[PATCH 03/12] drm/v3d: Fix potential memory leak in the performance extension
Maíra Canal
mcanal at igalia.com
Wed Jul 10 17:00:13 UTC 2024
On 7/10/24 10:41, Tvrtko Ursulin wrote:
> From: Tvrtko Ursulin <tvrtko.ursulin at igalia.com>
>
> If fetching of userspace memory fails during the main loop, all drm sync
> objs looked up until that point will be leaked because of the missing
> drm_syncobj_put.
>
> Fix it by exporting and using a common cleanup helper.
>
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin at igalia.com>
> Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job"
Missing ) at the end of Fixes.
> Cc: Maíra Canal <mcanal at igalia.com>
> Cc: Iago Toral Quiroga <itoral at igalia.com>
> Cc: <stable at vger.kernel.org> # v6.8+
> ---
> drivers/gpu/drm/v3d/v3d_drv.h | 2 ++
> drivers/gpu/drm/v3d/v3d_sched.c | 22 +++++++++++++-----
> drivers/gpu/drm/v3d/v3d_submit.c | 40 +++++++++++++++++++++-----------
> 3 files changed, 44 insertions(+), 20 deletions(-)
>
> diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h
> index 95651c3c926f..38c80168da51 100644
> --- a/drivers/gpu/drm/v3d/v3d_drv.h
> +++ b/drivers/gpu/drm/v3d/v3d_drv.h
> @@ -565,6 +565,8 @@ void v3d_mmu_remove_ptes(struct v3d_bo *bo);
> /* v3d_sched.c */
> void __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo,
> unsigned int count);
> +void __v3d_performance_query_info_free(struct v3d_performance_query_info *qinfo,
> + unsigned int count);
Same nits from the previous patch.
> void v3d_job_update_stats(struct v3d_job *job, enum v3d_queue queue);
> int v3d_sched_init(struct v3d_dev *v3d);
> void v3d_sched_fini(struct v3d_dev *v3d);
> diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
> index e45d3ddc6f82..173801aa54ee 100644
> --- a/drivers/gpu/drm/v3d/v3d_sched.c
> +++ b/drivers/gpu/drm/v3d/v3d_sched.c
> @@ -87,20 +87,30 @@ __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo,
> }
> }
>
> +void
> +__v3d_performance_query_info_free(struct v3d_performance_query_info *qinfo,
> + unsigned int count)
> +{
> + if (qinfo->queries) {
> + unsigned int i;
> +
> + for (i = 0; i < count; i++)
> + drm_syncobj_put(qinfo->queries[i].syncobj);
> +
> + kvfree(qinfo->queries);
> + }
> +}
> +
> static void
> v3d_cpu_job_free(struct drm_sched_job *sched_job)
> {
> struct v3d_cpu_job *job = to_cpu_job(sched_job);
> - struct v3d_performance_query_info *performance_query = &job->performance_query;
>
> __v3d_timestamp_query_info_free(&job->timestamp_query,
> job->timestamp_query.count);
>
> - if (performance_query->queries) {
> - for (int i = 0; i < performance_query->count; i++)
> - drm_syncobj_put(performance_query->queries[i].syncobj);
> - kvfree(performance_query->queries);
> - }
> + __v3d_performance_query_info_free(&job->performance_query,
> + job->performance_query.count);
>
> v3d_job_cleanup(&job->base);
> }
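Review bot: `__v3d_performance_query_info_free()` leaves `qinfo->queries` pointing at freed memory after the `kvfree()`, so the helper is not safe to reach twice for the same job. With this patch it is called from the submit error paths as well as from `v3d_cpu_job_free()`; if a failed submit is followed by another cleanup path that frees `performance_query.queries` (not visible in this patch), the stale pointer would be freed a second time. Adding `qinfo->queries = NULL;` right after `kvfree(qinfo->queries);` makes the cleanup idempotent. A one-line comment above the helper saying that `count` is the number of entries whose syncobj has already been looked up would also explain why the error paths pass `i` rather than the full count.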
> diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
> index 2818afdd4807..ca1b1ad0a75c 100644
> --- a/drivers/gpu/drm/v3d/v3d_submit.c
> +++ b/drivers/gpu/drm/v3d/v3d_submit.c
> @@ -637,6 +637,7 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
> u32 __user *syncs;
> u64 __user *kperfmon_ids;
> struct drm_v3d_reset_performance_query reset;
> + int err;
>
> if (!job) {
> DRM_DEBUG("CPU job extension was attached to a GPU job.\n");
> @@ -672,32 +673,36 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
> u32 id;
>
> if (copy_from_user(&sync, syncs++, sizeof(sync))) {
> - kvfree(job->performance_query.queries);
> - return -EFAULT;
> + err = -EFAULT;
> + goto error;
> }
>
> - job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
> -
> if (copy_from_user(&ids, kperfmon_ids++, sizeof(ids))) {
> - kvfree(job->performance_query.queries);
> - return -EFAULT;
> + err = -EFAULT;
> + goto error;
> }
>
> ids_pointer = u64_to_user_ptr(ids);
>
> for (int j = 0; j < reset.nperfmons; j++) {
> if (copy_from_user(&id, ids_pointer++, sizeof(id))) {
> - kvfree(job->performance_query.queries);
> - return -EFAULT;
> + err = -EFAULT;
> + goto error;
> }
>
> job->performance_query.queries[i].kperfmon_ids[j] = id;
> }
> +
> + job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
> }
> job->performance_query.count = reset.count;
> job->performance_query.nperfmons = reset.nperfmons;
>
> return 0;
> +
> +error
> + __v3d_performance_query_info_free(qinfo, i);
The declaration of `qinfo` is missing.
> + return err;
> }
>
> static int
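Review bot: The result of `drm_syncobj_find(file_priv, sync)` is stored into `queries[i].syncobj` without a check, and `sync` is a handle copied from userspace. A handle that does not resolve would leave a NULL entry that the cleanup helper later passes to `drm_syncobj_put()`, which as far as I know does not tolerate NULL (worth confirming against the header). Rejecting the submission at lookup time avoids carrying the NULL entry at all: `if (!job->performance_query.queries[i].syncobj) { err = -ENOENT; goto error; }`. The same unchecked lookup appears in v3d_get_cpu_copy_performance_query_params further down; the loop header of this function is outside the hunk.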
> @@ -708,6 +713,7 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
> u32 __user *syncs;
> u64 __user *kperfmon_ids;
> struct drm_v3d_copy_performance_query copy;
> + int err;
>
> if (!job) {
> DRM_DEBUG("CPU job extension was attached to a GPU job.\n");
> @@ -746,27 +752,29 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
> u32 id;
>
> if (copy_from_user(&sync, syncs++, sizeof(sync))) {
> - kvfree(job->performance_query.queries);
> - return -EFAULT;
> + err = -EFAULT;
> + goto error;
> }
>
> job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
I believe this line should be deleted as it is introduced later in this
patch.
>
> if (copy_from_user(&ids, kperfmon_ids++, sizeof(ids))) {
> - kvfree(job->performance_query.queries);
> - return -EFAULT;
> + err = -EFAULT;
> + goto error;
> }
>
> ids_pointer = u64_to_user_ptr(ids);
>
> for (int j = 0; j < copy.nperfmons; j++) {
> if (copy_from_user(&id, ids_pointer++, sizeof(id))) {
> - kvfree(job->performance_query.queries);
> - return -EFAULT;
> + err = -EFAULT;
> + goto error;
> }
>
> job->performance_query.queries[i].kperfmon_ids[j] = id;
> }
> +
> + job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
> }
> job->performance_query.count = copy.count;
> job->performance_query.nperfmons = copy.nperfmons;
> @@ -779,6 +787,10 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
> job->copy.stride = copy.stride;
>
> return 0;
> +
> +error:
> + __v3d_performance_query_info_free(qinfo, i);
Missing declaration of `qinfo`.
Best Regards,
- Maíra
> + return err;
> }
>
> /* Whenever userspace sets ioctl extensions, v3d_get_extensions parses data
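Review bot: The `error:` label reads `i` after the loop has ended, yet the inner loop of this function (previous hunk) is written as `for (int j = 0; ...)`; if the outer loop declares `i` the same way, which cannot be seen because its header is outside the hunks, `i` is out of scope at the label. Declaring `unsigned int i;` next to `int err;` and dropping the in-loop declaration keeps the index visible to the cleanup call and matches the helper's `unsigned int count` parameter. The same applies to the `error` label in v3d_get_cpu_reset_performance_params.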