2022-10-18 01:43:01

by Rafael Mendonca

[permalink] [raw]
Subject: [PATCH] drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()

If the number of pages from the userptr BO differs from the SG BO then the
allocated memory for the SG table doesn't get freed before returning
-EINVAL, which may lead to a memory leak in some error paths. Fix this by
checking the number of pages before allocating memory for the SG table.

Fixes: 264fb4d332f5 ("drm/amdgpu: Add multi-GPU DMA mapping helpers")
Signed-off-by: Rafael Mendonca <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
index 978d3970b5cc..84f44f7e4111 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -510,13 +510,13 @@ kfd_mem_dmamap_userptr(struct kgd_mem *mem,
struct ttm_tt *ttm = bo->tbo.ttm;
int ret;

+ if (WARN_ON(ttm->num_pages != src_ttm->num_pages))
+ return -EINVAL;
+
ttm->sg = kmalloc(sizeof(*ttm->sg), GFP_KERNEL);
if (unlikely(!ttm->sg))
return -ENOMEM;

- if (WARN_ON(ttm->num_pages != src_ttm->num_pages))
- return -EINVAL;
-
/* Same sequence as in amdgpu_ttm_tt_pin_userptr */
ret = sg_alloc_table_from_pages(ttm->sg, src_ttm->pages,
ttm->num_pages, 0,
--
2.34.1


2022-10-19 19:36:46

by Felix Kuehling

[permalink] [raw]
Subject: Re: [PATCH] drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()

On 2022-10-17 21:27, Rafael Mendonca wrote:
> If the number of pages from the userptr BO differs from the SG BO then the
> allocated memory for the SG table doesn't get freed before returning
> -EINVAL, which may lead to a memory leak in some error paths. Fix this by
> checking the number of pages before allocating memory for the SG table.
>
> Fixes: 264fb4d332f5 ("drm/amdgpu: Add multi-GPU DMA mapping helpers")
> Signed-off-by: Rafael Mendonca <[email protected]>

Thank you for catching this. The patch is

Reviewed-by: Felix Kuehling <[email protected]>

I submitted it to our amd-staging-drm-next branch.

Regards,
  Felix


> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> index 978d3970b5cc..84f44f7e4111 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> @@ -510,13 +510,13 @@ kfd_mem_dmamap_userptr(struct kgd_mem *mem,
> struct ttm_tt *ttm = bo->tbo.ttm;
> int ret;
>
> + if (WARN_ON(ttm->num_pages != src_ttm->num_pages))
> + return -EINVAL;
> +
> ttm->sg = kmalloc(sizeof(*ttm->sg), GFP_KERNEL);
> if (unlikely(!ttm->sg))
> return -ENOMEM;
>
> - if (WARN_ON(ttm->num_pages != src_ttm->num_pages))
> - return -EINVAL;
> -
> /* Same sequence as in amdgpu_ttm_tt_pin_userptr */
> ret = sg_alloc_table_from_pages(ttm->sg, src_ttm->pages,
> ttm->num_pages, 0,