[PATCH] drm/mediatek: Correctly free sg_table in gem prime vmap

Chen-Yu Tsai posted 1 patch 11 months, 3 weeks ago
There is a newer version of this series
drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] drm/mediatek: Correctly free sg_table in gem prime vmap
Posted by Chen-Yu Tsai 11 months, 3 weeks ago
The MediaTek DRM driver implements GEM PRIME vmap by fetching the
sg_table for the object, iterating through the pages, and then
vmapping them. In essence, unlike the GEM DMA helpers which vmap
when the object is first created or imported, the MediaTek version
does it on request.

Unfortunately, the code never correctly frees the sg_table contents.
This results in a kernel memory leak. On a Hayato device with a text
console on the internal display, this results in the system running
out of memory in a few days from all the console screen cursor updates.

Add sg_free_table() to correctly free the contents of the sg_table. This
was missing despite being explicitly required by mtk_gem_prime_get_sg_table().

Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
---
Please merge for v6.6 fixes.

Also, I was wondering why the MediaTek DRM driver implements a lot of
the GEM functionality itself, instead of using the GEM DMA helpers.
From what I could tell, the code closely follows the DMA helpers, except
that it vmaps the buffers only upon request.


 drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
index 9f364df52478..297ee090e02e 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map)
 	npages = obj->size >> PAGE_SHIFT;
 	mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL);
 	if (!mtk_gem->pages) {
+		sg_free_table(sgt);
 		kfree(sgt);
 		return -ENOMEM;
 	}
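Review bot: the two-line cleanup added here (sg_free_table(sgt) followed by kfree(sgt)) is now repeated verbatim at the vmap() failure path and again under out: in the next hunk; a single unwind label for the sg_table (the usual kernel error-path pattern) would keep the three copies from drifting apart if another allocation is added later. The order itself is right: the entry array must be released by sg_free_table() before the struct sg_table is kfree()d.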
@@ -248,11 +249,13 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map)
 	mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP,
 			       pgprot_writecombine(PAGE_KERNEL));
 	if (!mtk_gem->kvaddr) {
+		sg_free_table(sgt);
 		kfree(sgt);
 		kfree(mtk_gem->pages);
 		return -ENOMEM;
 	}
 out:
+	sg_free_table(sgt);
 	kfree(sgt);
 	iosys_map_set_vaddr(map, mtk_gem->kvaddr);
 
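Review bot: the sg_free_table(sgt) placed under out: is also reached by the early "goto out" exit taken when the object is already mapped, and on that path sgt has not been fetched and is still NULL; unlike kfree(), sg_free_table() dereferences its argument, so that path would oops. Either guard the call (if (sgt) sg_free_table(sgt);) or do the table cleanup before the jump; the two allocation-failure paths above are unaffected because sgt is always valid there.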
-- 
2.42.0.582.g8ccd20d70d-goog
Re: [PATCH] drm/mediatek: Correctly free sg_table in gem prime vmap
Posted by Fei Shao 11 months, 3 weeks ago
Hi,

On Mon, Oct 2, 2023 at 5:21 PM Chen-Yu Tsai <wenst@chromium.org> wrote:
>
> The MediaTek DRM driver implements GEM PRIME vmap by fetching the
> sg_table for the object, iterating through the pages, and then
> vmapping them. In essence, unlike the GEM DMA helpers which vmap
> when the object is first created or imported, the MediaTek version
> does it on request.
>
> Unfortunately, the code never correctly frees the sg_table contents.
> This results in a kernel memory leak. On a Hayato device with a text
> console on the internal display, this results in the system running
> out of memory in a few days from all the console screen cursor updates.
>
> Add sg_free_table() to correctly free the contents of the sg_table. This
> was missing despite being explicitly required by mtk_gem_prime_get_sg_table().
>
> Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
> ---
> Please merge for v6.6 fixes.
>
> Also, I was wondering why the MediaTek DRM driver implements a lot of
> the GEM functionality itself, instead of using the GEM DMA helpers.
> From what I could tell, the code closely follows the DMA helpers, except
> that it vmaps the buffers only upon request.
>
>
>  drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index 9f364df52478..297ee090e02e 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map)
>         npages = obj->size >> PAGE_SHIFT;
>         mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL);
>         if (!mtk_gem->pages) {
> +               sg_free_table(sgt);
>                 kfree(sgt);
>                 return -ENOMEM;
>         }
> @@ -248,11 +249,13 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map)
>         mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP,
>                                pgprot_writecombine(PAGE_KERNEL));
>         if (!mtk_gem->kvaddr) {
> +               sg_free_table(sgt);
>                 kfree(sgt);
>                 kfree(mtk_gem->pages);
>                 return -ENOMEM;
>         }
>  out:
> +       sg_free_table(sgt);

I think this will cause invalid access from the "goto out" path -
sg_free_table() accesses the provided sg table pointer, but it doesn't
handle NULL pointers like kfree() does.

Regards,
Fei


>         kfree(sgt);
>         iosys_map_set_vaddr(map, mtk_gem->kvaddr);
>
> --
> 2.42.0.582.g8ccd20d70d-goog
>
>
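As an added illustration (not code from the patch or from the kernel), the following userspace C model reproduces the three cleanup situations discussed in the commit message and in Fei Shao's reply: the original code leaking the sg_table entries on every vmap request, the fix freeing them, and the guard needed because sg_free_table() must not run on the "goto out" path where sgt is still NULL. All structs and helpers are mocks named after their kernel counterparts; the real functions take more arguments.

```c
/* Userspace model of the vmap cleanup paths from this thread (added illustration, not
 * kernel code). sg_table, vmap and the allocators are mocked; 'outstanding' counts
 * allocations minus frees, so a leak shows up as a nonzero balance. */
#include <stdlib.h>

struct sg_table { void *sgl; };             /* stand-in for the kernel struct */
struct gem_obj { void *kvaddr; };           /* only the field the model needs */
static int outstanding;

/* mock of mtk_gem_prime_get_sg_table(): the struct plus its entry array */
static struct sg_table *get_sg_table(void)
{
	struct sg_table *sgt = malloc(sizeof *sgt);
	sgt->sgl = malloc(64);
	outstanding += 2;
	return sgt;
}
/* mock of sg_free_table(): frees the entries; as in the kernel, NULL is not tolerated */
static void sg_free_table(struct sg_table *sgt)
{
	free(sgt->sgl);
	outstanding--;
}
/* mock of kfree(): NULL-safe, as in the kernel */
static void kfree(void *p) { if (p) { free(p); outstanding--; } }

/* 'fixed' selects the original cleanup (0) or the corrected one (1) */
static void prime_vmap(struct gem_obj *obj, int fixed)
{
	struct sg_table *sgt = NULL;

	if (obj->kvaddr)
		goto out;                   /* already mapped: sgt stays NULL */
	sgt = get_sg_table();
	obj->kvaddr = malloc(1);        /* models the vmap() result */
	outstanding++;
out:
	if (fixed && sgt)               /* guard: sg_free_table(NULL) would crash */
		sg_free_table(sgt);
	kfree(sgt);                     /* the original code only freed the struct */
}

/* map 'calls' times on one object, unmap, and report how many allocations leaked */
static int leaked_after(int calls, int fixed)
{
	struct gem_obj obj = { NULL };
	outstanding = 0;
	for (int i = 0; i < calls; i++)
		prime_vmap(&obj, fixed);
	kfree(obj.kvaddr);              /* models vunmap */
	return outstanding;
}
```

With the original cleanup one entry array is left behind per mapped object; with the guarded fix repeated vmap requests on an already-mapped object take the NULL path safely and the balance returns to zero.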
Re: [PATCH] drm/mediatek: Correctly free sg_table in gem prime vmap
Posted by Chen-Yu Tsai 11 months, 3 weeks ago
On Tue, Oct 3, 2023 at 11:14 PM Fei Shao <fshao@chromium.org> wrote:
>
> Hi,
>
> On Mon, Oct 2, 2023 at 5:21 PM Chen-Yu Tsai <wenst@chromium.org> wrote:
> >
> > The MediaTek DRM driver implements GEM PRIME vmap by fetching the
> > sg_table for the object, iterating through the pages, and then
> > vmapping them. In essence, unlike the GEM DMA helpers which vmap
> > when the object is first created or imported, the MediaTek version
> > does it on request.
> >
> > Unfortunately, the code never correctly frees the sg_table contents.
> > This results in a kernel memory leak. On a Hayato device with a text
> > console on the internal display, this results in the system running
> > out of memory in a few days from all the console screen cursor updates.
> >
> > Add sg_free_table() to correctly free the contents of the sg_table. This
> > was missing despite being explicitly required by mtk_gem_prime_get_sg_table().
> >
> > Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
> > ---
> > Please merge for v6.6 fixes.
> >
> > Also, I was wondering why the MediaTek DRM driver implements a lot of
> > the GEM functionality itself, instead of using the GEM DMA helpers.
> > From what I could tell, the code closely follows the DMA helpers, except
> > that it vmaps the buffers only upon request.
> >
> >
> >  drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > index 9f364df52478..297ee090e02e 100644
> > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > @@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map)
> >         npages = obj->size >> PAGE_SHIFT;
> >         mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL);
> >         if (!mtk_gem->pages) {
> > +               sg_free_table(sgt);
> >                 kfree(sgt);
> >                 return -ENOMEM;
> >         }
> > @@ -248,11 +249,13 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map)
> >         mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP,
> >                                pgprot_writecombine(PAGE_KERNEL));
> >         if (!mtk_gem->kvaddr) {
> > +               sg_free_table(sgt);
> >                 kfree(sgt);
> >                 kfree(mtk_gem->pages);
> >                 return -ENOMEM;
> >         }
> >  out:
> > +       sg_free_table(sgt);
>
> I think this will cause invalid access from the "goto out" path -
> sg_free_table() accesses the provided sg table pointer, but it doesn't
> handle NULL pointers like kfree() does.

You're right. I'll send a new version fixing this.
Re: [PATCH] drm/mediatek: Correctly free sg_table in gem prime vmap
Posted by AngeloGioacchino Del Regno 11 months, 3 weeks ago
On 02/10/23 11:20, Chen-Yu Tsai wrote:
> The MediaTek DRM driver implements GEM PRIME vmap by fetching the
> sg_table for the object, iterating through the pages, and then
> vmapping them. In essence, unlike the GEM DMA helpers which vmap
> when the object is first created or imported, the MediaTek version
> does it on request.
> 
> Unfortunately, the code never correctly frees the sg_table contents.
> This results in a kernel memory leak. On a Hayato device with a text
> console on the internal display, this results in the system running
> out of memory in a few days from all the console screen cursor updates.
> 
> Add sg_free_table() to correctly free the contents of the sg_table. This
> was missing despite being explicitly required by mtk_gem_prime_get_sg_table().
> 
> Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>

Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>