Received: by 10.223.185.116 with SMTP id b49csp2854051wrg; Mon, 5 Mar 2018 09:43:16 -0800 (PST) X-Google-Smtp-Source: AG47ELtVYppWyGq2ASzz2mZ0Jn12IUPPnZ2toCXlfeEQFipNkNYSrdcy8OTh6TigtpH4tEoPQICa X-Received: by 10.98.12.149 with SMTP id 21mr16192602pfm.118.1520271796237; Mon, 05 Mar 2018 09:43:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520271796; cv=none; d=google.com; s=arc-20160816; b=xEk/7gJz7t5ScNw2YmFrQXxWJIYkYQsibV8ll0FfRZIX2F/I3Kkv6sEj8JxiZUMazx 08O5HQO05eQ+Yfd8L41mwcj7b1Buu6zUgePTtUibDVp0rVBilmFO16CvW/NNjjNFbkGX 5LPoYa9LC27c1tiRIh65o/WcCZV9csWzGWIZCg6RAk1aMTuQ968OPCutwhXRmG9+3ABr AOC+lhdmUWg602eENZ6rLFxnvrVXX5yqiHdRPG6+mqjw8Qj3U8sbMkp8s+3hkatk7f7y xutVOIKnaYLjOJg9xhQTRkfnVxyXiqeMvQMZ6jGG1eduH9w1+LwGlF8F8dJBnB+tBD79 LaeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=outdKw2z9HPQdjW29kJtt8VanqGD5v4QiedNNOgU/7Y=; b=Ub1dJRmFNyw7bGIKSqRzqFQxZO6tSrVGMEgWHjvjbPhYaoPZLOReLia8JTacfDqz8W uTmc50I7hVD/bAeVXaFSMddKDm+NxdO/VzXCUdGz51CtD7eVIjl8QdiYxjRj26F8TDUq YOHhOU4z9RlMHbx8YoskK93HEnUj+95sk067hSq4PptfJJp47fDU9VvPhRTqaMjj0kaZ p70KFCwA8cQHXp4bEm4b688NUHF3j2Wrtni6HEIcjPQr7PDVSnrlESqfVzS3ve4WufNv QC3KtIF0hIuhDTxWaoq/q3HkCB/3jCx1Z/6fH7DcYOXZndCmStgnnWWX5evoXF0UJh8G gHoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@armlinux.org.uk header.s=pandora-2014 header.b=kYX2sj++; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=armlinux.org.uk Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 2si10450641pfd.275.2018.03.05.09.43.01; Mon, 05 Mar 2018 09:43:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@armlinux.org.uk header.s=pandora-2014 header.b=kYX2sj++; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=armlinux.org.uk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752162AbeCERmG (ORCPT + 99 others); Mon, 5 Mar 2018 12:42:06 -0500 Received: from pandora.armlinux.org.uk ([78.32.30.218]:42198 "EHLO pandora.armlinux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751486AbeCERmE (ORCPT ); Mon, 5 Mar 2018 12:42:04 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=armlinux.org.uk; s=pandora-2014; h=Sender:In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=outdKw2z9HPQdjW29kJtt8VanqGD5v4QiedNNOgU/7Y=; b=kYX2sj++moSSHEg7US7XEmccukuudif8jD5sVrM/pEBkVCTsjtWFAaKC6SAjmNDIYl4uIUmmRJH4hpMw2WX2s5zBUV1WESDKvW8RTKZwjUlibqmJdwQVLcBN+nNQQNkeDtODwpXLmS3Obql9XRoJog1cdGiaLZRE4wznG7tDBc0=; Received: from n2100.armlinux.org.uk ([fd8f:7570:feb6:1:214:fdff:fe10:4f86]:38382) by pandora.armlinux.org.uk with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.82_1-5b7a7c0-XX) (envelope-from ) id 1esu7P-0002tx-Sy; Mon, 05 Mar 2018 17:41:48 +0000 Received: from linux by n2100.armlinux.org.uk with local (Exim 4.76) (envelope-from ) id 1esu7M-0005I4-NO; Mon, 05 Mar 2018 17:41:44 +0000 Date: Mon, 5 Mar 2018 17:41:44 +0000 From: Russell King - ARM Linux To: Jeffy Chen , Greg KH Cc: linux-kernel@vger.kernel.org, Andrzej Hajda , Romain Perier , Archit Taneja , dri-devel@lists.freedesktop.org, Neil Armstrong , David Airlie , Hans Verkuil , Jose Abreu , Jernej Skrabec , Laurent Pinchart Subject: Re: [PATCH] drm/bridge/synopsys: dw-hdmi: Fix memleak in __dw_hdmi_remove Message-ID: <20180305174143.GH9418@n2100.armlinux.org.uk> References: <20180305074555.23368-1-jeffy.chen@rock-chips.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180305074555.23368-1-jeffy.chen@rock-chips.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 05, 2018 at 03:45:55PM +0800, Jeffy Chen wrote: > The platform_device_register_full() will allocate dma_mask for > hdmi->audio, so we should free before platform_device_unregister(). > > Reported by kmemleak: > unreferenced object 0xffffffc0ef70ff00 (size 128): > comm "kworker/4:1", pid 123, jiffies 4294670080 (age 189.604s) > hex dump (first 32 bytes): > ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [<0000000021946f44>] kmemleak_alloc+0x58/0x8c > [<000000009c43890d>] kmem_cache_alloc_memcg_trace+0x18c/0x25c > [<000000000e17cd06>] platform_device_register_full+0x64/0x108 > [<00000000418a0882>] __dw_hdmi_probe+0xb9c/0xcc0 > [<00000000e0b720fd>] dw_hdmi_bind+0x30/0x88 > [<000000009af347f6>] dw_hdmi_rockchip_bind+0x260/0x2e8 > > Signed-off-by: Jeffy Chen > --- > > drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c > index f9802399cc0d..d9afdc59d4f4 100644 > --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c > +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c > @@ -2567,8 +2567,10 @@ __dw_hdmi_probe(struct platform_device *pdev, > > static void __dw_hdmi_remove(struct dw_hdmi *hdmi) > { > - if (hdmi->audio && !IS_ERR(hdmi->audio)) > + if (hdmi->audio && !IS_ERR(hdmi->audio)) { > + kfree(hdmi->audio->dev.dma_mask); > platform_device_unregister(hdmi->audio); > + } > if (!IS_ERR(hdmi->cec)) > platform_device_unregister(hdmi->cec); NAK. This is a hack, plain and simple. The audio device is created by platform_device_register_full(), and the lifetime of that is managed by the driver model. When it's time to clean that up, it's handled by the platform support code in drivers/base/platform.c. It is not the driver's responsibility to clean this up. There's two issues here: - Since you're kfree()ing it _before_ unregistering the device, the memory you're freeing may still be accessed by the DMA API on behalf of the device driver, so you're introducing a use-after-free bug. - kfree()ing it _after_ unregistering the device means that you're then potentially accessing memory that has been kfree()'d (the underlying struct device) unless you save a pointer to it before unregistering and kfree() it after. However, see the comment in platform_device_register_full() - if this gets fixed at the core platform level (since every driver using platform_device_register_full() with a DMA mask will suffer this same problem, that's the place to fix it) adding a workaround at driver level will introduce a non-obvious double-free bug. I suspect the best solution to this is to arrange for struct platform_device to also contain a DMA mask which platform_device_register_full() can use, which means the DMA mask will be freed automatically along with the rest of the platform device, rather than separately allocating this. There may be some resistance to adding 64 bits to platform devices, but if we have lots of these separately kmalloc'd DMA masks, we're actually wasting a lot more memory not doing this (since kmalloc has a minimum size of the L1 cacheline size.) -- RMK's Patch system: http://www.armlinux.org.uk/developer/patches/ FTTC broadband for 0.8mile line in suburbia: sync at 8.8Mbps down 630kbps up According to speedtest.net: 8.21Mbps down 510kbps up