrading from 6.12.59 to 6.12.60 broke my USB4 (Dynabook Thunderbolt 4 Dock)'s video output with my Framework 13 (AMD Ryzen 7840U / Radeom 780M igpu) . With two monitors plugged in, only one of them works, the other (always the one on the 'video 2' output) remains blank (but receives signal). relevant dmesg [note: tainted by ZFS] (full output at: https://gist.github.com/x-zvf/128d45d028230438b8777c40759fa997): [drm:amdgpu_dm_process_dmub_aux_transfer_sync [amdgpu]] *ERROR* wait_for_completion_timeout timeout! ------------[ cut here ]------------ WARNING: CPU: 15 PID: 3064 at drivers/gpu/drm/amd/amdgpu/../display/dc/link/hwss/link_hwss_dpia.c:49 update_dpia_stream_allocation_table+0xf2/0x100 [amdgpu] Modules linked in: hid_logitech_hidpp hid_logitech_dj snd_seq_midi snd_seq_midi_event uvcvideo videobuf2_vmalloc uvc videobuf2_memops snd_usb_audio videobuf2_v4l2 videobuf2_common snd_usbmidi_lib snd_ump videodev snd_rawmidi mc cdc_ether usbnet mii uas usb_storage ccm snd_seq_dummy rfcomm snd_hrtimer snd_seq snd_seq_device tun ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_multiport xt_cgroup xt_mark xt_owner xt_tcpudp ip6table_raw iptable_raw ip6table_mangle iptable_mangle ip6table_nat iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c crc32c_generic ip6table_filter ip6_tables iptable_filter uhid cmac algif_hash algif_skcipher af_alg bnep vfat fat amd_atl intel_rapl_msr intel_rapl_common snd_sof_amd_acp70 snd_sof_amd_acp63 snd_soc_acpi_amd_match snd_sof_amd_vangogh snd_sof_amd_rembrandt snd_sof_amd_renoir snd_sof_amd_acp snd_sof_pci snd_sof_xtensa_dsp snd_sof mt7921e snd_sof_utils mt7921_common snd_pci_ps mt792x_lib snd_hda_codec_realtek snd_amd_sdw_acpi soundwire_amd kvm_amd mt76_connac_lib snd_hda_codec_generic soundwire_generic_allocation snd_hda_scodec_component snd_hda_codec_hdmi mousedev mt76 soundwire_bus snd_hda_intel kvm snd_soc_core snd_intel_dspcfg irqbypass snd_intel_sdw_acpi mac80211 snd_compress ac97_bus crct10dif_pclmul hid_sensor_als snd_pcm_dmaengine snd_hda_codec crc32_pclmul hid_sensor_trigger crc32c_intel snd_rpl_pci_acp6x industrialio_triggered_buffer snd_acp_pci polyval_clmulni kfifo_buf snd_hda_core snd_acp_legacy_common polyval_generic libarc4 hid_sensor_iio_common industrialio ghash_clmulni_intel leds_cros_ec cros_ec_sysfs cros_ec_hwmon cros_kbd_led_backlight cros_charge_control led_class_multicolor gpio_cros_ec cros_ec_chardev cros_ec_debugfs sha512_ssse3 snd_hwdep snd_pci_acp6x hid_multitouch joydev spd5118 hid_sensor_hub cros_ec_dev sha256_ssse3 snd_pcm btusb cfg80211 sha1_ssse3 btrtl aesni_intel snd_pci_acp5x btintel snd_timer snd_rn_pci_acp3x sp5100_tco gf128mul ucsi_acpi crypto_simd btbcm snd_acp_config snd amd_pmf typec_ucsi cryptd snd_soc_acpi i2c_piix4 btmtk bluetooth rapl wmi_bmof pcspkr typec k10temp thunderbolt amdtee soundcore ccp snd_pci_acp3x i2c_smbus rfkill roles cros_ec_lpcs i2c_hid_acpi amd_sfh cros_ec platform_profile i2c_hid tee amd_pmc mac_hid i2c_dev crypto_user dm_mod loop nfnetlink bpf_preload ip_tables x_tables hid_generic usbhid amdgpu zfs(POE) crc16 amdxcp spl(OE) i2c_algo_bit drm_ttm_helper ttm serio_raw drm_exec atkbd gpu_sched libps2 vivaldi_fmap drm_suballoc_helper nvme drm_buddy i8042 drm_display_helper nvme_core video serio cec nvme_auth wmi CPU: 15 UID: 1000 PID: 3064 Comm: kwin_wayland Tainted: P OE 6.12.60-1-lts #1 9b11292f14ae477e878a6bb6a5b5efc27ccf021d Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.16 07/25/2025 RIP: 0010:update_dpia_stream_allocation_table+0xf2/0x100 [amdgpu] Code: d0 0f 1f 00 48 8b 44 24 08 65 48 2b 04 25 28 00 00 00 75 1a 48 83 c4 10 5b 5d 41 5c 41 5d e9 10 ec e3 d9 31 db e9 6f ff ff ff <0f> 0b eb 8a e8 05 09 c3 d9 0f 1f 44 00 00 90 90 90 90 90 90 90 90 RSP: 0018:ffffd26fe3473248 EFLAGS: 00010282 RAX: 00000000ffffffff RBX: 0000000000000025 RCX: 0000000000001140 RDX: 00000000ffffffff RSI: ffffd26fe34731f0 RDI: ffff8bb78c7bb608 RBP: ffff8bb7982c3b88 R08: 00000000ffffffff R09: 0000000000001100 R10: ffffd27000ef9900 R11: ffff8bb78c7bb400 R12: ffff8bb7982ed600 R13: ffff8bb7982c3800 R14: ffff8bb984e402a8 R15: ffff8bb7982c38c8 FS: 000073883c086b80(0000) GS:ffff8bc51e180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00002020005ba004 CR3: 000000014396e000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> ? link_set_dpms_on+0x7a5/0xc70 [amdgpu d75f7e51e39957084964278ab74da83065554c01] link_set_dpms_on+0x806/0xc70 [amdgpu d75f7e51e39957084964278ab74da83065554c01] dce110_apply_single_controller_ctx_to_hw+0x300/0x480 [amdgpu d75f7e51e39957084964278ab74da83065554c01] dce110_apply_ctx_to_hw+0x24c/0x2e0 [amdgpu d75f7e51e39957084964278ab74da83065554c01] ? dcn10_setup_stereo+0x160/0x170 [amdgpu d75f7e51e39957084964278ab74da83065554c01] dc_commit_state_no_check+0x63d/0xeb0 [amdgpu d75f7e51e39957084964278ab74da83065554c01] dc_commit_streams+0x296/0x490 [amdgpu d75f7e51e39957084964278ab74da83065554c01] ? srso_alias_return_thunk+0x5/0xfbef5 ? schedule_timeout+0x133/0x170 amdgpu_dm_atomic_commit_tail+0x6a1/0x3a10 [amdgpu d75f7e51e39957084964278ab74da83065554c01] ? srso_alias_return_thunk+0x5/0xfbef5 ? psi_task_switch+0x113/0x2a0 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? schedule+0x27/0xf0 ? srso_alias_return_thunk+0x5/0xfbef5 ? schedule_timeout+0x133/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 ? dma_fence_default_wait+0x8b/0x230 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? wait_for_completion_timeout+0x12e/0x180 commit_tail+0xae/0x140 drm_atomic_helper_commit+0x13c/0x180 drm_atomic_commit+0xa6/0xe0 ? __pfx___drm_printfn_info+0x10/0x10 drm_mode_atomic_ioctl+0xa60/0xcd0 ? sock_poll+0x51/0x110 ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 drm_ioctl_kernel+0xad/0x100 drm_ioctl+0x286/0x500 ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 amdgpu_drm_ioctl+0x4a/0x80 [amdgpu d75f7e51e39957084964278ab74da83065554c01] __x64_sys_ioctl+0x91/0xd0 do_syscall_64+0x7b/0x190 ? srso_alias_return_thunk+0x5/0xfbef5 ? __x64_sys_ppoll+0xf8/0x180 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x37/0x1c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x87/0x190 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x87/0x190 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x87/0x190 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x87/0x190 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x87/0x190 ? srso_alias_return_thunk+0x5/0xfbef5 ? irqentry_exit_to_user_mode+0x2c/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x738842d9b70d Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00 RSP: 002b:00007ffe3c7ed230 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000634abd49c210 RCX: 0000738842d9b70d RDX: 00007ffe3c7ed320 RSI: 00000000c03864bc RDI: 0000000000000013 RBP: 00007ffe3c7ed280 R08: 0000634abc4049bc R09: 0000634abce43e80 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3c7ed320 R13: 00000000c03864bc R14: 0000000000000013 R15: 0000634abc404840 </TASK> ---[ end trace 0000000000000000 ]--- regards, ~ Peter

