On 07/26/ , Felix Kuehling wrote:
> Am 2022-07-26 um 07:15 schrieb Lang Yu:
> > The kgd_mem memory allocated in amdgpu_amdkfd_gpuvm_import_dmabuf()
> > is not freed properly.
> >
> > Explicitly free it in amdgpu_amdkfd_gpuvm_free_memory_of_gpu()
> > under condition "mem->bo->kfd_bo != mem".
> >
> > Suggested-by: Felix Kuehling <Felix.Kuehling@xxxxxxx>
> > Signed-off-by: Lang Yu <Lang.Yu@xxxxxxx>
>
> Some suggestions inline to make the code more readable. Other than that, the
> patch is
>
> Reviewed-by: Felix Kuehling <Felix.Kuehling@xxxxxxx>
>
>
> > ---
> > drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 8 ++++++++
> > 1 file changed, 8 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> > index 6bba6961eee7..086bed40cf34 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> > @@ -1803,6 +1803,7 @@ int amdgpu_amdkfd_gpuvm_free_memory_of_gpu(
> > uint64_t *size)
> > {
> > struct amdkfd_process_info *process_info = mem->process_info;
> > + struct kgd_mem *tmp_mem = mem->bo->kfd_bo;
>
> Right, you need this because using mem after drm_gem_object_put would be a
> potential use-after-free. Instead of saving this pointer with some obscure
> variable name, you could just save a bool with a more meaningful name. E.g.:
>
> bool use_release_notifier = (mem->bo->kfd_bo == mem);
>
> This way you have the entire condition in one place, and the variable name
> explains the meaning.
Got it. Thanks!
Regards,
Lang
>
> > unsigned long bo_size = mem->bo->tbo.base.size;
> > struct kfd_mem_attachment *entry, *tmp;
> > struct bo_vm_reservation_context ctx;
> > @@ -1895,6 +1896,13 @@ int amdgpu_amdkfd_gpuvm_free_memory_of_gpu(
> > */
> > drm_gem_object_put(&mem->bo->tbo.base);
> > + /*
> > + * For kgd_mem allocated in amdgpu_amdkfd_gpuvm_import_dmabuf(),
> > + * explicitly free it here.
> > + */
> > + if (mem != tmp_mem)
>
> if (!use_release_notifier)
> kfree(mem);
>
> Regards,
> Felix
>
>
> > + kfree(mem);
> > +
> > return ret;
> > }
