From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: "Christian König" <christian.koenig@amd.com>
Cc: linaro-mm-sig@lists.linaro.org, intel-gfx@lists.freedesktop.org,
Sumit Semwal <sumit.semwal@linaro.org>,
dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org
Subject: Re: [Intel-gfx] [PATCH] dma-buf/dma-resv: Stop leaking on krealloc() failure
Date: Fri, 14 Jul 2023 21:42:24 +0300 [thread overview]
Message-ID: <ZLGXEMdvBAVaNICJ@intel.com> (raw)
In-Reply-To: <defcbed9-7cfc-9499-9e08-02a06390cc8f@amd.com>
On Fri, Jul 14, 2023 at 08:56:15AM +0200, Christian König wrote:
> Am 13.07.23 um 21:47 schrieb Ville Syrjala:
> > From: Ville Syrjälä <ville.syrjala@linux.intel.com>
> >
> > Currently dma_resv_get_fences() will leak the previously
> > allocated array if the fence iteration got restarted and
> > the krealloc_array() fails.
> >
> > Free the old array by hand, and make sure we still clear
> > the returned *fences so the caller won't end up accessing
> > freed memory. Some (but not all) of the callers of
> > dma_resv_get_fences() seem to still trawl through the
> > array even when dma_resv_get_fences() failed. And let's
> > zero out *num_fences as well for good measure.
> >
> > Cc: Sumit Semwal <sumit.semwal@linaro.org>
> > Cc: Christian König <christian.koenig@amd.com>
> > Cc: linux-media@vger.kernel.org
> > Cc: dri-devel@lists.freedesktop.org
> > Cc: linaro-mm-sig@lists.linaro.org
> > Fixes: d3c80698c9f5 ("dma-buf: use new iterator in dma_resv_get_fences v3")
> > Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
> Good catch, Reviewed-by: Christian König <christian.koenig@amd.com>
>
> Should I add a CC: stable and push to drm-misc-fixes?
Sure, if you don't mind. Thanks.
>
> Thanks,
> Christian.
>
> > ---
> > drivers/dma-buf/dma-resv.c | 13 +++++++++----
> > 1 file changed, 9 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
> > index b6f71eb00866..38b4110378de 100644
> > --- a/drivers/dma-buf/dma-resv.c
> > +++ b/drivers/dma-buf/dma-resv.c
> > @@ -571,6 +571,7 @@ int dma_resv_get_fences(struct dma_resv *obj, enum dma_resv_usage usage,
> > dma_resv_for_each_fence_unlocked(&cursor, fence) {
> >
> > if (dma_resv_iter_is_restarted(&cursor)) {
> > + struct dma_fence **new_fences;
> > unsigned int count;
> >
> > while (*num_fences)
> > @@ -579,13 +580,17 @@ int dma_resv_get_fences(struct dma_resv *obj, enum dma_resv_usage usage,
> > count = cursor.num_fences + 1;
> >
> > /* Eventually re-allocate the array */
> > - *fences = krealloc_array(*fences, count,
> > - sizeof(void *),
> > - GFP_KERNEL);
> > - if (count && !*fences) {
> > + new_fences = krealloc_array(*fences, count,
> > + sizeof(void *),
> > + GFP_KERNEL);
> > + if (count && !new_fences) {
> > + kfree(*fences);
> > + *fences = NULL;
> > + *num_fences = 0;
> > dma_resv_iter_end(&cursor);
> > return -ENOMEM;
> > }
> > + *fences = new_fences;
> > }
> >
> > (*fences)[(*num_fences)++] = dma_fence_get(fence);
--
Ville Syrjälä
Intel
WARNING: multiple messages have this Message-ID (diff)
From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: "Christian König" <christian.koenig@amd.com>
Cc: linaro-mm-sig@lists.linaro.org, intel-gfx@lists.freedesktop.org,
Sumit Semwal <sumit.semwal@linaro.org>,
dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org
Subject: Re: [PATCH] dma-buf/dma-resv: Stop leaking on krealloc() failure
Date: Fri, 14 Jul 2023 21:42:24 +0300 [thread overview]
Message-ID: <ZLGXEMdvBAVaNICJ@intel.com> (raw)
In-Reply-To: <defcbed9-7cfc-9499-9e08-02a06390cc8f@amd.com>
On Fri, Jul 14, 2023 at 08:56:15AM +0200, Christian König wrote:
> Am 13.07.23 um 21:47 schrieb Ville Syrjala:
> > From: Ville Syrjälä <ville.syrjala@linux.intel.com>
> >
> > Currently dma_resv_get_fences() will leak the previously
> > allocated array if the fence iteration got restarted and
> > the krealloc_array() fails.
> >
> > Free the old array by hand, and make sure we still clear
> > the returned *fences so the caller won't end up accessing
> > freed memory. Some (but not all) of the callers of
> > dma_resv_get_fences() seem to still trawl through the
> > array even when dma_resv_get_fences() failed. And let's
> > zero out *num_fences as well for good measure.
> >
> > Cc: Sumit Semwal <sumit.semwal@linaro.org>
> > Cc: Christian König <christian.koenig@amd.com>
> > Cc: linux-media@vger.kernel.org
> > Cc: dri-devel@lists.freedesktop.org
> > Cc: linaro-mm-sig@lists.linaro.org
> > Fixes: d3c80698c9f5 ("dma-buf: use new iterator in dma_resv_get_fences v3")
> > Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
> Good catch, Reviewed-by: Christian König <christian.koenig@amd.com>
>
> Should I add a CC: stable and push to drm-misc-fixes?
Sure, if you don't mind. Thanks.
>
> Thanks,
> Christian.
>
> > ---
> > drivers/dma-buf/dma-resv.c | 13 +++++++++----
> > 1 file changed, 9 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
> > index b6f71eb00866..38b4110378de 100644
> > --- a/drivers/dma-buf/dma-resv.c
> > +++ b/drivers/dma-buf/dma-resv.c
> > @@ -571,6 +571,7 @@ int dma_resv_get_fences(struct dma_resv *obj, enum dma_resv_usage usage,
> > dma_resv_for_each_fence_unlocked(&cursor, fence) {
> >
> > if (dma_resv_iter_is_restarted(&cursor)) {
> > + struct dma_fence **new_fences;
> > unsigned int count;
> >
> > while (*num_fences)
> > @@ -579,13 +580,17 @@ int dma_resv_get_fences(struct dma_resv *obj, enum dma_resv_usage usage,
> > count = cursor.num_fences + 1;
> >
> > /* Eventually re-allocate the array */
> > - *fences = krealloc_array(*fences, count,
> > - sizeof(void *),
> > - GFP_KERNEL);
> > - if (count && !*fences) {
> > + new_fences = krealloc_array(*fences, count,
> > + sizeof(void *),
> > + GFP_KERNEL);
> > + if (count && !new_fences) {
> > + kfree(*fences);
> > + *fences = NULL;
> > + *num_fences = 0;
> > dma_resv_iter_end(&cursor);
> > return -ENOMEM;
> > }
> > + *fences = new_fences;
> > }
> >
> > (*fences)[(*num_fences)++] = dma_fence_get(fence);
--
Ville Syrjälä
Intel
WARNING: multiple messages have this Message-ID (diff)
From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: "Christian König" <christian.koenig@amd.com>
Cc: dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org,
Sumit Semwal <sumit.semwal@linaro.org>,
linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org
Subject: Re: [PATCH] dma-buf/dma-resv: Stop leaking on krealloc() failure
Date: Fri, 14 Jul 2023 21:42:24 +0300 [thread overview]
Message-ID: <ZLGXEMdvBAVaNICJ@intel.com> (raw)
In-Reply-To: <defcbed9-7cfc-9499-9e08-02a06390cc8f@amd.com>
On Fri, Jul 14, 2023 at 08:56:15AM +0200, Christian König wrote:
> Am 13.07.23 um 21:47 schrieb Ville Syrjala:
> > From: Ville Syrjälä <ville.syrjala@linux.intel.com>
> >
> > Currently dma_resv_get_fences() will leak the previously
> > allocated array if the fence iteration got restarted and
> > the krealloc_array() fails.