16 hours, 56 minutes

4
7
0 0

[PATCH] PCI: Remove redundant pci_dev_unlock() in pci_slot_trylock()

by Jinhui Guo

Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it leaves a redundant pci_dev_unlock() when pci_bus_trylock() fails. Remove the redundant bridge-device pci_dev_unlock() in pci_slot_trylock(), since that lock is no longer taken there. Fixes: a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") Cc: stable(a)vger.kernel.org Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> --- drivers/pci/pci.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index 13dbb405dc31..75a98819db6f 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c @@ -5347,7 +5347,6 @@ static int pci_slot_trylock(struct pci_slot *slot) continue; if (dev->subordinate) { if (!pci_bus_trylock(dev->subordinate)) { - pci_dev_unlock(dev); goto unlock; } } else if (!pci_dev_trylock(dev)) -- 2.20.1

16 hours, 58 minutes

2
2
0 0

[PATCH v3] drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

by Karol Wachowski

Add missing drm_gem_object_put() call when drm_gem_object_lookup() successfully returns an object. This fixes a GEM object reference leak that can prevent driver modules from unloading when using prime buffers. Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle") Cc: <stable(a)vger.kernel.org> # v6.18+ Signed-off-by: Karol Wachowski <karol.wachowski(a)linux.intel.com> --- Changes between v3 and v2: - correctly add CC: tag this time Changes between v1 and v2: - move setting ret value under if branch as suggested in review - add Cc: stable 6.18+ --- drivers/gpu/drm/drm_gem.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index ca1956608261..bcc08a6aebf8 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -1010,8 +1010,10 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, if (!obj) return -ENOENT; - if (args->handle == args->new_handle) - return 0; + if (args->handle == args->new_handle) { + ret = 0; + goto out; + } mutex_lock(&file_priv->prime.lock); @@ -1043,6 +1045,8 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, out_unlock: mutex_unlock(&file_priv->prime.lock); +out: + drm_gem_object_put(obj); return ret; } -- 2.43.0

17 hours, 1 minute

2
1
0 0

[PATCH v2] drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

by Karol Wachowski

Add missing drm_gem_object_put() call when drm_gem_object_lookup() successfully returns an object. This fixes a GEM object reference leak that can prevent driver modules from unloading when using prime buffers. Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle") Signed-off-by: Karol Wachowski <karol.wachowski(a)linux.intel.com> --- Changes between v1 and v2: - move setting ret value under if branch as suggested in review - add Cc: stable 6.18+ --- drivers/gpu/drm/drm_gem.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index ca1956608261..bcc08a6aebf8 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -1010,8 +1010,10 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, if (!obj) return -ENOENT; - if (args->handle == args->new_handle) - return 0; + if (args->handle == args->new_handle) { + ret = 0; + goto out; + } mutex_lock(&file_priv->prime.lock); @@ -1043,6 +1045,8 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, out_unlock: mutex_unlock(&file_priv->prime.lock); +out: + drm_gem_object_put(obj); return ret; } -- 2.43.0

17 hours, 22 minutes

2
1
0 0

[PATCH] drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

by Karol Wachowski

Add missing drm_gem_object_put() call when drm_gem_object_lookup() successfully returns an object. This fixes a GEM object reference leak that can prevent driver modules from unloading when using prime buffers. Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle") Signed-off-by: Karol Wachowski <karol.wachowski(a)linux.intel.com> --- drivers/gpu/drm/drm_gem.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index ca1956608261..e150bc1ce65a 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -1001,7 +1001,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, { struct drm_gem_change_handle *args = data; struct drm_gem_object *obj; - int ret; + int ret = 0; if (!drm_core_check_feature(dev, DRIVER_GEM)) return -EOPNOTSUPP; @@ -1011,7 +1011,7 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, return -ENOENT; if (args->handle == args->new_handle) - return 0; + goto out; mutex_lock(&file_priv->prime.lock); @@ -1043,6 +1043,8 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, out_unlock: mutex_unlock(&file_priv->prime.lock); +out: + drm_gem_object_put(obj); return ret; } -- 2.43.0

