Message ID | 20231004083226.1940055-1-wenst@chromium.org (mailing list archive) |
---|---|
State | New, archived |
Series | [v2] drm/mediatek: Correctly free sg_table in gem prime vmap |
On Wed, Oct 4, 2023 at 4:32 PM Chen-Yu Tsai <wenst@chromium.org> wrote: > > The MediaTek DRM driver implements GEM PRIME vmap by fetching the > sg_table for the object, iterating through the pages, and then > vmapping them. In essence, unlike the GEM DMA helpers which vmap > when the object is first created or imported, the MediaTek version > does it on request. > > Unfortunately, the code never correctly frees the sg_table contents. > This results in a kernel memory leak. On a Hayato device with a text > console on the internal display, this results in the system running > out of memory in a few days from all the console screen cursor updates. > > Add sg_free_table() to correctly free the contents of the sg_table. This > was missing despite explicitly required by mtk_gem_prime_get_sg_table(). > > Also move the "out" shortcut label to after the kfree() call for the > sg_table. Having sg_free_table() together with kfree() makes more sense. > The shortcut is only used when the object already has a kernel address, > in which case the pointer is NULL and kfree() does nothing. Hence this > change causes no functional change. > > Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function") > Cc: <stable@vger.kernel.org> > Signed-off-by: Chen-Yu Tsai <wenst@chromium.org> > --- Changes since v1: - Move "out" shortcut label to after sg_free_table() and kfree() > Please merge for v6.6 fixes. > > Also, I was wondering why the MediaTek DRM driver implements a lot of > the GEM functionality itself, instead of using the GEM DMA helpers. > From what I could tell, the code closely follows the DMA helpers, except > that it vmaps the buffers only upon request. > > drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > index 9f364df52478..0e0a41b2f57f 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c 
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > @@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) > npages = obj->size >> PAGE_SHIFT; > mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL); > if (!mtk_gem->pages) { > + sg_free_table(sgt); > kfree(sgt); > return -ENOMEM; > } > @@ -248,12 +249,15 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) > mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, > pgprot_writecombine(PAGE_KERNEL)); > if (!mtk_gem->kvaddr) { > + sg_free_table(sgt); > kfree(sgt); > kfree(mtk_gem->pages); > return -ENOMEM; > } > -out: > + sg_free_table(sgt); > kfree(sgt); > + > +out: > iosys_map_set_vaddr(map, mtk_gem->kvaddr); > > return 0; > -- > 2.42.0.582.g8ccd20d70d-goog >
Hi, Chen-yu:

On Wed, 2023-10-04 at 16:32 +0800, Chen-Yu Tsai wrote:
> The MediaTek DRM driver implements GEM PRIME vmap by fetching the
> sg_table for the object, iterating through the pages, and then
> vmapping them. In essence, unlike the GEM DMA helpers which vmap
> when the object is first created or imported, the MediaTek version
> does it on request.
>
> Unfortunately, the code never correctly frees the sg_table contents.
> This results in a kernel memory leak. On a Hayato device with a text
> console on the internal display, this results in the system running
> out of memory in a few days from all the console screen cursor
> updates.
>
> Add sg_free_table() to correctly free the contents of the sg_table.
> This was missing despite explicitly required by
> mtk_gem_prime_get_sg_table().
>
> Also move the "out" shortcut label to after the kfree() call for the
> sg_table. Having sg_free_table() together with kfree() makes more
> sense. The shortcut is only used when the object already has a kernel
> address, in which case the pointer is NULL and kfree() does nothing.
> Hence this change causes no functional change.

Reviewed-by: CK Hu <ck.hu@mediatek.com>

>
> Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Chen-Yu Tsai <wenst@chromium.org> > --- > Please merge for v6.6 fixes. > > Also, I was wondering why the MediaTek DRM driver implements a lot of > the GEM functionality itself, instead of using the GEM DMA helpers. > From what I could tell, the code closely follows the DMA helpers, > except > that it vmaps the buffers only upon request. The reason is that priv->dma_dev is different with drm_dev, so MediaTek DRM driver have to implement its own function. Exynos DRM driver also has this problem, so it's welcome anyone to simplify both DRM driver. Regards, CK > > drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > index 9f364df52478..0e0a41b2f57f 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > @@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object > *obj, struct iosys_map *map) > npages = obj->size >> PAGE_SHIFT; > mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), > GFP_KERNEL); > if (!mtk_gem->pages) { > + sg_free_table(sgt); > kfree(sgt); > return -ENOMEM; > } > @@ -248,12 +249,15 @@ int mtk_drm_gem_prime_vmap(struct > drm_gem_object *obj, struct iosys_map *map) > mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, > pgprot_writecombine(PAGE_KERNEL)); > if (!mtk_gem->kvaddr) { > + sg_free_table(sgt); > kfree(sgt); > kfree(mtk_gem->pages); > return -ENOMEM; > } > -out: > + sg_free_table(sgt); > kfree(sgt); > + > +out: > iosys_map_set_vaddr(map, mtk_gem->kvaddr); > > return 0; > -- > 2.42.0.582.g8ccd20d70d-goog
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c index 9f364df52478..0e0a41b2f57f 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c @@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) npages = obj->size >> PAGE_SHIFT; mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL); if (!mtk_gem->pages) { + sg_free_table(sgt); kfree(sgt); return -ENOMEM; } @@ -248,12 +249,15 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map) mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, pgprot_writecombine(PAGE_KERNEL)); if (!mtk_gem->kvaddr) { + sg_free_table(sgt); kfree(sgt); kfree(mtk_gem->pages); return -ENOMEM; } -out: + sg_free_table(sgt); kfree(sgt); + +out: iosys_map_set_vaddr(map, mtk_gem->kvaddr); return 0;
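Review bot: In the first hunk, the `sg_free_table(sgt); kfree(sgt);` pair added to the `!mtk_gem->pages` branch is one of three identical copies the function ends up with (this branch, the `!mtk_gem->kvaddr` branch, and the success path). Routing both failure branches through a single error label that frees the table and returns -ENOMEM would keep the release in one place, so a future error path cannot repeat the omission this patch fixes.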
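Review bot: In the second hunk, the `!mtk_gem->kvaddr` branch calls `kfree(mtk_gem->pages)` and returns with the freed pointer still stored in `mtk_gem->pages`; setting it to NULL right after the kfree() would keep a dangling array pointer out of the object. Separately, with `out:` now below the cleanup, the label skips `sg_free_table()` and `kfree()` entirely, which is only correct while every `goto out` is taken before the sg_table is fetched; a short comment on the label, or a direct return in the early path, would make that constraint visible.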
The MediaTek DRM driver implements GEM PRIME vmap by fetching the sg_table for the object, iterating through the pages, and then vmapping them. In essence, unlike the GEM DMA helpers which vmap when the object is first created or imported, the MediaTek version does it on request.

Unfortunately, the code never correctly frees the sg_table contents. This results in a kernel memory leak. On a Hayato device with a text console on the internal display, this results in the system running out of memory in a few days from all the console screen cursor updates.

Add sg_free_table() to correctly free the contents of the sg_table. This was missing despite explicitly required by mtk_gem_prime_get_sg_table().

Also move the "out" shortcut label to after the kfree() call for the sg_table. Having sg_free_table() together with kfree() makes more sense. The shortcut is only used when the object already has a kernel address, in which case the pointer is NULL and kfree() does nothing. Hence this change causes no functional change.

Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>

---

Please merge for v6.6 fixes.

Also, I was wondering why the MediaTek DRM driver implements a lot of the GEM functionality itself, instead of using the GEM DMA helpers. From what I could tell, the code closely follows the DMA helpers, except that it vmaps the buffers only upon request.

 drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)