[PATCH] powerpc/iommu: Memory leak in TCE table userspace view

linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] powerpc/iommu: Memory leak in TCE table userspace view
@ 2025-04-25 17:08 Gaurav Batra
  2025-05-02 10:23 ` Nilay Shroff
  2025-05-02 19:53 ` Ritesh Harjani
  0 siblings, 2 replies; 3+ messages in thread
From: Gaurav Batra @ 2025-04-25 17:08 UTC (permalink / raw)
  To: linuxppc-dev, maddy; +Cc: Gaurav Batra

When a device is opened by a userspace driver, via VFIO interface, DMA
window is created. This DMA window has TCE Table and a corresponding
data for userview of
TCE table.

When the userspace driver closes the device, all the above infrastructure
is free'ed and the device control given back to kernel. Both DMA window
and TCE table is getting free'ed. But due to a code bug, userview of the
TCE table is not getting free'ed. This is resulting in a memory leak.

Befow is the information from KMEMLEAK

unreferenced object 0xc008000022af0000 (size 16777216):
  comm "senlib_unit_tes", pid 9346, jiffies 4294983174
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 0):
    kmemleak_vmalloc+0xc8/0x1a0
    __vmalloc_node_range+0x284/0x340
    vzalloc+0x58/0x70
    spapr_tce_create_table+0x4b0/0x8d0
    tce_iommu_create_table+0xcc/0x170 [vfio_iommu_spapr_tce]
    tce_iommu_create_window+0x144/0x2f0 [vfio_iommu_spapr_tce]
    tce_iommu_ioctl.part.0+0x59c/0xc90 [vfio_iommu_spapr_tce]
    vfio_fops_unl_ioctl+0x88/0x280 [vfio]
    sys_ioctl+0xf4/0x160
    system_call_exception+0x164/0x310
    system_call_vectored_common+0xe8/0x278
unreferenced object 0xc008000023b00000 (size 4194304):
  comm "senlib_unit_tes", pid 9351, jiffies 4294984116
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 0):
    kmemleak_vmalloc+0xc8/0x1a0
    __vmalloc_node_range+0x284/0x340
    vzalloc+0x58/0x70
    spapr_tce_create_table+0x4b0/0x8d0
    tce_iommu_create_table+0xcc/0x170 [vfio_iommu_spapr_tce]
    tce_iommu_create_window+0x144/0x2f0 [vfio_iommu_spapr_tce]
    tce_iommu_create_default_window+0x88/0x120 [vfio_iommu_spapr_tce]
    tce_iommu_ioctl.part.0+0x57c/0xc90 [vfio_iommu_spapr_tce]
    vfio_fops_unl_ioctl+0x88/0x280 [vfio]
    sys_ioctl+0xf4/0x160
    system_call_exception+0x164/0x310
    system_call_vectored_common+0xe8/0x278

Fixes: f431a8cde7f1 ("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries")
Signed-off-by: Gaurav Batra <gbatra@linux.ibm.com>
---
 arch/powerpc/platforms/pseries/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c
index d6ebc19fb99c..eec333dd2e59 100644
--- a/arch/powerpc/platforms/pseries/iommu.c
+++ b/arch/powerpc/platforms/pseries/iommu.c
@@ -197,7 +197,7 @@ static void tce_iommu_userspace_view_free(struct iommu_table *tbl)
 
 static void tce_free_pSeries(struct iommu_table *tbl)
 {
-	if (!tbl->it_userspace)
+	if (tbl->it_userspace)
 		tce_iommu_userspace_view_free(tbl);
 }
 

base-commit: 02ddfb981de88a2c15621115dd7be2431252c568
-- 
2.39.3 (Apple Git-146)



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] powerpc/iommu: Memory leak in TCE table userspace view
  2025-04-25 17:08 [PATCH] powerpc/iommu: Memory leak in TCE table userspace view Gaurav Batra
@ 2025-05-02 10:23 ` Nilay Shroff
  2025-05-02 19:53 ` Ritesh Harjani
  1 sibling, 0 replies; 3+ messages in thread
From: Nilay Shroff @ 2025-05-02 10:23 UTC (permalink / raw)
  To: Gaurav Batra, linuxppc-dev, maddy



On 4/25/25 10:38 PM, Gaurav Batra wrote:
> When a device is opened by a userspace driver, via VFIO interface, DMA
> window is created. This DMA window has TCE Table and a corresponding
> data for userview of
> TCE table.

nitpick: Please consider folding the above line into the previous one.
Otherwise, changes look good to me:

Reviewed-by: Nilay Shroff <nilay@linux.ibm.com>



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] powerpc/iommu: Memory leak in TCE table userspace view
  2025-04-25 17:08 [PATCH] powerpc/iommu: Memory leak in TCE table userspace view Gaurav Batra
  2025-05-02 10:23 ` Nilay Shroff
@ 2025-05-02 19:53 ` Ritesh Harjani
  1 sibling, 0 replies; 3+ messages in thread
From: Ritesh Harjani @ 2025-05-02 19:53 UTC (permalink / raw)
  To: Gaurav Batra, linuxppc-dev, maddy; +Cc: Gaurav Batra

Gaurav Batra <gbatra@linux.ibm.com> writes:

> When a device is opened by a userspace driver, via VFIO interface, DMA
> window is created. This DMA window has TCE Table and a corresponding
> data for userview of
> TCE table.
>
> When the userspace driver closes the device, all the above infrastructure
> is free'ed and the device control given back to kernel. Both DMA window
> and TCE table is getting free'ed. But due to a code bug, userview of the
> TCE table is not getting free'ed. This is resulting in a memory leak.
>
> Befow is the information from KMEMLEAK
>
> unreferenced object 0xc008000022af0000 (size 16777216):
>   comm "senlib_unit_tes", pid 9346, jiffies 4294983174
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace (crc 0):
>     kmemleak_vmalloc+0xc8/0x1a0
>     __vmalloc_node_range+0x284/0x340
>     vzalloc+0x58/0x70
>     spapr_tce_create_table+0x4b0/0x8d0
>     tce_iommu_create_table+0xcc/0x170 [vfio_iommu_spapr_tce]
>     tce_iommu_create_window+0x144/0x2f0 [vfio_iommu_spapr_tce]
>     tce_iommu_ioctl.part.0+0x59c/0xc90 [vfio_iommu_spapr_tce]
>     vfio_fops_unl_ioctl+0x88/0x280 [vfio]
>     sys_ioctl+0xf4/0x160
>     system_call_exception+0x164/0x310
>     system_call_vectored_common+0xe8/0x278
> unreferenced object 0xc008000023b00000 (size 4194304):
>   comm "senlib_unit_tes", pid 9351, jiffies 4294984116
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace (crc 0):
>     kmemleak_vmalloc+0xc8/0x1a0
>     __vmalloc_node_range+0x284/0x340
>     vzalloc+0x58/0x70
>     spapr_tce_create_table+0x4b0/0x8d0
>     tce_iommu_create_table+0xcc/0x170 [vfio_iommu_spapr_tce]
>     tce_iommu_create_window+0x144/0x2f0 [vfio_iommu_spapr_tce]
>     tce_iommu_create_default_window+0x88/0x120 [vfio_iommu_spapr_tce]
>     tce_iommu_ioctl.part.0+0x57c/0xc90 [vfio_iommu_spapr_tce]
>     vfio_fops_unl_ioctl+0x88/0x280 [vfio]
>     sys_ioctl+0xf4/0x160
>     system_call_exception+0x164/0x310
>     system_call_vectored_common+0xe8/0x278
>
> Fixes: f431a8cde7f1 ("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries")
> Signed-off-by: Gaurav Batra <gbatra@linux.ibm.com>
> ---
>  arch/powerpc/platforms/pseries/iommu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c
> index d6ebc19fb99c..eec333dd2e59 100644
> --- a/arch/powerpc/platforms/pseries/iommu.c
> +++ b/arch/powerpc/platforms/pseries/iommu.c
> @@ -197,7 +197,7 @@ static void tce_iommu_userspace_view_free(struct iommu_table *tbl)
>
>  static void tce_free_pSeries(struct iommu_table *tbl)
>  {
> -	if (!tbl->it_userspace)
> +	if (tbl->it_userspace)
>  		tce_iommu_userspace_view_free(tbl);
>  }

Gr8 catch. That clearly looks like a miss in the original code.

vfree() can be called even directly and it says no operation is
performed if addr passed to vfree is NULL. However I don't really see
any value add in doing that except maybe we can kill tce_free_pSeries()
function. But vfree() still does few checks in there. So we may as well
check for a non-null address before calling vfree().

nitpick: I might have re-pharsed the commit msg as:
     powerpc/pseries/iommu: Fix kmemleak in TCE table userspace view

The patch looks good to me purely from the kmemleak bug perspective.
So feel free to take: 
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>


-ritesh


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-05-02 20:15 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-25 17:08 [PATCH] powerpc/iommu: Memory leak in TCE table userspace view Gaurav Batra
2025-05-02 10:23 ` Nilay Shroff
2025-05-02 19:53 ` Ritesh Harjani

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).