17 hours, 24 minutes

3
3
0 0

[PATCH net 0/2] mptcp: fix warn on bad status

by Matthieu Baerts (NGI0)

Two somewhat related fixes addressing different issues found by syzkaller, and producing the exact same splat: a WARNING in subflow_data_ready(). - Patch 1: fallback earlier on simultaneous connections to avoid a warning. A fix for v5.19. - Patch 2: ensure context reset on disconnect, also to avoid a similar warning. A fix for v6.2. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Paolo Abeni (2): mptcp: fallback earlier on simult connection mptcp: ensure context reset on disconnect() net/mptcp/options.c | 10 ++++++++++ net/mptcp/protocol.c | 8 +++++--- net/mptcp/protocol.h | 9 ++++----- net/mptcp/subflow.c | 6 ------ 4 files changed, 19 insertions(+), 14 deletions(-) --- base-commit: 885bebac9909994050bbbeed0829c727e42bd1b7 change-id: 20251212-net-mptcp-subflow_data_ready-warn-fd8126208c90 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

17 hours, 51 minutes

1
2
0 0

[PATCH] i2c: riic: Move suspend handling to NOIRQ phase

by Tommaso Merciai

Commit 53326135d0e0 ("i2c: riic: Add suspend/resume support") added suspend support for the Renesas I2C driver and following this change on RZ/G3E the following WARNING is seen on entering suspend ... [ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 134.285536] ------------[ cut here ]------------ [ 134.290298] i2c i2c-2: Transfer while suspended [ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388 [ 134.365507] Tainted: [W]=WARN [ 134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT) [ 134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214 [ 134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214 [ 134.391717] sp : ffff800083f23860 [ 134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60 [ 134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001 [ 134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936 [ 134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006 [ 134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280 [ 134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09 [ 134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8 [ 134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000 [ 134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000 [ 134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80 [ 134.466851] Call trace: [ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P) [ 134.473715] i2c_smbus_xfer+0xbc/0x120 [ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84 [ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208] [ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208] [ 134.493226] __rtc_read_time+0x44/0x88 [ 134.497012] rtc_read_time+0x3c/0x68 [ 134.500622] rtc_suspend+0x9c/0x170 The warning is triggered because I2C transfers can still be attempted while the controller is already suspended, due to inappropriate ordering of the system sleep callbacks. Fix this by moving the system sleep suspend/resume callbacks to the NOIRQ phase, ensuring the adapter is fully quiesced after late suspend and properly resumed before the early resume phase. To support NOIRQ resume, the hardware initialization path must not invoke runtime PM APIs. Split the init code so that the low-level hardware setup can be executed without pm_runtime_get/put(). This avoids violating the constraint introduced by commit 1e2ef05bb8cf ("PM: Limit race conditions between runtime PM and system sleep (v2)"), which forbids runtime PM calls during early resume. Cc: stable(a)vger.kernel.org Fixes: 53326135d0e0 ("i2c: riic: Add suspend/resume support") Signed-off-by: Tommaso Merciai <tommaso.merciai.xr(a)bp.renesas.com> --- drivers/i2c/busses/i2c-riic.c | 65 ++++++++++++++++++++++------------- 1 file changed, 41 insertions(+), 24 deletions(-) diff --git