From: Weihao Li <[email protected]>
[ Upstream commit c6c5a5580dcb6631aa6369dabe12ef3ce784d1d2 ]
The HCLK_OTG gate control is in CRU_CLKGATE5_CON, not CRU_CLKGATE3_CON.
Signed-off-by: Weihao Li <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Heiko Stuebner <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/clk/rockchip/clk-rk3128.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/rockchip/clk-rk3128.c b/drivers/clk/rockchip/clk-rk3128.c
index 5970a50671b9a..83c7eb18321f4 100644
--- a/drivers/clk/rockchip/clk-rk3128.c
+++ b/drivers/clk/rockchip/clk-rk3128.c
@@ -497,7 +497,7 @@ static struct rockchip_clk_branch common_clk_branches[] __initdata = {
GATE(HCLK_I2S_2CH, "hclk_i2s_2ch", "hclk_peri", 0, RK2928_CLKGATE_CON(7), 2, GFLAGS),
GATE(0, "hclk_usb_peri", "hclk_peri", CLK_IGNORE_UNUSED, RK2928_CLKGATE_CON(9), 13, GFLAGS),
GATE(HCLK_HOST2, "hclk_host2", "hclk_peri", 0, RK2928_CLKGATE_CON(7), 3, GFLAGS),
- GATE(HCLK_OTG, "hclk_otg", "hclk_peri", 0, RK2928_CLKGATE_CON(3), 13, GFLAGS),
+ GATE(HCLK_OTG, "hclk_otg", "hclk_peri", 0, RK2928_CLKGATE_CON(5), 13, GFLAGS),
GATE(0, "hclk_peri_ahb", "hclk_peri", CLK_IGNORE_UNUSED, RK2928_CLKGATE_CON(9), 14, GFLAGS),
GATE(HCLK_SPDIF, "hclk_spdif", "hclk_peri", 0, RK2928_CLKGATE_CON(10), 9, GFLAGS),
GATE(HCLK_TSP, "hclk_tsp", "hclk_peri", 0, RK2928_CLKGATE_CON(10), 12, GFLAGS),
--
2.43.0
From: "Steven Rostedt (Google)" <[email protected]>
[ Upstream commit b55b0a0d7c4aa2dac3579aa7e6802d1f57445096 ]
If a large event was added to the ring buffer that is larger than what the
trace_seq can handle, it just drops the output:
~# cat /sys/kernel/tracing/trace
# tracer: nop
#
# entries-in-buffer/entries-written: 2/2 #P:8
#
# _-----=> irqs-off/BH-disabled
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / _-=> migrate-disable
# |||| / delay
# TASK-PID CPU# ||||| TIMESTAMP FUNCTION
# | | | ||||| | |
<...>-859 [001] ..... 141.118951: tracing_mark_write <...>-859 [001] ..... 141.148201: tracing_mark_write: 78901234
Instead, catch this case and add some context:
~# cat /sys/kernel/tracing/trace
# tracer: nop
#
# entries-in-buffer/entries-written: 2/2 #P:8
#
# _-----=> irqs-off/BH-disabled
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / _-=> migrate-disable
# |||| / delay
# TASK-PID CPU# ||||| TIMESTAMP FUNCTION
# | | | ||||| | |
<...>-852 [001] ..... 121.550551: tracing_mark_write[LINE TOO BIG]
<...>-852 [001] ..... 121.550581: tracing_mark_write: 78901234
This now emulates the same output as trace_pipe.
Link: https://lore.kernel.org/linux-trace-kernel/[email protected]
Cc: Mark Rutland <[email protected]>
Cc: Mathieu Desnoyers <[email protected]>
Reviewed-by: Masami Hiramatsu (Google) <[email protected]>
Signed-off-by: Steven Rostedt (Google) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/trace/trace.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index c5fe020336bea..755d6146c738c 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3826,7 +3826,11 @@ static int s_show(struct seq_file *m, void *v)
iter->leftover = ret;
} else {
- print_trace_line(iter);
+ ret = print_trace_line(iter);
+ if (ret == TRACE_TYPE_PARTIAL_LINE) {
+ iter->seq.full = 0;
+ trace_seq_puts(&iter->seq, "[LINE TOO BIG]\n");
+ }
ret = trace_print_seq(m, &iter->seq);
/*
* If we overflow the seq_file buffer, then it will
--
2.43.0
From: "Steven Rostedt (Google)" <[email protected]>
[ Upstream commit 712292308af2265cd9b126aedfa987f10f452a33 ]
As the ring buffer recording requires cmpxchg() to work, if the
architecture does not support cmpxchg in NMI, then do not do any recording
within an NMI.
