Re: [PATCH 03/12] drm/v3d: Fix potential memory leak in the performance extension


 



On 7/10/24 10:41, Tvrtko Ursulin wrote:
From: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxxx>

If fetching of userspace memory fails during the main loop, all drm sync
objs looked up until that point will be leaked because of the missing
drm_syncobj_put.

Fix it by exporting and using a common cleanup helper.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxxx>
Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job"

Missing ) at the end of Fixes.

Cc: Maíra Canal <mcanal@xxxxxxxxxx>
Cc: Iago Toral Quiroga <itoral@xxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx> # v6.8+
---
  drivers/gpu/drm/v3d/v3d_drv.h    |  2 ++
  drivers/gpu/drm/v3d/v3d_sched.c  | 22 +++++++++++++-----
  drivers/gpu/drm/v3d/v3d_submit.c | 40 +++++++++++++++++++++-----------
  3 files changed, 44 insertions(+), 20 deletions(-)

diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h
index 95651c3c926f..38c80168da51 100644
--- a/drivers/gpu/drm/v3d/v3d_drv.h
+++ b/drivers/gpu/drm/v3d/v3d_drv.h
@@ -565,6 +565,8 @@ void v3d_mmu_remove_ptes(struct v3d_bo *bo);
  /* v3d_sched.c */
  void __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo,
  				     unsigned int count);
+void __v3d_performance_query_info_free(struct v3d_performance_query_info *qinfo,
+				       unsigned int count);

Same nits from the previous patch.

  void v3d_job_update_stats(struct v3d_job *job, enum v3d_queue queue);
  int v3d_sched_init(struct v3d_dev *v3d);
  void v3d_sched_fini(struct v3d_dev *v3d);
diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
index e45d3ddc6f82..173801aa54ee 100644
--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -87,20 +87,30 @@ __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo,
  	}
  }
+void
+__v3d_performance_query_info_free(struct v3d_performance_query_info *qinfo,
+				  unsigned int count)
+{
+	if (qinfo->queries) {
+		unsigned int i;
+
+		for (i = 0; i < count; i++)
+			drm_syncobj_put(qinfo->queries[i].syncobj);
+
+		kvfree(qinfo->queries);
+	}
+}
+
  static void
  v3d_cpu_job_free(struct drm_sched_job *sched_job)
  {
  	struct v3d_cpu_job *job = to_cpu_job(sched_job);
-	struct v3d_performance_query_info *performance_query = &job->performance_query;
__v3d_timestamp_query_info_free(&job->timestamp_query,
  					job->timestamp_query.count);
- if (performance_query->queries) {
-		for (int i = 0; i < performance_query->count; i++)
-			drm_syncobj_put(performance_query->queries[i].syncobj);
-		kvfree(performance_query->queries);
-	}
+	__v3d_performance_query_info_free(&job->performance_query,
+					  job->performance_query.count);
v3d_job_cleanup(&job->base);
  }
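Review bot: `__v3d_performance_query_info_free()` leaves `qinfo->queries` pointing at freed memory after `kvfree(qinfo->queries)`, and this patch now calls it from two places for the same job: the new `error:` labels in v3d_submit.c and `v3d_cpu_job_free()` in this hunk. If job teardown can still run after a failed extension parse (the ioctl's failure path is not visible here, so this needs confirming), the `if (qinfo->queries)` guard passes on the stale pointer and the array is freed a second time. Clearing the pointer in the helper makes the cleanup idempotent: add `qinfo->queries = NULL;` right after the `kvfree()`. A short comment above the helper stating that `count` is the number of entries whose `syncobj` has already been looked up would also document why the error paths pass `i` rather than the requested count.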
diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
index 2818afdd4807..ca1b1ad0a75c 100644
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -637,6 +637,7 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
  	u32 __user *syncs;
  	u64 __user *kperfmon_ids;
  	struct drm_v3d_reset_performance_query reset;
+	int err;
if (!job) {
  		DRM_DEBUG("CPU job extension was attached to a GPU job.\n");
@@ -672,32 +673,36 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
  		u32 id;
if (copy_from_user(&sync, syncs++, sizeof(sync))) {
-			kvfree(job->performance_query.queries);
-			return -EFAULT;
+			err = -EFAULT;
+			goto error;
  		}
- job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
-
  		if (copy_from_user(&ids, kperfmon_ids++, sizeof(ids))) {
-			kvfree(job->performance_query.queries);
-			return -EFAULT;
+			err = -EFAULT;
+			goto error;
  		}
ids_pointer = u64_to_user_ptr(ids); for (int j = 0; j < reset.nperfmons; j++) {
  			if (copy_from_user(&id, ids_pointer++, sizeof(id))) {
-				kvfree(job->performance_query.queries);
-				return -EFAULT;
+				err = -EFAULT;
+				goto error;
  			}
job->performance_query.queries[i].kperfmon_ids[j] = id;
  		}
+
+		job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
  	}
  	job->performance_query.count = reset.count;
  	job->performance_query.nperfmons = reset.nperfmons;
return 0;
+
+error > +	__v3d_performance_query_info_free(qinfo, i);

The declaration of `qinfo` is missing.

+	return err;
  }
static int
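Review bot: The result of `drm_syncobj_find(file_priv, sync)` on the moved line at the end of the loop body is stored without a NULL check, although `sync` is a handle copied from userspace a few lines earlier. `drm_syncobj_find()` returns NULL for a handle that does not resolve, and the new cleanup helper passes every stored entry straight to `drm_syncobj_put()`, which does not accept NULL, so an invalid handle would become a NULL dereference in the kernel when the entries are released. Rejecting the handle at lookup time avoids that: `if (!job->performance_query.queries[i].syncobj) { err = -ENOENT; goto error; }`. The identical lookup in `v3d_get_cpu_copy_performance_query_params()` in the later hunk wants the same check, unless another patch in the series already validates these handles. The function body starts outside this hunk.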
@@ -708,6 +713,7 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
  	u32 __user *syncs;
  	u64 __user *kperfmon_ids;
  	struct drm_v3d_copy_performance_query copy;
+	int err;
if (!job) {
  		DRM_DEBUG("CPU job extension was attached to a GPU job.\n");
@@ -746,27 +752,29 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
  		u32 id;
if (copy_from_user(&sync, syncs++, sizeof(sync))) {
-			kvfree(job->performance_query.queries);
-			return -EFAULT;
+			err = -EFAULT;
+			goto error;
  		}
job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);

I believe this line should be deleted as it is introduced later in this
patch.

if (copy_from_user(&ids, kperfmon_ids++, sizeof(ids))) {
-			kvfree(job->performance_query.queries);
-			return -EFAULT;
+			err = -EFAULT;
+			goto error;
  		}
ids_pointer = u64_to_user_ptr(ids); for (int j = 0; j < copy.nperfmons; j++) {
  			if (copy_from_user(&id, ids_pointer++, sizeof(id))) {
-				kvfree(job->performance_query.queries);
-				return -EFAULT;
+				err = -EFAULT;
+				goto error;
  			}
job->performance_query.queries[i].kperfmon_ids[j] = id;
  		}
+
+		job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
  	}
  	job->performance_query.count = copy.count;
  	job->performance_query.nperfmons = copy.nperfmons;
@@ -779,6 +787,10 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
  	job->copy.stride = copy.stride;
return 0;
+
+error:
+	__v3d_performance_query_info_free(qinfo, i);

Missing declaration of `qinfo`.

Best Regards,
- Maíra

+	return err;
  }
/* Whenever userspace sets ioctl extensions, v3d_get_extensions parses data


