2021-10-22 06:33:10

by 赵军奎

Subject: [PATCH] gpu/drm: fix potential memory leak

This patch tries to fix a memory leak reported by syzbot:
BUG: memory leak
unreferenced object 0xffff888127338180 (size 64):
comm "syz-executor.6", pid 11434, jiffies 4294961165 (age 15.480s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 4a 0d 28 81 88 ff ff .........J.(....
backtrace:
[<ffffffff825b2892>] kmalloc include/linux/slab.h:591 [inline]
[<ffffffff825b2892>] drm_vma_node_allow+0x32/0x120 drivers/gpu/drm/drm_vma_manager.c:274
[<ffffffff825983b7>] drm_gem_handle_create_tail+0x107/0x250 drivers/gpu/drm/drm_gem.c:390
[<ffffffff826271bd>] vgem_gem_create drivers/gpu/drm/vgem/vgem_drv.c:203 [inline]
[<ffffffff826271bd>] vgem_gem_dumb_create+0x8d/0x240 drivers/gpu/drm/vgem/vgem_drv.c:223
[<ffffffff825c72f1>] drm_mode_create_dumb+0x121/0x150 drivers/gpu/drm/drm_dumb_buffers.c:96
[<ffffffff82599660>] drm_ioctl_kernel+0xf0/0x160 drivers/gpu/drm/drm_ioctl.c:795
[<ffffffff82599c7a>] drm_ioctl+0x2ea/0x4f0 drivers/gpu/drm/drm_ioctl.c:898
[<ffffffff8158e45c>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff8158e45c>] __do_sys_ioctl fs/ioctl.c:1069 [inline]
[<ffffffff8158e45c>] __se_sys_ioctl fs/ioctl.c:1055 [inline]
[<ffffffff8158e45c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:1055
[<ffffffff843b6675>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff843b6675>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
The link is:
https://syzkaller.appspot.com/bug?id=bd059c6ee8aee1d3af51cff3a2849b8c0027b822

Signed-off-by: Bernard Zhao <[email protected]>
---
drivers/gpu/drm/drm_vma_manager.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_vma_manager.c b/drivers/gpu/drm/drm_vma_manager.c
index 7de37f8c68fd..870d5bc7f1fa 100644
--- a/drivers/gpu/drm/drm_vma_manager.c
+++ b/drivers/gpu/drm/drm_vma_manager.c
@@ -300,11 +300,11 @@ int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag)
new->vm_count = 1;
rb_link_node(&new->vm_rb, parent, iter);
rb_insert_color(&new->vm_rb, &node->vm_files);
- new = NULL;

unlock:
write_unlock(&node->vm_lock);
kfree(new);
+ new = NULL;
return ret;
}
EXPORT_SYMBOL(drm_vma_node_allow);
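Review bot: Moving `new = NULL;` from before the `unlock:` label to after `kfree(new);` introduces a use-after-free on the success path rather than fixing a leak. Immediately before the label the function has just linked the allocation into the tree with `rb_link_node(&new->vm_rb, parent, iter);` and `rb_insert_color(&new->vm_rb, &node->vm_files);`; the removed `new = NULL;` was exactly what kept the shared `kfree(new);` under `unlock:` from freeing that node on the success path, while still freeing it on the paths that jump to `unlock:` without inserting. With this hunk every successful call frees an entry that remains reachable from `node->vm_files`, so any later walk of that tree touches freed memory. The added `new = NULL;` after `kfree()` is dead code, since `new` is not read again before `return ret;`. The syzbot backtrace in the description shows the node being allocated on behalf of `drm_gem_handle_create_tail()`, which suggests the leak is a missing `drm_vma_node_revoke()` in that caller's error or teardown path; please drop this hunk and look there instead.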
--
2.33.1


2021-10-31 14:19:23

by Oliver Sang

Subject: [gpu/drm] 0af38d64f2: stack_segment:#[##]



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 0af38d64f2971d2bd2b990301d27faa5026cf795 ("[PATCH] gpu/drm: fix potential memory leak")
url: https://github.com/0day-ci/linux/commits/Bernard-Zhao/gpu-drm-fix-potential-memory-leak/20211022-143137
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 64222515138e43da1fcf288f0289ef1020427b87
patch link: https://lore.kernel.org/dri-devel/[email protected]

in testcase: igt
version: igt-x86_64-51792e98-1_20211019
with following parameters:

group: group-03
ucode: 0x28



on test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz with 8G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <[email protected]>



[ 30.641897][ T1049] [IGT] gem_set_tiling_vs_blt: executing
[ 30.648455][ T1049] [IGT] gem_set_tiling_vs_blt: starting subtest tiled-to-tiled
[ 30.656020][ T1049] stack segment: 0000 [#1] SMP PTI
[ 30.660971][ T1049] CPU: 4 PID: 1049 Comm: gem_set_tiling_ Not tainted 5.15.0-rc6-00178-g0af38d64f297 #1
[ 30.670401][ T1049] Hardware name: Dell Inc. OptiPlex 9020/0DNKMN, BIOS A05 12/05/2013
[ 30.678280][ T1049] RIP: 0010:drm_vma_node_revoke+0x21/0x80 [drm]
[ 30.684364][ T1049] Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 49 89 fc 55 53 48 89 f3 e8 ac f4 96 c1 49 8b ac 24 b0 00 00 00 48 85 ed 74 17 <48> 39 5d 18 74 22 48 8b 45 08 48 0f 43 45 10 48 89 c5 48 85 c0 75
[ 30.703731][ T1049] RSP: 0018:ffffc90000e93d60 EFLAGS: 00010286
[ 30.709623][ T1049] RAX: ffff000000002028 RBX: ffff88821e5cc000 RCX: ffffc90000e93d00
[ 30.717411][ T1049] RDX: 00000000000000ff RSI: ffff88821e5cc000 RDI: ffff88821abd2658
[ 30.725201][ T1049] RBP: ffff000000002028 R08: 00000000fffbdc4a R09: 0000000000000238
[ 30.732988][ T1049] R10: 0000000000000001 R11: ffff888215789b60 R12: ffff88821abd2658
[ 30.740778][ T1049] R13: ffff88821e5cc130 R14: ffff88821e5cc040 R15: 0000000000000001
[ 30.748568][ T1049] FS: 00007f777ce7cc00(0000) GS:ffff888201d00000(0000) knlGS:0000000000000000
[ 30.757308][ T1049] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 30.763715][ T1049] CR2: 0000558324d0e678 CR3: 0000000212bc6001 CR4: 00000000001706e0
[ 30.771505][ T1049] Call Trace:
[ 30.774630][ T1049] drm_gem_object_release_handle+0x63/0x80 [drm]
[ 30.780811][ T1049] drm_gem_handle_delete+0x5f/0xc0 [drm]
[ 30.786283][ T1049] ? drm_gem_handle_create+0x40/0x40 [drm]
[ 30.791924][ T1049] drm_ioctl_kernel+0xaa/0x100 [drm]
[ 30.797046][ T1049] drm_ioctl+0x220/0x3c0 [drm]
[ 30.801665][ T1049] ? drm_gem_handle_create+0x40/0x40 [drm]
[ 30.807320][ T1049] ? vfs_write+0x238/0x2c0
[ 30.811570][ T1049] __x64_sys_ioctl+0x83/0xc0
[ 30.815989][ T1049] do_syscall_64+0x3b/0xc0
[ 30.820239][ T1049] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 30.825958][ T1049] RIP: 0033:0x7f7780820427
[ 30.830208][ T1049] Code: 00 00 90 48 8b 05 69 aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 aa 0c 00 f7 d8 64 89 01 48
[ 30.849578][ T1049] RSP: 002b:00007ffedb056728 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 30.857802][ T1049] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7780820427
[ 30.865591][ T1049] RDX: 00007ffedb056760 RSI: 0000000040086409 RDI: 0000000000000004
[ 30.873378][ T1049] RBP: 00007ffedb056760 R08: 00007ffedb09f170 R09: 000000000000001c
[ 30.881168][ T1049] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000040086409
[ 30.888957][ T1049] R13: 0000000000000004 R14: 0000000000000001 R15: 0000000000000000
[ 30.896747][ T1049] Modules linked in: btrfs blake2b_generic xor zstd_compress raid6_pq libcrc32c sd_mod t10_pi sg ata_generic ipmi_devintf ipmi_msghandler intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel i915 kvm intel_gtt ttm drm_kms_helper irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel syscopyarea mei_wdt sysfillrect sysimgblt rapl fb_sys_fops mei_me intel_cstate ata_piix drm libata intel_uncore mei video ip_tables
[ 30.939408][ T1049] ---[ end trace fef9d299f191964d ]---
[ 30.944696][ T1049] RIP: 0010:drm_vma_node_revoke+0x21/0x80 [drm]
[ 30.950795][ T1049] Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 49 89 fc 55 53 48 89 f3 e8 ac f4 96 c1 49 8b ac 24 b0 00 00 00 48 85 ed 74 17 <48> 39 5d 18 74 22 48 8b 45 08 48 0f 43 45 10 48 89 c5 48 85 c0 75
[ 30.970189][ T1049] RSP: 0018:ffffc90000e93d60 EFLAGS: 00010286
[ 30.976091][ T1049] RAX: ffff000000002028 RBX: ffff88821e5cc000 RCX: ffffc90000e93d00
[ 30.983895][ T1049] RDX: 00000000000000ff RSI: ffff88821e5cc000 RDI: ffff88821abd2658
[ 30.991708][ T1049] RBP: ffff000000002028 R08: 00000000fffbdc4a R09: 0000000000000238
[ 30.999510][ T1049] R10: 0000000000000001 R11: ffff888215789b60 R12: ffff88821abd2658
[ 31.007313][ T1049] R13: ffff88821e5cc130 R14: ffff88821e5cc040 R15: 0000000000000001
[ 31.015117][ T1049] FS: 00007f777ce7cc00(0000) GS:ffff888201d00000(0000) knlGS:0000000000000000
[ 31.023870][ T1049] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.030290][ T1049] CR2: 0000558324d0e678 CR3: 0000000212bc6001 CR4: 00000000001706e0
[ 31.038106][ T1049] Kernel panic - not syncing: Fatal exception
[ 31.044016][ T1049] Kernel Offset: disabled



To reproduce:
# build kernel with attached config file

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file

# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation

Thanks,
Oliver Sang


Attachments:
(No filename) (6.14 kB)
config-5.15.0-rc6-00178-g0af38d64f297 (179.42 kB)
job-script (5.39 kB)
dmesg.xz (21.20 kB)
job.yaml (4.23 kB)