2023-01-20 10:26:39

by shravan chippa

Subject: [PATCH v1] dmaengine: sf-pdma: pdma_desc memory leak fix

From: Shravan Chippa <[email protected]>

Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a
DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally
allocate a new sf_pdma_desc each time it is called.

The driver previously recycled descs, by checking the in_use flag, only
allocating additional descs if the existing one was in use. This logic
was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread
support for a DMA channel"), but sf_pdma_free_desc() was not changed to
handle the new behaviour.

As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous
descriptor is leaked, over time leading to memory starvation:

unreferenced object 0xffffffe008447300 (size 192):
comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s)
hex dump (first 32 bytes):
00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................
00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............
backtrace:
[<00000000064a04f4>] kmemleak_alloc+0x1e/0x28
[<00000000018927a7>] kmem_cache_alloc+0x11e/0x178
[<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112

Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant
in_use flag.

Fixes: b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel")
Signed-off-by: Shravan Chippa <[email protected]>
---
drivers/dma/sf-pdma/sf-pdma.c | 3 +--
drivers/dma/sf-pdma/sf-pdma.h | 1 -
2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/dma/sf-pdma/sf-pdma.c b/drivers/dma/sf-pdma/sf-pdma.c
index 6b524eb6bcf3..e578ad556949 100644
--- a/drivers/dma/sf-pdma/sf-pdma.c
+++ b/drivers/dma/sf-pdma/sf-pdma.c
@@ -96,7 +96,6 @@ sf_pdma_prep_dma_memcpy(struct dma_chan *dchan, dma_addr_t dest, dma_addr_t src,
if (!desc)
return NULL;

- desc->in_use = true;
desc->dirn = DMA_MEM_TO_MEM;
desc->async_tx = vchan_tx_prep(&chan->vchan, &desc->vdesc, flags);

@@ -290,7 +289,7 @@ static void sf_pdma_free_desc(struct virt_dma_desc *vdesc)
struct sf_pdma_desc *desc;

desc = to_sf_pdma_desc(vdesc);
- desc->in_use = false;
+ kfree(desc);
}

static void sf_pdma_donebh_tasklet(struct tasklet_struct *t)
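Review bot: in sf_pdma_free_desc(), `kfree(desc)` now ends the descriptor's lifetime inside the virt-dma free callback, so every other reference to the object has to be dead by the time it runs. The tx descriptor set up in sf_pdma_prep_dma_memcpy() through `vchan_tx_prep(&chan->vchan, &desc->vdesc, flags)` is embedded in this same allocation, and the diff does not show whether the channel caches a pointer to its current desc. Please confirm that the completion and error paths (for example sf_pdma_donebh_tasklet(), just below this hunk) never dereference a desc after the callback has fired, and state that in the commit message. The allocation site is also outside the visible context, so it is worth saying which allocator call this kfree() pairs with. As a style point, the local variable is no longer needed: `kfree(to_sf_pdma_desc(vdesc));`.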
diff --git a/drivers/dma/sf-pdma/sf-pdma.h b/drivers/dma/sf-pdma/sf-pdma.h
index dcb3687bd5da..5c398a83b491 100644
--- a/drivers/dma/sf-pdma/sf-pdma.h
+++ b/drivers/dma/sf-pdma/sf-pdma.h
@@ -78,7 +78,6 @@ struct sf_pdma_desc {
u64 src_addr;
struct virt_dma_desc vdesc;
struct sf_pdma_chan *chan;
- bool in_use;
enum dma_transfer_direction dirn;
struct dma_async_tx_descriptor *async_tx;
};
--
2.34.1
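
An added example, not part of the original patch or the sf-pdma driver: a userspace C model of the descriptor lifecycle the commit message describes, showing allocation failing once every slot has leaked. The fixed-size pool, `prep_memcpy()`, `run_transfers()` and the two `free_desc_*` callbacks are assumptions made for illustration; only the struct names and `to_sf_pdma_desc` mirror the driver.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define POOL_SIZE 64	/* constructed: stands in for finite kernel memory */
struct virt_dma_desc { int cookie; };
struct sf_pdma_desc {
	struct virt_dma_desc vdesc;
	bool allocated;	/* model allocator bookkeeping, not a driver field */
};
static struct sf_pdma_desc pool[POOL_SIZE];
#define to_sf_pdma_desc(vd) \
	((struct sf_pdma_desc *)((char *)(vd) - offsetof(struct sf_pdma_desc, vdesc)))

/* Model of prep after b2cc5c465c2c: a fresh descriptor on every call. */
static struct virt_dma_desc *prep_memcpy(void)
{
	for (size_t i = 0; i < POOL_SIZE; i++)
		if (!pool[i].allocated) {
			pool[i].allocated = true;
			return &pool[i].vdesc;
		}
	return NULL;	/* allocation failure: memory exhausted */
}

/* Free callbacks: before the patch nothing is released; after it, the kfree() equivalent. */
static void free_desc_leaky(struct virt_dma_desc *vdesc) { (void)vdesc; }
static void free_desc_fixed(struct virt_dma_desc *vdesc)
{
	to_sf_pdma_desc(vdesc)->allocated = false;
}

/* Run n prep/complete cycles; return how many obtained a descriptor. */
static int run_transfers(int n, void (*desc_free)(struct virt_dma_desc *))
{
	int ok = 0;
	memset(pool, 0, sizeof(pool));
	for (int i = 0; i < n; i++) {
		struct virt_dma_desc *vd = prep_memcpy();
		if (!vd)
			continue;	/* the driver would return NULL to its caller */
		ok++;
		desc_free(vd);	/* virt-dma core calls this when the transfer is done */
	}
	return ok;
}

int main(void) { return run_transfers(1000, free_desc_leaky) == POOL_SIZE ? 0 : 1; }
```

With the leaky callback only the first `POOL_SIZE` transfers get a descriptor; with the fixed callback all of them do, because each completed descriptor returns to the pool.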


2023-01-20 11:13:40

by Conor Dooley

Subject: Re: [PATCH v1] dmaengine: sf-pdma: pdma_desc memory leak fix

Hey Shravan,

On Fri, Jan 20, 2023 at 03:36:23PM +0530, shravan kumar wrote:
> From: Shravan Chippa <[email protected]>
>
> Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a
> DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally
> allocate a new sf_pdma_desc each time it is called.
>
> The driver previously recycled descs, by checking the in_use flag, only
> allocating additional descs if the existing one was in use. This logic
> was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread
> support for a DMA channel"), but sf_pdma_free_desc() was not changed to
> handle the new behaviour.
>
> As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous
> descriptor is leaked, over time leading to memory starvation:
>
> unreferenced object 0xffffffe008447300 (size 192):
> comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s)
> hex dump (first 32 bytes):
> 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................
> 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............
> backtrace:
> [<00000000064a04f4>] kmemleak_alloc+0x1e/0x28
> [<00000000018927a7>] kmem_cache_alloc+0x11e/0x178
> [<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112
>
> Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant
> in_use flag.
>
> Fixes: b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel")
> Signed-off-by: Shravan Chippa <[email protected]>

Reviewed-by: Conor Dooley <[email protected]>

Thanks,
Conor.



2023-02-07 18:16:13

by Conor Dooley

Subject: Re: [PATCH v1] dmaengine: sf-pdma: pdma_desc memory leak fix

Hey Vinod,

On Fri, Jan 20, 2023 at 03:36:23PM +0530, shravan kumar wrote:
> From: Shravan Chippa <[email protected]>
>
> Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a
> DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally
> allocate a new sf_pdma_desc each time it is called.
>
> The driver previously recycled descs, by checking the in_use flag, only
> allocating additional descs if the existing one was in use. This logic
> was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread
> support for a DMA channel"), but sf_pdma_free_desc() was not changed to
> handle the new behaviour.
>
> As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous
> descriptor is leaked, over time leading to memory starvation:
>
> unreferenced object 0xffffffe008447300 (size 192):
> comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s)
> hex dump (first 32 bytes):
> 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................
> 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............
> backtrace:
> [<00000000064a04f4>] kmemleak_alloc+0x1e/0x28
> [<00000000018927a7>] kmem_cache_alloc+0x11e/0x178
> [<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112
>
> Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant
> in_use flag.
>
> Fixes: b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel")
> Signed-off-by: Shravan Chippa <[email protected]>

Just checking in to make sure that this patch is on your radar.
Is there something you're waiting for on it?

Cheers,
Conor.

> ---
> drivers/dma/sf-pdma/sf-pdma.c | 3 +--
> drivers/dma/sf-pdma/sf-pdma.h | 1 -
> 2 files changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/dma/sf-pdma/sf-pdma.c b/drivers/dma/sf-pdma/sf-pdma.c
> index 6b524eb6bcf3..e578ad556949 100644
> --- a/drivers/dma/sf-pdma/sf-pdma.c
> +++ b/drivers/dma/sf-pdma/sf-pdma.c
> @@ -96,7 +96,6 @@ sf_pdma_prep_dma_memcpy(struct dma_chan *dchan, dma_addr_t dest, dma_addr_t src,
> if (!desc)
> return NULL;
>
> - desc->in_use = true;
> desc->dirn = DMA_MEM_TO_MEM;
> desc->async_tx = vchan_tx_prep(&chan->vchan, &desc->vdesc, flags);
>
> @@ -290,7 +289,7 @@ static void sf_pdma_free_desc(struct virt_dma_desc *vdesc)
> struct sf_pdma_desc *desc;
>
> desc = to_sf_pdma_desc(vdesc);
> - desc->in_use = false;
> + kfree(desc);
> }
>
> static void sf_pdma_donebh_tasklet(struct tasklet_struct *t)
> diff --git a/drivers/dma/sf-pdma/sf-pdma.h b/drivers/dma/sf-pdma/sf-pdma.h
> index dcb3687bd5da..5c398a83b491 100644
> --- a/drivers/dma/sf-pdma/sf-pdma.h
> +++ b/drivers/dma/sf-pdma/sf-pdma.h
> @@ -78,7 +78,6 @@ struct sf_pdma_desc {
> u64 src_addr;
> struct virt_dma_desc vdesc;
> struct sf_pdma_chan *chan;
> - bool in_use;
> enum dma_transfer_direction dirn;
> struct dma_async_tx_descriptor *async_tx;
> };
> --
> 2.34.1
>



2023-02-10 05:46:40

by Vinod Koul

Subject: Re: [PATCH v1] dmaengine: sf-pdma: pdma_desc memory leak fix

On 20-01-23, 15:36, shravan kumar wrote:
> From: Shravan Chippa <[email protected]>
>
> Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a
> DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally
> allocate a new sf_pdma_desc each time it is called.
>
> The driver previously recycled descs, by checking the in_use flag, only
> allocating additional descs if the existing one was in use. This logic
> was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread
> support for a DMA channel"), but sf_pdma_free_desc() was not changed to
> handle the new behaviour.
>
> As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous
> descriptor is leaked, over time leading to memory starvation:
>
> unreferenced object 0xffffffe008447300 (size 192):
> comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s)
> hex dump (first 32 bytes):
> 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................
> 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............
> backtrace:
> [<00000000064a04f4>] kmemleak_alloc+0x1e/0x28
> [<00000000018927a7>] kmem_cache_alloc+0x11e/0x178
> [<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112
>
> Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant
> in_use flag.

Applied, thanks

--
~Vinod