Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Thu, 13 Aug 2020 14:58:36 +0200
Message-ID: <s5ha6yyvh1f.wl-tiwai@suse.de>
From:   Takashi Iwai <tiwai@suse.de>
To:     Prateek Sood <prsood@codeaurora.org>
Cc:     mcgrof@kernel.org, gregkh@linuxfoundation.org, rafael@kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] firmware_loader: fix memory leak for paged buffer
In-Reply-To: <1597258819-14080-1-git-send-email-prsood@codeaurora.org>
References: <1597258819-14080-1-git-send-email-prsood@codeaurora.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Wed, 12 Aug 2020 21:00:19 +0200,
Prateek Sood wrote:
> 
> vfree() is being called on paged buffer allocated
> using alloc_page() and mapped using vmap().
> 
> Freeing of pages in vfree() relies on nr_pages of
> struct vm_struct. vmap() does not update nr_pages.
> It can lead to memory leaks.
> 
> Signed-off-by: Prateek Sood <prsood@codeaurora.org>

Thanks for spotting this out!  This is essentially a revert of the
commit ddaf29fd9bb6 ("firmware: Free temporary page table after
vmapping"), so better to mention it via Fixes tag as well as Cc to
stable.

About the changes:
> --- a/drivers/base/firmware_loader/firmware.h
> +++ b/drivers/base/firmware_loader/firmware.h
> @@ -142,10 +142,12 @@ static inline void fw_state_done(struct fw_priv *fw_priv)
>  void fw_free_paged_buf(struct fw_priv *fw_priv);
>  int fw_grow_paged_buf(struct fw_priv *fw_priv, int pages_needed);
>  int fw_map_paged_buf(struct fw_priv *fw_priv);
> +bool fw_is_paged_buf(struct fw_priv *fw_priv);

I guess this isn't necessary if we just swap the call order of
fw_free_paged_buf() and vfree(); then fw_priv->is_paged_buf is
referred only in fw_free_paged_buf().
That is, something like below.

In anyway, take my review tag:
  Reviewed-by: Takashi Iwai <tiwai@suse.de>


thanks,

Takashi

--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -252,9 +252,9 @@ static void __free_fw_priv(struct kref *ref)
 	list_del(&fw_priv->list);
 	spin_unlock(&fwc->lock);
 
-	fw_free_paged_buf(fw_priv); /* free leftover pages */
 	if (!fw_priv->allocated_size)
 		vfree(fw_priv->data);
+	fw_free_paged_buf(fw_priv); /* free leftover pages */
 	kfree_const(fw_priv->fw_name);
 	kfree(fw_priv);
 }
@@ -272,7 +272,7 @@ void fw_free_paged_buf(struct fw_priv *fw_priv)
 {
 	int i;
 
-	if (!fw_priv->pages)
+	if (!fw_priv->is_paged_buf)
 		return;
 
 	for (i = 0; i < fw_priv->nr_pages; i++)
@@ -328,10 +328,6 @@ int fw_map_paged_buf(struct fw_priv *fw_priv)
 	if (!fw_priv->data)
 		return -ENOMEM;
 
-	/* page table is no longer needed after mapping, let's free */
-	kvfree(fw_priv->pages);
-	fw_priv->pages = NULL;
-
 	return 0;
 }
 #endif