Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp437487ybk; Wed, 20 May 2020 03:31:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyLXxY2Ktm+XgeI7hd3h63YtdPAOruyR2LPf0IIasiMDU+wAi9UC3VkKfVrfdbnX+Mawfkj X-Received: by 2002:a17:907:b11:: with SMTP id h17mr3213338ejl.497.1589970708197; Wed, 20 May 2020 03:31:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589970708; cv=none; d=google.com; s=arc-20160816; b=ecE6DSYcYzV/prUGENMK083wnjZVJyCHpUKzZ4x0faudll+fesJy1BQPU34qTfj7nF EMLjkQbunVayVzTExp27ifYBrpyH8P41sDI18lx1Byl4oJA8QOkEztitZlf9JasWs7uK T5aj6Id65IFS/l3sSIqIIsPMLb+n7ObH6xhdgZWWPxh/bi7rF2DwotDT61R9mt5anHrm kDp9aGyExnfncKDJtlA3s71sTC95Irk1ZwEamA09vdrAK6oX3uDMkmPC3C12heLk7nhT vgx4Uk1IshTZnRBEYbiDz0/5RzxhyyYi+bqxBDH+FnaGmMKlsYpghRF718L5CPoVR3id 4UmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=6E3mtWk1qfDwjtfmX3psPQAv4Fs18Qy3W6SsTKuifhw=; b=BCuDoveWjzHcNmg8tYGSW297/+ruTR3Fgf/HmEjPw6ompKSQAOimuH9EeqddSM5pU8 v4O1zJRT0S1W8xgV9SIk2kFlCPqFGk2ecjXyUdHIgThRKP38sYvfA9TGgEMILrcyMzie qjiPviphJRZkjBCySUXHzjiIXqqXIti0+iQou2LP+OABrVs9BgS/LcQmRKnFA5plNvMv dsX4EQDBCYAsmAYj2wIzVg9YSfXw/Xeg+mQi5KpbaylTXpXf3mP3FHGRYvFVKGwKj7rm U5pduOQumyYDF28anX+fGpSRaRXR2XQ7ijt9w4a2fQJgeVyBz7S09rXkDYTjyLXkZLQG 6PDg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l16si1168772edv.461.2020.05.20.03.31.25; Wed, 20 May 2020 03:31:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726748AbgETK3Y (ORCPT + 99 others); Wed, 20 May 2020 06:29:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726720AbgETK3Y (ORCPT ); Wed, 20 May 2020 06:29:24 -0400 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D6057C061A0F for ; Wed, 20 May 2020 03:29:23 -0700 (PDT) Received: from gallifrey.ext.pengutronix.de ([2001:67c:670:201:5054:ff:fe8d:eefb] helo=localhost) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jbLyS-0004HF-Sa; Wed, 20 May 2020 12:29:20 +0200 Message-ID: Subject: Re: [PATCH] drm/etnaviv: fix memory leak when mapping prime imported buffers From: Lucas Stach To: Martin Fuzzey Cc: stable@vger.kernel.org, Christian Gmeiner , etnaviv@lists.freedesktop.org, linux-kernel@vger.kernel.org Date: Wed, 20 May 2020 12:29:19 +0200 In-Reply-To: <1589969500-6554-1-git-send-email-martin.fuzzey@flowbird.group> References: <1589969500-6554-1-git-send-email-martin.fuzzey@flowbird.group> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.2 (3.36.2-1.fc32) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-SA-Exim-Connect-IP: 2001:67c:670:201:5054:ff:fe8d:eefb X-SA-Exim-Mail-From: l.stach@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Martin, Am Mittwoch, den 20.05.2020, 12:10 +0200 schrieb Martin Fuzzey: > When using mmap() on a prime imported buffer allocated by a > different driver (such as imx-drm) the later munmap() does > not correctly decrement the refcount of the original enaviv_gem_object, > leading to a leak. > > Signed-off-by: Martin Fuzzey > Cc: stable@vger.kernel.org What's the use-case where you did hit this issue? mmap'ing of imported buffers through the etnaviv DRM device is currently not well defined and I was pondering the idea of forbidding it completely by not returning a mmap offset for those objects. Regards, Lucas > --- > drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c | 20 +++++++++++++++++++- > 1 file changed, 19 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c > index f24dd21..28a01b8 100644 > --- a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c > +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c > @@ -93,7 +93,25 @@ static void *etnaviv_gem_prime_vmap_impl(struct etnaviv_gem_object *etnaviv_obj) > static int etnaviv_gem_prime_mmap_obj(struct etnaviv_gem_object *etnaviv_obj, > struct vm_area_struct *vma) > { > - return dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0); > + int ret; > + > + ret = dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0); > + > + /* drm_gem_mmap_obj() has already been called before this function > + * and has incremented our refcount, expecting it to be decremented > + * on unmap() via drm_gem_vm_close(). > + * However dma_buf_mmap() invokes drm_gem_cma_prime_mmap() > + * that ends up updating the vma->vma_private_data to point to the > + * dma_buf's gem object. > + * Hence our gem object here will not have its refcount decremented > + * when userspace does unmap(). > + * So decrement the refcount here to avoid a memory leak if the dma > + * buf mapping was successful. > + */ > + if (!ret) > + drm_gem_object_put_unlocked(&etnaviv_obj->base); > + > + return ret; > } > > static const struct etnaviv_gem_ops etnaviv_gem_prime_ops = {