Stable Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers
@ 2020-05-20 10:10 Martin Fuzzey
  2020-05-20 10:29 ` Lucas Stach
  2020-05-22  0:12 ` Sasha Levin
  0 siblings, 2 replies; 4+ messages in thread
From: Martin Fuzzey @ 2020-05-20 10:10 UTC (permalink / raw)
  To: Lucas Stach; +Cc: stable, Christian Gmeiner, etnaviv, linux-kernel

When using mmap() on a prime imported buffer allocated by a
different driver (such as imx-drm) the later munmap() does
not correctly decrement the refcount of the original enaviv_gem_object,
leading to a leak.

Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c
index f24dd21..28a01b8 100644
--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c
@@ -93,7 +93,25 @@ static void *etnaviv_gem_prime_vmap_impl(struct etnaviv_gem_object *etnaviv_obj)
 static int etnaviv_gem_prime_mmap_obj(struct etnaviv_gem_object *etnaviv_obj,
 		struct vm_area_struct *vma)
 {
-	return dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0);
+	int ret;
+
+	ret = dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0);
+
+	/* drm_gem_mmap_obj() has already been called before this function
+	 * and has incremented our refcount, expecting it to be decremented
+	 * on unmap() via drm_gem_vm_close().
+	 * However dma_buf_mmap() invokes drm_gem_cma_prime_mmap()
+	 * that ends up updating the vma->vma_private_data to point to the
+	 * dma_buf's gem object.
+	 * Hence our gem object here will not have its refcount decremented
+	 * when userspace does unmap().
+	 * So decrement the refcount here to avoid a memory leak if the dma
+	 * buf mapping was successful.
+	 */
+	if (!ret)
+		drm_gem_object_put_unlocked(&etnaviv_obj->base);
+
+	return ret;
 }
 
 static const struct etnaviv_gem_ops etnaviv_gem_prime_ops = {
-- 
1.9.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers
  2020-05-20 10:10 [PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers Martin Fuzzey
@ 2020-05-20 10:29 ` Lucas Stach
  2020-05-20 11:15   ` Fuzzey, Martin
  2020-05-22  0:12 ` Sasha Levin
  1 sibling, 1 reply; 4+ messages in thread
From: Lucas Stach @ 2020-05-20 10:29 UTC (permalink / raw)
  To: Martin Fuzzey; +Cc: stable, Christian Gmeiner, etnaviv, linux-kernel

Hi Martin,

Am Mittwoch, den 20.05.2020, 12:10 +0200 schrieb Martin Fuzzey:
> When using mmap() on a prime imported buffer allocated by a
> different driver (such as imx-drm) the later munmap() does
> not correctly decrement the refcount of the original enaviv_gem_object,
> leading to a leak.
> 
> Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
> Cc: stable@vger.kernel.org

What's the use-case where you did hit this issue? mmap'ing of imported
buffers through the etnaviv DRM device is currently not well defined
and I was pondering the idea of forbidding it completely by not
returning a mmap offset for those objects.

Regards,
Lucas

> ---
>  drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c | 20 +++++++++++++++++++-
>  1 file changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c
> index f24dd21..28a01b8 100644
> --- a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c
> +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c
> @@ -93,7 +93,25 @@ static void *etnaviv_gem_prime_vmap_impl(struct etnaviv_gem_object *etnaviv_obj)
>  static int etnaviv_gem_prime_mmap_obj(struct etnaviv_gem_object *etnaviv_obj,
>  		struct vm_area_struct *vma)
>  {
> -	return dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0);
> +	int ret;
> +
> +	ret = dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0);
> +
> +	/* drm_gem_mmap_obj() has already been called before this function
> +	 * and has incremented our refcount, expecting it to be decremented
> +	 * on unmap() via drm_gem_vm_close().
> +	 * However dma_buf_mmap() invokes drm_gem_cma_prime_mmap()
> +	 * that ends up updating the vma->vma_private_data to point to the
> +	 * dma_buf's gem object.
> +	 * Hence our gem object here will not have its refcount decremented
> +	 * when userspace does unmap().
> +	 * So decrement the refcount here to avoid a memory leak if the dma
> +	 * buf mapping was successful.
> +	 */
> +	if (!ret)
> +		drm_gem_object_put_unlocked(&etnaviv_obj->base);
> +
> +	return ret;
>  }
>  
>  static const struct etnaviv_gem_ops etnaviv_gem_prime_ops = {


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers
  2020-05-20 10:29 ` Lucas Stach
@ 2020-05-20 11:15   ` Fuzzey, Martin
  0 siblings, 0 replies; 4+ messages in thread
From: Fuzzey, Martin @ 2020-05-20 11:15 UTC (permalink / raw)
  To: Lucas Stach
  Cc: stable, Christian Gmeiner, The etnaviv authors,
	Linux-Kernel@Vger. Kernel. Org

Hi Lucas,

> Am Mittwoch, den 20.05.2020, 12:10 +0200 schrieb Martin Fuzzey:
> What's the use-case where you did hit this issue? mmap'ing of imported
> buffers through the etnaviv DRM device is currently not well defined
> and I was pondering the idea of forbidding it completely by not
> returning a mmap offset for those objects.
>

I hit this on Android 8 (on i.MX6 using mesa 20.0.6 with gbm gralloc
and drm hwcomposer)  and had a memory leak every time an activity was
started.
I'm not sure exactly why but Android does a gralloc.lock() and
gralloc.unlock() on every activity startup.
Those map and unmap the buffer.

Under Android (at least in 8+) the actual graphics buffer allocations
are done by a dedicated process
(android.hardware.graphics.allocator@2.0-service)
because it uses a "binderized HAL" for the allocation
[https://source.android.com/devices/architecture/hal-types]
This means that buffers are *always* imported (though they are usually
only mmaped for SW rendering or screen shots).

Regards,

Martin

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers
  2020-05-20 10:10 [PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers Martin Fuzzey
  2020-05-20 10:29 ` Lucas Stach
@ 2020-05-22  0:12 ` Sasha Levin
  1 sibling, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-05-22  0:12 UTC (permalink / raw)
  To: Sasha Levin, Martin Fuzzey, Lucas Stach; +Cc: stable, stable, stable

Hi

[This is an automated email]

This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all

The bot has tested the following trees: v5.6.13, v5.4.41, v4.19.123, v4.14.180, v4.9.223, v4.4.223.

v5.6.13: Build OK!
v5.4.41: Build OK!
v4.19.123: Build OK!
v4.14.180: Build OK!
v4.9.223: Build OK!
v4.4.223: Failed to apply! Possible dependencies:
    0e7f26e6b950 ("drm/etnaviv: take etnaviv_gem_obj in etnaviv_gem_mmap_obj")
    9f07bb0d4ada ("drm/etnaviv: fix get pages error path in etnaviv_gem_vaddr")
    a0a5ab3e99b8 ("drm/etnaviv: call correct function when trying to vmap a DMABUF")
    a10e2bde5d91 ("drm/etnaviv: fix mmap operations for userptr and dma-buf objects")
    a8c21a5451d8 ("drm/etnaviv: add initial etnaviv DRM driver")


NOTE: The patch will not be queued to stable trees until it is upstream.

How should we proceed with this patch?

-- 
Thanks
Sasha

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-20 10:10 [PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers Martin Fuzzey
2020-05-20 10:29 ` Lucas Stach
2020-05-20 11:15   ` Fuzzey, Martin
2020-05-22  0:12 ` Sasha Levin

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org
	public-inbox-index stable

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git