1. Patchew
  2. linux
  3. [PATCH V2 0/2] Fix two memory leaks in rproc_attach()
  4. View patch

[PATCH V2 2/2] remoteproc: core: release rproc->clean_table after rproc_attach() fails

Xiaolei Wang posted 2 patches 9 months, 2 weeks ago
There is a newer version of this series
[PATCH V2 2/2] remoteproc: core: release rproc->clean_table after rproc_attach() fails
Posted by Xiaolei Wang 9 months, 2 weeks ago 
When rproc->state = RPROC_DETACHED is attached to remote processor
through rproc_attach(), if rproc_handle_resources() returns failure,
then the clean table should be released, otherwise the following
memory leak will occur.

unreferenced object 0xffff000086a99800 (size 1024):
comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s)
hex dump (first 32 bytes):
00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............
00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............
backtrace:
 [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc
 [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230
 [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260
 [<0000000037818dae>] kmemdup+0x34/0x60
 [<00000000610f7f57>] rproc_boot+0x35c/0x56c
 [<0000000065f8871a>] rproc_add+0x124/0x17c
 [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4
 [<000000003bcaa37d>] platform_probe+0x68/0xd8
 [<00000000771577f9>] really_probe+0x110/0x27c
 [<00000000531fea59>] __driver_probe_device+0x78/0x12c
 [<0000000080036a04>] driver_probe_device+0x3c/0x118
 [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8
 [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4
 [<000000001a53b53e>] __device_attach+0xfc/0x18c
 [<00000000d1a2a32c>] device_initial_probe+0x14/0x20
 [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4
 unreferenced object 0xffff0000864c9690 (size 16):

Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
---
 drivers/remoteproc/remoteproc_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
index b21eedefff87..6226e2d12a97 100644
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -1656,6 +1656,7 @@ static int rproc_attach(struct rproc *rproc)
 unprepare_device:
 	/* release HW resources if needed */
 	rproc_unprepare_device(rproc);
+	kfree(rproc->clean_table);
 disable_iommu:
 	rproc_disable_iommu(rproc);
 	return ret;
-- 
2.25.1
Re: [PATCH V2 2/2] remoteproc: core: release rproc->clean_table after rproc_attach() fails
Posted by Xiaolei Wang 9 months, 2 weeks ago 
On 4/26/25 14:53, Xiaolei Wang wrote:
> When rproc->state = RPROC_DETACHED is attached to remote processor
> through rproc_attach(), if rproc_handle_resources() returns failure,
> then the clean table should be released, otherwise the following
> memory leak will occur.
>
> unreferenced object 0xffff000086a99800 (size 1024):
> comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............
> 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............
> backtrace:
>   [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc
>   [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230
>   [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260
>   [<0000000037818dae>] kmemdup+0x34/0x60
>   [<00000000610f7f57>] rproc_boot+0x35c/0x56c
>   [<0000000065f8871a>] rproc_add+0x124/0x17c
>   [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4
>   [<000000003bcaa37d>] platform_probe+0x68/0xd8
>   [<00000000771577f9>] really_probe+0x110/0x27c
>   [<00000000531fea59>] __driver_probe_device+0x78/0x12c
>   [<0000000080036a04>] driver_probe_device+0x3c/0x118
>   [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8
>   [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4
>   [<000000001a53b53e>] __device_attach+0xfc/0x18c
>   [<00000000d1a2a32c>] device_initial_probe+0x14/0x20
>   [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4
>   unreferenced object 0xffff0000864c9690 (size 16):
>
> Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
> ---
>   drivers/remoteproc/remoteproc_core.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
> index b21eedefff87..6226e2d12a97 100644
> --- a/drivers/remoteproc/remoteproc_core.c
> +++ b/drivers/remoteproc/remoteproc_core.c
> @@ -1656,6 +1656,7 @@ static int rproc_attach(struct rproc *rproc)
>   unprepare_device:
>   	/* release HW resources if needed */
>   	rproc_unprepare_device(rproc);
> +	kfree(rproc->clean_table);
>   disable_iommu:
>   	rproc_disable_iommu(rproc);
>   	return ret;

Hi Mathieu

For this patch, if I use devm_kmemdup() instead of kmemdup()

in rproc_set_rsc_table() function, is it better? Also delete

kfree(rproc->clean_table) in rproc_set_rsc_table()

thanks

xiaolei
Re: [PATCH V2 2/2] remoteproc: core: release rproc->clean_table after rproc_attach() fails
Posted by Mathieu Poirier 9 months, 1 week ago 
On Mon, 28 Apr 2025 at 20:20, Xiaolei Wang <xiaolei.wang@windriver.com> wrote:
>
>
> On 4/26/25 14:53, Xiaolei Wang wrote:
> > When rproc->state = RPROC_DETACHED is attached to remote processor
> > through rproc_attach(), if rproc_handle_resources() returns failure,
> > then the clean table should be released, otherwise the following
> > memory leak will occur.
> >
> > unreferenced object 0xffff000086a99800 (size 1024):
> > comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s)
> > hex dump (first 32 bytes):
> > 00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............
> > 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............
> > backtrace:
> >   [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc
> >   [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230
> >   [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260
> >   [<0000000037818dae>] kmemdup+0x34/0x60
> >   [<00000000610f7f57>] rproc_boot+0x35c/0x56c
> >   [<0000000065f8871a>] rproc_add+0x124/0x17c
> >   [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4
> >   [<000000003bcaa37d>] platform_probe+0x68/0xd8
> >   [<00000000771577f9>] really_probe+0x110/0x27c
> >   [<00000000531fea59>] __driver_probe_device+0x78/0x12c
> >   [<0000000080036a04>] driver_probe_device+0x3c/0x118
> >   [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8
> >   [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4
> >   [<000000001a53b53e>] __device_attach+0xfc/0x18c
> >   [<00000000d1a2a32c>] device_initial_probe+0x14/0x20
> >   [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4
> >   unreferenced object 0xffff0000864c9690 (size 16):
> >
> > Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
> > ---
> >   drivers/remoteproc/remoteproc_core.c | 1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
> > index b21eedefff87..6226e2d12a97 100644
> > --- a/drivers/remoteproc/remoteproc_core.c
> > +++ b/drivers/remoteproc/remoteproc_core.c
> > @@ -1656,6 +1656,7 @@ static int rproc_attach(struct rproc *rproc)
> >   unprepare_device:
> >       /* release HW resources if needed */
> >       rproc_unprepare_device(rproc);
> > +     kfree(rproc->clean_table);
> >   disable_iommu:
> >       rproc_disable_iommu(rproc);
> >       return ret;
>
> Hi Mathieu
>
> For this patch, if I use devm_kmemdup() instead of kmemdup()

I don't think using devm_kmemdup() would work in this case since the
memory is only free'd when rproc->dev is released.  So if you have
Attach()->detach()->attach(), we'd only keep accumulating memory that
is no longer used.

>
> in rproc_set_rsc_table() function, is it better? Also delete
>
> kfree(rproc->clean_table) in rproc_set_rsc_table()
>
> thanks
>
> xiaolei
>
Re: [PATCH V2 2/2] remoteproc: core: release rproc->clean_table after rproc_attach() fails
Posted by xiaolei wang 9 months, 1 week ago 
On 4/30/25 01:30, Mathieu Poirier wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> On Mon, 28 Apr 2025 at 20:20, Xiaolei Wang <xiaolei.wang@windriver.com> wrote:
>>
>> On 4/26/25 14:53, Xiaolei Wang wrote:
>>> When rproc->state = RPROC_DETACHED is attached to remote processor
>>> through rproc_attach(), if rproc_handle_resources() returns failure,
>>> then the clean table should be released, otherwise the following
>>> memory leak will occur.
>>>
>>> unreferenced object 0xffff000086a99800 (size 1024):
>>> comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s)
>>> hex dump (first 32 bytes):
>>> 00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............
>>> 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............
>>> backtrace:
>>>    [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc
>>>    [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230
>>>    [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260
>>>    [<0000000037818dae>] kmemdup+0x34/0x60
>>>    [<00000000610f7f57>] rproc_boot+0x35c/0x56c
>>>    [<0000000065f8871a>] rproc_add+0x124/0x17c
>>>    [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4
>>>    [<000000003bcaa37d>] platform_probe+0x68/0xd8
>>>    [<00000000771577f9>] really_probe+0x110/0x27c
>>>    [<00000000531fea59>] __driver_probe_device+0x78/0x12c
>>>    [<0000000080036a04>] driver_probe_device+0x3c/0x118
>>>    [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8
>>>    [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4
>>>    [<000000001a53b53e>] __device_attach+0xfc/0x18c
>>>    [<00000000d1a2a32c>] device_initial_probe+0x14/0x20
>>>    [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4
>>>    unreferenced object 0xffff0000864c9690 (size 16):
>>>
>>> Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
>>> ---
>>>    drivers/remoteproc/remoteproc_core.c | 1 +
>>>    1 file changed, 1 insertion(+)
>>>
>>> diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
>>> index b21eedefff87..6226e2d12a97 100644
>>> --- a/drivers/remoteproc/remoteproc_core.c
>>> +++ b/drivers/remoteproc/remoteproc_core.c
>>> @@ -1656,6 +1656,7 @@ static int rproc_attach(struct rproc *rproc)
>>>    unprepare_device:
>>>        /* release HW resources if needed */
>>>        rproc_unprepare_device(rproc);
>>> +     kfree(rproc->clean_table);
>>>    disable_iommu:
>>>        rproc_disable_iommu(rproc);
>>>        return ret;
>> Hi Mathieu
>>
>> For this patch, if I use devm_kmemdup() instead of kmemdup()
> I don't think using devm_kmemdup() would work in this case since the
> memory is only free'd when rproc->dev is released.  So if you have
> Attach()->detach()->attach(), we'd only keep accumulating memory that
> is no longer used.

Got it, thanks for the explanation, I will send a new version

thanks

xiaolei

>
>> in rproc_set_rsc_table() function, is it better? Also delete
>>
>> kfree(rproc->clean_table) in rproc_set_rsc_table()
>>
>> thanks
>>
>> xiaolei
>>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.