Link: https://lore.kernel.org/linux-trace-kernel/[email protected]
Cc: Masami Hiramatsu <[email protected]>
Cc: Mark Rutland <[email protected]>
Cc: Mathieu Desnoyers <[email protected]>
Signed-off-by: Steven Rostedt (Google) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/trace/ring_buffer.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index f0d4ff2db2ef0..b1acec3e4dc3b 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -2774,6 +2774,12 @@ rb_reserve_next_event(struct ring_buffer *buffer,
int nr_loops = 0;
u64 diff;
+ /* ring buffer does cmpxchg, make sure it is safe in NMI context */
+ if (!IS_ENABLED(CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG) &&
+ (unlikely(in_nmi()))) {
+ return NULL;
+ }
+
rb_start_commit(cpu_buffer);
#ifdef CONFIG_RING_BUFFER_ALLOW_SWAP
--
2.43.0
From: Ziqi Zhao <[email protected]>
[ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]
The connector_set contains uninitialized values when allocated with
kmalloc_array. However, in the "out" branch, the logic assumes that any
element in connector_set would be equal to NULL if failed to
initialize, which causes the bug reported by Syzbot. The fix is to use
an extra variable to keep track of how many connectors are initialized
indeed, and use that variable to decrease any refcounts in the "out"
branch.
Reported-by: [email protected]
Signed-off-by: Ziqi Zhao <[email protected]>
Reported-and-tested-by: [email protected]
Tested-by: Harshit Mogalapalli <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Maxime Ripard <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/drm_crtc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 5af25ce5bf7c2..5ae3adfbc5e80 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -556,8 +556,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
struct drm_mode_set set;
uint32_t __user *set_connectors_ptr;
struct drm_modeset_acquire_ctx ctx;
- int ret;
- int i;
+ int ret, i, num_connectors;
if (!drm_core_check_feature(dev, DRIVER_MODESET))
return -EINVAL;
@@ -672,6 +671,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
goto out;
}
+ num_connectors = 0;
for (i = 0; i < crtc_req->count_connectors; i++) {
connector_set[i] = NULL;
set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
@@ -692,6 +692,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
connector->name);
connector_set[i] = connector;
+ num_connectors++;
}
}
@@ -700,7 +701,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
set.y = crtc_req->y;
set.mode = mode;
set.connectors = connector_set;
- set.num_connectors = crtc_req->count_connectors;
+ set.num_connectors = num_connectors;
set.fb = fb;
ret = __drm_mode_set_config_internal(&set, &ctx);
@@ -709,7 +710,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
drm_framebuffer_put(fb);
if (connector_set) {
- for (i = 0; i < crtc_req->count_connectors; i++) {
+ for (i = 0; i < num_connectors; i++) {
if (connector_set[i])
drm_connector_put(connector_set[i]);
}
--
2.43.0
From: "Steven Rostedt (Google)" <[email protected]>
[ Upstream commit 60be76eeabb3d83858cc6577fc65c7d0f36ffd42 ]
If for some reason the trace_marker write does not have a nul byte for the
string, it will overflow the print:
trace_seq_printf(s, ": %s", field->buf);
The field->buf could be missing the nul byte. To prevent overflow, add the
max size that the buf can be by using the event size and the field
location.
int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_seq_printf(s, ": %*.s", max, field->buf);
Link: https://lore.kernel.org/linux-trace-kernel/[email protected]
Cc: Mark Rutland <[email protected]>
Cc: Mathieu Desnoyers <[email protected]>
Reviewed-by: Masami Hiramatsu (Google) <[email protected]>
Signed-off-by: Steven Rostedt (Google) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/trace/trace_output.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
index e3ab66e6fd85c..3ca9ddfef2b8f 100644
--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -1319,11 +1319,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
{
struct print_entry *field;
struct trace_seq *s = &iter->seq;
+ int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_assign_type(field, iter->ent);
seq_print_ip_sym(s, field->ip, flags);
- trace_seq_printf(s, ": %s", field->buf);
+ trace_seq_printf(s, ": %.*s", max, field->buf);
return trace_handle_return(s);
}
@@ -1332,10 +1333,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
struct trace_event *event)
{
struct print_entry *field;
+ int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_assign_type(field, iter->ent);
- trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
+ trace_seq_printf(&iter->seq, "# %lx %.*s", field->ip, max, field->buf);
return trace_handle_return(&iter->seq);
}
--
2.43.0
On Mon, 18 Dec 2023, Sasha Levin <[email protected]> wrote:
> From: Ziqi Zhao <[email protected]>
>
> [ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]
>
> The connector_set contains uninitialized values when allocated with
> kmalloc_array. However, in the "out" branch, the logic assumes that any
> element in connector_set would be equal to NULL if failed to
> initialize, which causes the bug reported by Syzbot. The fix is to use
> an extra variable to keep track of how many connectors are initialized
> indeed, and use that variable to decrease any refcounts in the "out"
> branch.