> >
> > Free the old array by hand, and make sure we still clear
> > the returned *fences so the caller won't end up accessing
> > freed memory. Some (but not all) of the callers of
> > dma_resv_get_fences() seem to still trawl through the
> > array even when dma_resv_get_fences() failed. And let's
> > zero out *num_fences as well for good measure.
> >
> > Cc: Sumit Semwal <sumit.semwal@linaro.org>
> > Cc: Christian König <christian.koenig@amd.com>
> > Cc: linux-media@vger.kernel.org
> > Cc: dri-devel@lists.freedesktop.org
> > Cc: linaro-mm-sig@lists.linaro.org
> > Fixes: d3c80698c9f5 ("dma-buf: use new iterator in dma_resv_get_fences v3")
> > Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
> Good catch, Reviewed-by: Christian König <christian.koenig@amd.com>
>
> Should I add a CC: stable and push to drm-misc-fixes?
Sure, if you don't mind. Thanks.
>
> Thanks,
> Christian.
>
> > ---
> > drivers/dma-buf/dma-resv.c | 13 +++++++++----
> > 1 file changed, 9 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
> > index b6f71eb00866..38b4110378de 100644
> > --- a/drivers/dma-buf/dma-resv.c
> > +++ b/drivers/dma-buf/dma-resv.c
> > @@ -571,6 +571,7 @@ int dma_resv_get_fences(struct dma_resv *obj, enum dma_resv_usage usage,
> > dma_resv_for_each_fence_unlocked(&cursor, fence) {
> >
> > if (dma_resv_iter_is_restarted(&cursor)) {
> > + struct dma_fence **new_fences;
> > unsigned int count;
> >
> > while (*num_fences)
> > @@ -579,13 +580,17 @@ int dma_resv_get_fences(struct dma_resv *obj, enum dma_resv_usage usage,
> > count = cursor.num_fences + 1;
> >
> > /* Eventually re-allocate the array */
> > - *fences = krealloc_array(*fences, count,
> > - sizeof(void *),
> > - GFP_KERNEL);
> > - if (count && !*fences) {
> > + new_fences = krealloc_array(*fences, count,
> > + sizeof(void *),
> > + GFP_KERNEL);
> > + if (count && !new_fences) {
> > + kfree(*fences);
> > + *fences = NULL;
> > + *num_fences = 0;
> > dma_resv_iter_end(&cursor);
> > return -ENOMEM;
> > }
> > + *fences = new_fences;
> > }
> >
> > (*fences)[(*num_fences)++] = dma_fence_get(fence);
--
Ville Syrjälä
Intel
next prev parent reply other threads:[~2023-07-14 18:42 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-13 19:47 [Intel-gfx] [PATCH] dma-buf/dma-resv: Stop leaking on krealloc() failure Ville Syrjala
2023-07-13 19:47 ` Ville Syrjala
2023-07-13 19:47 ` Ville Syrjala
2023-07-13 20:50 ` [Intel-gfx] ✓ Fi.CI.BAT: success for " Patchwork
2023-07-14 1:38 ` [Intel-gfx] ✗ Fi.CI.IGT: failure " Patchwork
2023-07-14 6:56 ` [Intel-gfx] [PATCH] " Christian König
2023-07-14 6:56 ` Christian König
2023-07-14 6:56 ` Christian König
2023-07-14 18:42 ` Ville Syrjälä [this message]
2023-07-14 18:42 ` Ville Syrjälä
2023-07-14 18:42 ` Ville Syrjälä
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZLGXEMdvBAVaNICJ@intel.com \
--to=ville.syrjala@linux.intel.com \
--cc=christian.koenig@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-media@vger.kernel.org \
--cc=sumit.semwal@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.