Message ID | 20231002092051.555479-1-wenst@chromium.org |
---|---|
State | New |
Series | drm/mediatek: Correctly free sg_table in gem prime vmap |
Commit Message
Chen-Yu Tsai
Oct. 2, 2023, 9:20 a.m. UTC
The MediaTek DRM driver implements GEM PRIME vmap by fetching the
sg_table for the object, iterating through the pages, and then
vmapping them. In essence, unlike the GEM DMA helpers which vmap
when the object is first created or imported, the MediaTek version
does it on request.

Unfortunately, the code never correctly frees the sg_table contents.
This results in a kernel memory leak. On a Hayato device with a text
console on the internal display, this results in the system running
out of memory in a few days from all the console screen cursor updates.

Add sg_free_table() to correctly free the contents of the sg_table. This
was missing despite explicitly required by mtk_gem_prime_get_sg_table().

Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
---
Please merge for v6.6 fixes.

Also, I was wondering why the MediaTek DRM driver implements a lot of
the GEM functionality itself, instead of using the GEM DMA helpers.
From what I could tell, the code closely follows the DMA helpers, except
that it vmaps the buffers only upon request.

 drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++
 1 file changed, 3 insertions(+)
Comments
On 02/10/23 11:20, Chen-Yu Tsai wrote:
> The MediaTek DRM driver implements GEM PRIME vmap by fetching the
> sg_table for the object, iterating through the pages, and then
> vmapping them. In essence, unlike the GEM DMA helpers which vmap
> when the object is first created or imported, the MediaTek version
> does it on request.
>
> Unfortunately, the code never correctly frees the sg_table contents.
> This results in a kernel memory leak. On a Hayato device with a text
> console on the internal display, this results in the system running
> out of memory in a few days from all the console screen cursor updates.
>
> Add sg_free_table() to correctly free the contents of the sg_table. This
> was missing despite explicitly required by mtk_gem_prime_get_sg_table().
>
> Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>

Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Hi, On Mon, Oct 2, 2023 at 5:21 PM Chen-Yu Tsai <wenst@chromium.org> wrote: > > The MediaTek DRM driver implements GEM PRIME vmap by fetching the > sg_table for the object, iterating through the pages, and then > vmapping them. In essence, unlike the GEM DMA helpers which vmap > when the object is first created or imported, the MediaTek version > does it on request. > > Unfortunately, the code never correctly frees the sg_table contents. > This results in a kernel memory leak. On a Hayato device with a text > console on the internal display, this results in the system running > out of memory in a few days from all the console screen cursor updates. > > Add sg_free_table() to correctly free the contents of the sg_table. This > was missing despite explicitly required by mtk_gem_prime_get_sg_table(). > > Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function") > Cc: <stable@vger.kernel.org> > Signed-off-by: Chen-Yu Tsai <wenst@chromium.org> > --- > Please merge for v6.6 fixes. > > Also, I was wondering why the MediaTek DRM driver implements a lot of > the GEM functionality itself, instead of using the GEM DMA helpers. > From what I could tell, the code closely follows the DMA helpers, except > that it vmaps the buffers only upon request. > > > drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > index 9f364df52478..297ee090e02e 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > @@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) > npages = obj->size >> PAGE_SHIFT; > mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL); > if (!mtk_gem->pages) { > + sg_free_table(sgt); > kfree(sgt); > return -ENOMEM; > } 
> @@ -248,11 +249,13 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) > mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, > pgprot_writecombine(PAGE_KERNEL)); > if (!mtk_gem->kvaddr) { > + sg_free_table(sgt); > kfree(sgt); > kfree(mtk_gem->pages); > return -ENOMEM; > } > out: > + sg_free_table(sgt); I think this will cause invalid access from the "goto out" path - sg_free_table() accesses the provided sg table pointer, but it doesn't handle NULL pointers like kfree() does. Regards, Fei > kfree(sgt); > iosys_map_set_vaddr(map, mtk_gem->kvaddr); > > -- > 2.42.0.582.g8ccd20d70d-goog > >
On Tue, Oct 3, 2023 at 11:14 PM Fei Shao <fshao@chromium.org> wrote: > > Hi, > > On Mon, Oct 2, 2023 at 5:21 PM Chen-Yu Tsai <wenst@chromium.org> wrote: > > > > The MediaTek DRM driver implements GEM PRIME vmap by fetching the > > sg_table for the object, iterating through the pages, and then > > vmapping them. In essence, unlike the GEM DMA helpers which vmap > > when the object is first created or imported, the MediaTek version > > does it on request. > > > > Unfortunately, the code never correctly frees the sg_table contents. > > This results in a kernel memory leak. On a Hayato device with a text > > console on the internal display, this results in the system running > > out of memory in a few days from all the console screen cursor updates. > > > > Add sg_free_table() to correctly free the contents of the sg_table. This > > was missing despite explicitly required by mtk_gem_prime_get_sg_table(). > > > > Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function") > > Cc: <stable@vger.kernel.org> > > Signed-off-by: Chen-Yu Tsai <wenst@chromium.org> > > --- > > Please merge for v6.6 fixes. > > > > Also, I was wondering why the MediaTek DRM driver implements a lot of > > the GEM functionality itself, instead of using the GEM DMA helpers. > > From what I could tell, the code closely follows the DMA helpers, except > > that it vmaps the buffers only upon request. > > > > > > drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > > index 9f364df52478..297ee090e02e 100644 > > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c 
> > @@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) > > npages = obj->size >> PAGE_SHIFT; > > mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL); > > if (!mtk_gem->pages) { > > + sg_free_table(sgt); > > kfree(sgt); > > return -ENOMEM; > > } > > @@ -248,11 +249,13 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) > > mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, > > pgprot_writecombine(PAGE_KERNEL)); > > if (!mtk_gem->kvaddr) { > > + sg_free_table(sgt); > > kfree(sgt); > > kfree(mtk_gem->pages); > > return -ENOMEM; > > } > > out: > > + sg_free_table(sgt); > > I think this will cause invalid access from the "goto out" path - > sg_free_table() accesses the provided sg table pointer, but it doesn't > handle NULL pointers like kfree() does. You're right. I'll send a new version fixing this.
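The ownership rule behind the leak in the commit message, and the NULL concern raised in the review, shown as an added userspace model that is not code from the patch or the driver. `struct table`, `get_table()`, `free_table_contents()` and `map_once()` are hypothetical stand-ins for `struct sg_table`, `mtk_gem_prime_get_sg_table()`, `sg_free_table()` and the vmap path; freeing above the `out:` label is one possible arrangement, assumed here, that keeps the NULL path away from the dereferencing free.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model, constructed for illustration: struct table stands in for
 * struct sg_table; `live` counts outstanding heap allocations. */
static int live;
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live++; return p; }
static void xfree(void *p) { if (p) { live--; free(p); } } /* NULL-safe, like kfree() */

struct table { int *entries; };
/* Like mtk_gem_prime_get_sg_table(): caller owns the struct and its contents. */
static struct table *get_table(size_t n)
{
	struct table *t = xalloc(sizeof(*t));
	if (t && !(t->entries = xalloc(n * sizeof(*t->entries)))) { xfree(t); t = NULL; }
	return t;
}

/* Like sg_free_table(): dereferences t, so it must never be passed NULL. */
static void free_table_contents(struct table *t) { xfree(t->entries); t->entries = NULL; }

/* One map request. cached=1 models the early "goto out" with no table fetched;
 * free_contents selects the leaking (0) or the corrected (1) teardown. */
static int map_once(int cached, int free_contents)
{
	struct table *t = NULL;
	if (cached)
		goto out;
	if (!(t = get_table(16)))
		return -1;
	if (free_contents)
		free_table_contents(t); /* contents first, while t is known non-NULL */
	xfree(t);                       /* then the container */
out:
	return 0;                       /* cached path arrives here with t == NULL */
}

/* Allocations still outstanding after `calls` requests. */
static int leaked_after(int calls, int cached, int free_contents)
{
	live = 0;
	for (int i = 0; i < calls; i++)
		map_once(cached, free_contents);
	return live;
}

int main(void)
{
	return printf("leaked: %d vs %d\n", leaked_after(100, 0, 0), leaked_after(100, 0, 1)) < 0;
}
```

Freeing only the container leaves one allocation behind per request, which is the slow growth the commit message describes for repeated cursor updates.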
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c index 9f364df52478..297ee090e02e 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c @@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) npages = obj->size >> PAGE_SHIFT; mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL); if (!mtk_gem->pages) { + sg_free_table(sgt); kfree(sgt); return -ENOMEM; } @@ -248,11 +249,13 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, pgprot_writecombine(PAGE_KERNEL)); if (!mtk_gem->kvaddr) { + sg_free_table(sgt); kfree(sgt); kfree(mtk_gem->pages); return -ENOMEM; } out: + sg_free_table(sgt); kfree(sgt); iosys_map_set_vaddr(map, mtk_gem->kvaddr);
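Review bot: In the first hunk (@@ -239,6 +239,7), the `!mtk_gem->pages` branch now carries the pair `sg_free_table(sgt); kfree(sgt);`, and the same pair is repeated in the `!mtk_gem->kvaddr` branch and again after `out:`. Three hand-written copies of a two-step teardown are easy to get out of step, which is how the contents free was missed in the first place, since `kfree(sgt)` alone releases only the struct. Consider a single unwind label or a small static helper that does both steps, and have each error branch jump to or call it.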
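Review bot: In the second hunk (@@ -248,11 +249,13), the `sg_free_table(sgt);` added directly under `out:` runs for every path that jumps to that label, not only for the fall-through path that fetched a table. `kfree(sgt)` tolerated a NULL `sgt` there, but `sg_free_table()` dereferences its argument, as Fei Shao points out in the thread. Either move `sg_free_table(sgt); kfree(sgt);` above the `out:` label so only the path that owns a table executes them, or guard the call with `if (sgt)`. Separately, the `!mtk_gem->kvaddr` branch does `kfree(mtk_gem->pages);` and returns without clearing the field, so `mtk_gem->pages` keeps a stale pointer; setting it to NULL after the free would make later checks on that field safe.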