>
> Reported-by: [email protected]
> Signed-off-by: Ziqi Zhao <[email protected]>
> Reported-and-tested-by: [email protected]
> Tested-by: Harshit Mogalapalli <[email protected]>
> Link: https://lore.kernel.org/r/[email protected]
> Signed-off-by: Maxime Ripard <[email protected]>
> Signed-off-by: Sasha Levin <[email protected]>
This commit fixes an uninitialized value, but introduces a new
one. Please backport 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable
use") from v6.7-rc6 to go with it.
Thanks,
Jani.
> ---
> drivers/gpu/drm/drm_crtc.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
> index 5af25ce5bf7c2..5ae3adfbc5e80 100644
> --- a/drivers/gpu/drm/drm_crtc.c
> +++ b/drivers/gpu/drm/drm_crtc.c
> @@ -556,8 +556,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
> struct drm_mode_set set;
> uint32_t __user *set_connectors_ptr;
> struct drm_modeset_acquire_ctx ctx;
> - int ret;
> - int i;
> + int ret, i, num_connectors;
>
> if (!drm_core_check_feature(dev, DRIVER_MODESET))
> return -EINVAL;
> @@ -672,6 +671,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
> goto out;
> }
>
> + num_connectors = 0;
> for (i = 0; i < crtc_req->count_connectors; i++) {
> connector_set[i] = NULL;
> set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
> @@ -692,6 +692,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
> connector->name);
>
> connector_set[i] = connector;
> + num_connectors++;
> }
> }
>
> @@ -700,7 +701,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
> set.y = crtc_req->y;
> set.mode = mode;
> set.connectors = connector_set;
> - set.num_connectors = crtc_req->count_connectors;
> + set.num_connectors = num_connectors;
> set.fb = fb;
> ret = __drm_mode_set_config_internal(&set, &ctx);
>
> @@ -709,7 +710,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
> drm_framebuffer_put(fb);
>
> if (connector_set) {
> - for (i = 0; i < crtc_req->count_connectors; i++) {
> + for (i = 0; i < num_connectors; i++) {
> if (connector_set[i])
> drm_connector_put(connector_set[i]);
> }
--
Jani Nikula, Intel
On Tue, Dec 19, 2023 at 10:44:02AM +0200, Jani Nikula wrote:
>On Mon, 18 Dec 2023, Sasha Levin <[email protected]> wrote:
>> From: Ziqi Zhao <[email protected]>
>>
>> [ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]
>>
>> The connector_set contains uninitialized values when allocated with
>> kmalloc_array. However, in the "out" branch, the logic assumes that any
>> element in connector_set would be equal to NULL if failed to
>> initialize, which causes the bug reported by Syzbot. The fix is to use
>> an extra variable to keep track of how many connectors are initialized
>> indeed, and use that variable to decrease any refcounts in the "out"
>> branch.
>>
>> Reported-by: [email protected]
>> Signed-off-by: Ziqi Zhao <[email protected]>
>> Reported-and-tested-by: [email protected]
>> Tested-by: Harshit Mogalapalli <[email protected]>
>> Link: https://lore.kernel.org/r/[email protected]
>> Signed-off-by: Maxime Ripard <[email protected]>
>> Signed-off-by: Sasha Levin <[email protected]>
>
>This commit fixes an uninitialized value, but introduces a new
>one. Please backport 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable
>use") from v6.7-rc6 to go with it.
I'll take 6e455f5dcdd1 too, thanks!
--
Thanks,
Sasha
Hi!
> > > From: Ziqi Zhao <[email protected]>
> > >
> > > [ Upstream commit 3823119b9c2b5f9e9b760336f75bc989b805cde6 ]
> > >
> > > The connector_set contains uninitialized values when allocated with
> > > kmalloc_array. However, in the "out" branch, the logic assumes that any
> > > element in connector_set would be equal to NULL if failed to
> > > initialize, which causes the bug reported by Syzbot. The fix is to use
> > > an extra variable to keep track of how many connectors are initialized
> > > indeed, and use that variable to decrease any refcounts in the "out"
> > > branch.
> > >
> > > Reported-by: [email protected]
> > > Signed-off-by: Ziqi Zhao <[email protected]>
> > > Reported-and-tested-by: [email protected]
> > > Tested-by: Harshit Mogalapalli <[email protected]>
> > > Link: https://lore.kernel.org/r/[email protected]
> > > Signed-off-by: Maxime Ripard <[email protected]>
> > > Signed-off-by: Sasha Levin <[email protected]>
> >
> > This commit fixes an uninitialized value, but introduces a new
> > one. Please backport 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable
> > use") from v6.7-rc6 to go with it.
>
> I'll take 6e455f5dcdd1 too, thanks!
So, what is the status of 4.14-stable? Last one was
marked. .. well. .. as last one, so perhaps AUTOSEL should start
ignoring it, too?
Best regards,
Pavel
--
People of Russia, stop Putin before his war on Ukraine escalates.