a/drivers/i2c/busses/i2c-riic.c b/drivers/i2c/busses/i2c-riic.c index 3e8f126cb7f7..9acc8936cdf7 100644 --- a/drivers/i2c/busses/i2c-riic.c +++ b/drivers/i2c/busses/i2c-riic.c @@ -349,9 +349,8 @@ static const struct i2c_algorithm riic_algo = { .functionality = riic_func, }; -static int riic_init_hw(struct riic_dev *riic) +static int __riic_init_hw(struct riic_dev *riic) { - int ret; unsigned long rate; unsigned long ns_per_tick; int total_ticks, cks, brl, brh; @@ -431,10 +430,6 @@ static int riic_init_hw(struct riic_dev *riic) rate / total_ticks, ((brl + 3) * 100) / (brl + brh + 6), t->scl_fall_ns / ns_per_tick, t->scl_rise_ns / ns_per_tick, cks, brl, brh); - ret = pm_runtime_resume_and_get(dev); - if (ret) - return ret; - /* Changing the order of accessing IICRST and ICE may break things! */ riic_writeb(riic, ICCR1_IICRST | ICCR1_SOWP, RIIC_ICCR1); riic_clear_set_bit(riic, 0, ICCR1_ICE, RIIC_ICCR1); @@ -451,10 +446,25 @@ static int riic_init_hw(struct riic_dev *riic) riic_clear_set_bit(riic, ICCR1_IICRST, 0, RIIC_ICCR1); - pm_runtime_put_autosuspend(dev); return 0; } +static int riic_init_hw(struct riic_dev *riic) +{ + struct device *dev = riic->adapter.dev.parent; + int ret; + + ret = pm_runtime_resume_and_get(dev); + if (ret) + return ret; + + ret = __riic_init_hw(riic); + + pm_runtime_put_autosuspend(dev); + + return ret; +} + static int riic_get_scl(struct i2c_adapter *adap) { struct riic_dev *riic = i2c_get_adapdata(adap); @@ -572,6 +582,8 @@ static int riic_i2c_probe(struct platform_device *pdev) i2c_parse_fw_timings(dev, &riic->i2c_t, true); + platform_set_drvdata(pdev, riic); + /* Default 0 to save power. Can be overridden via sysfs for lower latency. */ pm_runtime_set_autosuspend_delay(dev, 0); pm_runtime_use_autosuspend(dev); @@ -585,8 +597,6 @@ static int riic_i2c_probe(struct platform_device *pdev) if (ret) goto out; - platform_set_drvdata(pdev, riic); - dev_info(dev, "registered with %dHz bus speed\n", riic->i2c_t.bus_freq_hz); return 0; @@ -668,27 +678,17 @@ static const struct riic_of_data riic_rz_t2h_info = { .num_irqs = ARRAY_SIZE(riic_rzt2h_irqs), }; -static int riic_i2c_suspend(struct device *dev) +static int riic_i2c_runtime_suspend(struct device *dev) { struct riic_dev *riic = dev_get_drvdata(dev); - int ret; - - ret = pm_runtime_resume_and_get(dev); - if (ret) - return ret; - - i2c_mark_adapter_suspended(&riic->adapter); /* Disable output on SDA, SCL pins. */ riic_clear_set_bit(riic, ICCR1_ICE, 0, RIIC_ICCR1); - pm_runtime_mark_last_busy(dev); - pm_runtime_put_sync(dev); - return reset_control_assert(riic->rstc); } -static int riic_i2c_resume(struct device *dev) +static int riic_i2c_runtime_resume(struct device *dev) { struct riic_dev *riic = dev_get_drvdata(dev); int ret; @@ -697,7 +697,7 @@ static int riic_i2c_resume(struct device *dev) if (ret) return ret; - ret = riic_init_hw(riic); + ret = __riic_init_hw(riic); if (ret) { /* * In case this happens there is no way to recover from this @@ -708,13 +708,30 @@ static int riic_i2c_resume(struct device *dev) return ret; } + return 0; +} + +static int riic_i2c_suspend(struct device *dev) +{ + struct riic_dev *riic = dev_get_drvdata(dev); + + i2c_mark_adapter_suspended(&riic->adapter); + + return pm_runtime_force_suspend(dev); +} + +static int riic_i2c_resume(struct device *dev) +{ + struct riic_dev *riic = dev_get_drvdata(dev); + i2c_mark_adapter_resumed(&riic->adapter); - return 0; + return pm_runtime_force_resume(dev); } static const struct dev_pm_ops riic_i2c_pm_ops = { - SYSTEM_SLEEP_PM_OPS(riic_i2c_suspend, riic_i2c_resume) + NOIRQ_SYSTEM_SLEEP_PM_OPS(riic_i2c_suspend, riic_i2c_resume) + RUNTIME_PM_OPS(riic_i2c_runtime_suspend, riic_i2c_runtime_resume, NULL) }; static const struct of_device_id riic_i2c_dt_ids[] = { -- 2.43.0

18 hours, 46 minutes

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror