* [PATCH v2 resend 0/2] gpu: host1x: possible double free and memory leak @ 2022-11-26 7:33 Yang Yingliang 2022-11-26 7:33 ` [PATCH v2 resend 1/2] gpu: host1x: fix potential double free if IOMMU is disabled Yang Yingliang 2022-11-26 7:33 ` [PATCH v2 resend 2/2] gpu: host1x: fix memory leak of device names Yang Yingliang 0 siblings, 2 replies; 6+ messages in thread From: Yang Yingliang @ 2022-11-26 7:33 UTC (permalink / raw) To: linux-tegra, thierry.reding, airlied, daniel, mperttunen, cyndis Cc: yangyingliang This patchset fix two possible problems in the error path in host1x_memory_context_list_init(). v1 -> v2: patch #1 don't return error code, if IOMMU is disabled. patch #2 make error handling code more clean. Put the two patches in one patchset. http://patchwork.ozlabs.org/project/linux-tegra/patch/20221028130300.1133520-1-yangyingliang@huawei.com/ http://patchwork.ozlabs.org/project/linux-tegra/patch/20221124080559.3592650-1-yangyingliang@huawei.com/ Yang Yingliang (2): gpu: host1x: fix potential double free if IOMMU is disabled gpu: host1x: fix memory leak of device names drivers/gpu/host1x/context.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) -- 2.25.1 ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v2 resend 1/2] gpu: host1x: fix potential double free if IOMMU is disabled 2022-11-26 7:33 [PATCH v2 resend 0/2] gpu: host1x: possible double free and memory leak Yang Yingliang @ 2022-11-26 7:33 ` Yang Yingliang 2022-11-28 9:47 ` Mikko Perttunen 2023-04-04 12:25 ` (subset) " Thierry Reding 2022-11-26 7:33 ` [PATCH v2 resend 2/2] gpu: host1x: fix memory leak of device names Yang Yingliang 1 sibling, 2 replies; 6+ messages in thread From: Yang Yingliang @ 2022-11-26 7:33 UTC (permalink / raw) To: linux-tegra, thierry.reding, airlied, daniel, mperttunen, cyndis Cc: yangyingliang If context device has no IOMMU, the 'cdl->devs' is freed in error path, but host1x_memory_context_list_init() doesn't return an error code, so the module can be loaded successfully, when it's unloading, the host1x_memory_context_list_free() is called in host1x_remove(), it will cause double free. Set the 'cdl->devs' to NULL after freeing it to avoid double free. Fixes: 8aa5bcb61612 ("gpu: host1x: Add context device management code") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/gpu/host1x/context.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c index b08cf11f9a66..291f34562e2e 100644 --- a/drivers/gpu/host1x/context.c +++ b/drivers/gpu/host1x/context.c @@ -87,6 +87,7 @@ int host1x_memory_context_list_init(struct host1x *host1x) device_del(&cdl->devs[i].dev); kfree(cdl->devs); + cdl->devs = NULL; cdl->len = 0; return err; -- 2.25.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2 resend 1/2] gpu: host1x: fix potential double free if IOMMU is disabled 2022-11-26 7:33 ` [PATCH v2 resend 1/2] gpu: host1x: fix potential double free if IOMMU is disabled Yang Yingliang @ 2022-11-28 9:47 ` Mikko Perttunen 2023-04-04 12:25 ` (subset) " Thierry Reding 1 sibling, 0 replies; 6+ messages in thread From: Mikko Perttunen @ 2022-11-28 9:47 UTC (permalink / raw) To: Yang Yingliang, linux-tegra, thierry.reding, airlied, daniel, mperttunen On 11/26/22 09:33, Yang Yingliang wrote: > If context device has no IOMMU, the 'cdl->devs' is freed in > error path, but host1x_memory_context_list_init() doesn't > return an error code, so the module can be loaded successfully, > when it's unloading, the host1x_memory_context_list_free() is > called in host1x_remove(), it will cause double free. Set the > 'cdl->devs' to NULL after freeing it to avoid double free. > > Fixes: 8aa5bcb61612 ("gpu: host1x: Add context device management code") > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > drivers/gpu/host1x/context.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c > index b08cf11f9a66..291f34562e2e 100644 > --- a/drivers/gpu/host1x/context.c > +++ b/drivers/gpu/host1x/context.c > @@ -87,6 +87,7 @@ int host1x_memory_context_list_init(struct host1x *host1x) > device_del(&cdl->devs[i].dev); > > kfree(cdl->devs); > + cdl->devs = NULL; > cdl->len = 0; > > return err; Thanks! Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: (subset) [PATCH v2 resend 1/2] gpu: host1x: fix potential double free if IOMMU is disabled 2022-11-26 7:33 ` [PATCH v2 resend 1/2] gpu: host1x: fix potential double free if IOMMU is disabled Yang Yingliang 2022-11-28 9:47 ` Mikko Perttunen @ 2023-04-04 12:25 ` Thierry Reding 1 sibling, 0 replies; 6+ messages in thread From: Thierry Reding @ 2023-04-04 12:25 UTC (permalink / raw) To: airlied, Yang Yingliang, thierry.reding, cyndis, mperttunen, daniel, linux-tegra From: Thierry Reding <treding@nvidia.com> On Sat, 26 Nov 2022 15:33:14 +0800, Yang Yingliang wrote: > If context device has no IOMMU, the 'cdl->devs' is freed in > error path, but host1x_memory_context_list_init() doesn't > return an error code, so the module can be loaded successfully, > when it's unloading, the host1x_memory_context_list_free() is > called in host1x_remove(), it will cause double free. Set the > 'cdl->devs' to NULL after freeing it to avoid double free. > > [...] Applied, thanks! [1/2] gpu: host1x: fix potential double free if IOMMU is disabled (no commit info) Best regards, -- Thierry Reding <treding@nvidia.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v2 resend 2/2] gpu: host1x: fix memory leak of device names 2022-11-26 7:33 [PATCH v2 resend 0/2] gpu: host1x: possible double free and memory leak Yang Yingliang 2022-11-26 7:33 ` [PATCH v2 resend 1/2] gpu: host1x: fix potential double free if IOMMU is disabled Yang Yingliang @ 2022-11-26 7:33 ` Yang Yingliang 2022-11-28 9:53 ` Mikko Perttunen 1 sibling, 1 reply; 6+ messages in thread From: Yang Yingliang @ 2022-11-26 7:33 UTC (permalink / raw) To: linux-tegra, thierry.reding, airlied, daniel, mperttunen, cyndis Cc: yangyingliang The device names allocated by dev_set_name() need be freed before module unloading, but they can not be freed because the kobject's refcount which was set in device_initialize() has not be decreased to 0. As comment of device_add() says, if it fails, use only put_device() drop the refcount, then the name will be freed in kobejct_cleanup(). device_del() and put_device() can be replaced with device_unregister(), so call it to unregister the added successfully devices, and just call put_device() to the not added device. Add a release() function to device to avoid null release() function WARNING in device_release(), it's empty, because the context devices are freed together in host1x_memory_context_list_free(). Fixes: 8aa5bcb61612 ("gpu: host1x: Add context device management code") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/gpu/host1x/context.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c index 291f34562e2e..047696432eb2 100644 --- a/drivers/gpu/host1x/context.c +++ b/drivers/gpu/host1x/context.c @@ -13,6 +13,11 @@ #include "context.h" #include "dev.h" +static void host1x_memory_context_release(struct device *dev) +{ + /* context device is freed in host1x_memory_context_list_free() */ +} + int host1x_memory_context_list_init(struct host1x *host1x) { struct host1x_memory_context_list *cdl = &host1x->context_list; @@ -53,28 +58,30 @@ int host1x_memory_context_list_init(struct host1x *host1x) dev_set_name(&ctx->dev, "host1x-ctx.%d", i); ctx->dev.bus = &host1x_context_device_bus_type; ctx->dev.parent = host1x->dev; + ctx->dev.release = host1x_memory_context_release; dma_set_max_seg_size(&ctx->dev, UINT_MAX); err = device_add(&ctx->dev); if (err) { dev_err(host1x->dev, "could not add context device %d: %d\n", i, err); - goto del_devices; + put_device(&ctx->dev); + goto unreg_devices; } err = of_dma_configure_id(&ctx->dev, node, true, &i); if (err) { dev_err(host1x->dev, "IOMMU configuration failed for context device %d: %d\n", i, err); - device_del(&ctx->dev); - goto del_devices; + device_unregister(&ctx->dev); + goto unreg_devices; } fwspec = dev_iommu_fwspec_get(&ctx->dev); if (!fwspec || !device_iommu_mapped(&ctx->dev)) { dev_err(host1x->dev, "Context device %d has no IOMMU!\n", i); - device_del(&ctx->dev); - goto del_devices; + device_unregister(&ctx->dev); + goto unreg_devices; } ctx->stream_id = fwspec->ids[0] & 0xffff; @@ -82,9 +89,9 @@ int host1x_memory_context_list_init(struct host1x *host1x) return 0; -del_devices: +unreg_devices: while (i--) - device_del(&cdl->devs[i].dev); + device_unregister(&cdl->devs[i].dev); kfree(cdl->devs); cdl->devs = NULL; @@ -98,7 +105,7 @@ void host1x_memory_context_list_free(struct host1x_memory_context_list *cdl) unsigned int i; for (i = 0; i < cdl->len; i++) - device_del(&cdl->devs[i].dev); + device_unregister(&cdl->devs[i].dev); kfree(cdl->devs); cdl->len = 0; -- 2.25.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2 resend 2/2] gpu: host1x: fix memory leak of device names 2022-11-26 7:33 ` [PATCH v2 resend 2/2] gpu: host1x: fix memory leak of device names Yang Yingliang @ 2022-11-28 9:53 ` Mikko Perttunen 0 siblings, 0 replies; 6+ messages in thread From: Mikko Perttunen @ 2022-11-28 9:53 UTC (permalink / raw) To: Yang Yingliang, linux-tegra, thierry.reding, airlied, daniel, mperttunen On 11/26/22 09:33, Yang Yingliang wrote: > The device names allocated by dev_set_name() need be freed > before module unloading, but they can not be freed because > the kobject's refcount which was set in device_initialize() > has not be decreased to 0. > > As comment of device_add() says, if it fails, use only > put_device() drop the refcount, then the name will be > freed in kobejct_cleanup(). > > device_del() and put_device() can be replaced with > device_unregister(), so call it to unregister the added > successfully devices, and just call put_device() to the > not added device. > > Add a release() function to device to avoid null release() > function WARNING in device_release(), it's empty, because > the context devices are freed together in > host1x_memory_context_list_free(). > > Fixes: 8aa5bcb61612 ("gpu: host1x: Add context device management code") > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > drivers/gpu/host1x/context.c | 23 +++++++++++++++-------- > 1 file changed, 15 insertions(+), 8 deletions(-) > > diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c > index 291f34562e2e..047696432eb2 100644 > --- a/drivers/gpu/host1x/context.c > +++ b/drivers/gpu/host1x/context.c > @@ -13,6 +13,11 @@ > #include "context.h" > #include "dev.h" > > +static void host1x_memory_context_release(struct device *dev) > +{ > + /* context device is freed in host1x_memory_context_list_free() */ > +} > + > int host1x_memory_context_list_init(struct host1x *host1x) > { > struct host1x_memory_context_list *cdl = &host1x->context_list; > @@ -53,28 +58,30 @@ int host1x_memory_context_list_init(struct host1x *host1x) > dev_set_name(&ctx->dev, "host1x-ctx.%d", i); > ctx->dev.bus = &host1x_context_device_bus_type; > ctx->dev.parent = host1x->dev; > + ctx->dev.release = host1x_memory_context_release; > > dma_set_max_seg_size(&ctx->dev, UINT_MAX); > > err = device_add(&ctx->dev); > if (err) { > dev_err(host1x->dev, "could not add context device %d: %d\n", i, err); > - goto del_devices; > + put_device(&ctx->dev); > + goto unreg_devices; > } > > err = of_dma_configure_id(&ctx->dev, node, true, &i); > if (err) { > dev_err(host1x->dev, "IOMMU configuration failed for context device %d: %d\n", > i, err); > - device_del(&ctx->dev); > - goto del_devices; > + device_unregister(&ctx->dev); > + goto unreg_devices; > } > > fwspec = dev_iommu_fwspec_get(&ctx->dev); > if (!fwspec || !device_iommu_mapped(&ctx->dev)) { > dev_err(host1x->dev, "Context device %d has no IOMMU!\n", i); > - device_del(&ctx->dev); > - goto del_devices; > + device_unregister(&ctx->dev); > + goto unreg_devices; > } > > ctx->stream_id = fwspec->ids[0] & 0xffff; > @@ -82,9 +89,9 @@ int host1x_memory_context_list_init(struct host1x *host1x) > > return 0; > > -del_devices: > +unreg_devices: > while (i--) > - device_del(&cdl->devs[i].dev); > + device_unregister(&cdl->devs[i].dev); > > kfree(cdl->devs); > cdl->devs = NULL; > @@ -98,7 +105,7 @@ void host1x_memory_context_list_free(struct host1x_memory_context_list *cdl) > unsigned int i; > > for (i = 0; i < cdl->len; i++) > - device_del(&cdl->devs[i].dev); > + device_unregister(&cdl->devs[i].dev); > > kfree(cdl->devs); > cdl->len = 0; Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-04-04 12:26 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-11-26 7:33 [PATCH v2 resend 0/2] gpu: host1x: possible double free and memory leak Yang Yingliang 2022-11-26 7:33 ` [PATCH v2 resend 1/2] gpu: host1x: fix potential double free if IOMMU is disabled Yang Yingliang 2022-11-28 9:47 ` Mikko Perttunen 2023-04-04 12:25 ` (subset) " Thierry Reding 2022-11-26 7:33 ` [PATCH v2 resend 2/2] gpu: host1x: fix memory leak of device names Yang Yingliang 2022-11-28 9:53 ` Mikko Perttunen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox