Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp307004ybg;
        Tue, 22 Oct 2019 21:15:28 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyOcAh6PKARBpr03UmbUGzFTMS8BsZ89NwRmNvj3whKjRwYg1BazEHclIevCZD4jPMfgxT9
X-Received: by 2002:a50:cbc2:: with SMTP id l2mr35637629edi.304.1571804128255;
        Tue, 22 Oct 2019 21:15:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571804128; cv=none;
        d=google.com; s=arc-20160816;
        b=gSVefgsRil0R4YMuf3w5C+flRcVDKLVIuSI9lFAnq0jL1ol+QSzyDrKSWOFz5n8Mpj
         Fy75YxnpGQzCPMTmqDE64HtZB6cijNMqI87w5gNypeYBSPwPIBU3fbE5LKM3iifhc+7N
         TA8KJvQYOKymF8Gb2DDwHcxaWn9c+8ptOZ5U2cVI92GZITsyBA/Ll3v5v4iKjDyj5UdR
         LYsR5tWUJs4MEGOZUX/Ke+Kffoq8Uf2ep8D26X/vCYHw3O8llsZKCwrBlWioJj7WnwqY
         RQeQYNu6/LIOB2OB9HviE5LroESrCT8VwRl+WBUTm1QaBpzeYiEXezDX9C/CxhII0EqB
         JI1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=/LHGxMJgC9fsphY4M+7ir7vJgAGyj8pWVsdCiE4QA6o=;
        b=CD/VE2HvkXHFpKAX6o5DdSH6n0rY8RP6NG879wM9dYvYYzhzSD2T5FRsRZN5eu4PJh
         R+hTaXnu1yEacpwyqkZYHirGuEttNEAVWaVbL29hsNgfU2WNxcNOrBbqI75so85jPdDq
         mCoPIXDOtLLy0SCUquT2jo40f1Wux2dZbFU921+2PG3lWF0wH7SPJo/CvdJl+Cl/Kwa5
         7fL3U50l0IOboT4JGXKLvG81WikFy3DUNWvgzdgiQ5xlaPAX1VE7tVv5jQsF22ZciToW
         AkaAUttHRYsRItNaOK7L80W67lGDbfiCC4flmSEVPNc2Byz2/YKCGMOzvCRtlesXXa7m
         7RyQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=lDTH3vIp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id ss13si2561235ejb.259.2019.10.22.21.15.03;
        Tue, 22 Oct 2019 21:15:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=lDTH3vIp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1733186AbfJWDyJ (ORCPT <rfc822;fezhang.suse@gmail.com>
        + 99 others); Tue, 22 Oct 2019 23:54:09 -0400
Received: from mail-il1-f195.google.com ([209.85.166.195]:35015 "EHLO
        mail-il1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729994AbfJWDyJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 22 Oct 2019 23:54:09 -0400
Received: by mail-il1-f195.google.com with SMTP id p8so7861715ilp.2
        for <linux-kernel@vger.kernel.org>; Tue, 22 Oct 2019 20:54:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=/LHGxMJgC9fsphY4M+7ir7vJgAGyj8pWVsdCiE4QA6o=;
        b=lDTH3vIpVKOT4cHUqTnhkivTQ/0ICLeWcMIrK5ZpKQrPpEFQiBap0C9/xiuuA7wMxu
         8qBj7L4RonbFjzmHvGBvSUy8aBkmXf57NlETXJkYp2JYk1Gs5XYFODyLJGmOygbbtq1n
         ZzoXTonLboEb9/AoN4tpBNFgcjkThTFUlluD+mVvTUlVccwdHYK0POuC2eN1/YMikfVZ
         oQhuvJhEVkSsPRc8/jRE4P2ZEt3qp1ejyR5m8zyHnDg0SuT6JavrrseUCrEJfdDrrMAp
         O16+zL3BDiIswbyFWElgVoRfqbC92XM2WGHKAz78vQqXUCUyWuZFD+jSb1/8B5eWe7Ue
         RRSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=/LHGxMJgC9fsphY4M+7ir7vJgAGyj8pWVsdCiE4QA6o=;
        b=BudtZ0Bem5RGWCpiRr1vFA3I1XY3PnX8pOtLl2FW7NP/VqSVlU1rnlgRZCujdfyTlI
         B6g+khPNKATyUuEqcmG+delOmcPVCbrePyKhxrW0yRoOKYSG1NdCQeib9zBhd51Qy/G4
         o7jVxqcqqmcgwFM7EcHxcU1uvZNs1PYXvTRyx5ZjuX1OXvOdy24EYQs6UDHva4CEO8Fs
         zyWfz8nHkdQxmcoSPYhh8q++4e8/PIv7jCyQ+IOttinHyN1YNV7ktwgt6bpaYVl5SVvX
         kk1IUe4PsImme4bBMIXQnfoxk5qGQmY8MwUlKYeT1/ZW3k+p1aaQn6M1oAf69b3cN2BU
         zvig==
X-Gm-Message-State: APjAAAX1p/3n9+ebxirbsO3Em1jwYt/twlCOUq21q0hfdfJzuitcgOvn
        mpgMndwRN+Y7r/eeNx6Mco54CYTj0xSA8nZZi+oE9q9f
X-Received: by 2002:a92:4144:: with SMTP id o65mr35736635ila.172.1571802848526;
 Tue, 22 Oct 2019 20:54:08 -0700 (PDT)
MIME-Version: 1.0
References: <20191021185250.26130-1-navid.emamdoost@gmail.com> <20191022093654.GF11828@phenom.ffwll.local>
In-Reply-To: <20191022093654.GF11828@phenom.ffwll.local>
From:   Navid Emamdoost <navid.emamdoost@gmail.com>
Date:   Tue, 22 Oct 2019 22:53:57 -0500
Message-ID: <CAEkB2ETFM7u6YiUOT3fz4UQ3U_za9iM1arTnYNg-rjs5+wxOfw@mail.gmail.com>
Subject: Re: [PATCH] drm/v3d: Fix memory leak in v3d_submit_cl_ioctl
To:     Daniel Vetter <daniel@ffwll.ch>
Cc:     Navid Emamdoost <emamd001@umn.edu>, Kangjie Lu <kjlu@umn.edu>,
        Stephen McCamant <smccaman@umn.edu>,
        Eric Anholt <eric@anholt.net>, David Airlie <airlied@linux.ie>,
        dri-devel@lists.freedesktop.org,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 22, 2019 at 4:36 AM Daniel Vetter <daniel@ffwll.ch> wrote:
>
> On Mon, Oct 21, 2019 at 01:52:49PM -0500, Navid Emamdoost wrote:
> > In the impelementation of v3d_submit_cl_ioctl() there are two memory
> > leaks. One is when allocation for bin fails, and the other is when bin
> > initialization fails. If kcalloc fails to allocate memory for bin then
> > render->base should be put. Also, if v3d_job_init() fails to initialize
> > bin->base then allocated memory for bin should be released.
> >
> > Fixes: a783a09ee76d ("drm/v3d: Refactor job management.")
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > ---
> >  drivers/gpu/drm/v3d/v3d_gem.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
> > index 5d80507b539b..19c092d75266 100644
> > --- a/drivers/gpu/drm/v3d/v3d_gem.c
> > +++ b/drivers/gpu/drm/v3d/v3d_gem.c
> > @@ -557,13 +557,16 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data,
> >
> >       if (args->bcl_start != args->bcl_end) {
> >               bin = kcalloc(1, sizeof(*bin), GFP_KERNEL);
> > -             if (!bin)
> > +             if (!bin) {
> > +                     v3d_job_put(&render->base);
>
> The job isn't initialized yet, this doesn't work.
Do you mean we have to release render via kfree() here?

>
> >                       return -ENOMEM;
> > +             }
> >
> >               ret = v3d_job_init(v3d, file_priv, &bin->base,
> >                                  v3d_job_free, args->in_sync_bcl);
> >               if (ret) {
> >                       v3d_job_put(&render->base);
>
> v3d_job_put will call kfree, if you chase the callchain long enough (in
> v3d_job_free). So no bug here, this would lead to a double kfree and
> crash.
Yes, v3d_job_put() takes care of render,

> -Daniel
>
> > +                     kfree(bin);
but how about leaking bin?

> >                       return ret;
> >               }
> >
> > --
> > 2.17.1
> >
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch



-- 
Navid.