[PATCH 03/12] drm/v3d: Fix potential memory leak in the performance extension - Linux-stable-mirror

10 Jul 2024

From: Tvrtko Ursulin tvrtko.ursulin@igalia.com
If fetching of userspace memory fails during the main loop, all drm sync
objs looked up until that point will be leaked because of the missing
drm_syncobj_put.
Fix it by exporting and using a common cleanup helper.
Signed-off-by: Tvrtko Ursulin tvrtko.ursulin@igalia.com
Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job"
Cc: Maíra Canal mcanal@igalia.com
Cc: Iago Toral Quiroga itoral@igalia.com
Cc: stable@vger.kernel.org # v6.8+
---
 drivers/gpu/drm/v3d/v3d_drv.h    |  2 ++
 drivers/gpu/drm/v3d/v3d_sched.c  | 22 +++++++++++++-----
 drivers/gpu/drm/v3d/v3d_submit.c | 40 +++++++++++++++++++++-----------
 3 files changed, 44 insertions(+), 20 deletions(-)

diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h
index 95651c3c926f..38c80168da51 100644
--- a/drivers/gpu/drm/v3d/v3d_drv.h
+++ b/drivers/gpu/drm/v3d/v3d_drv.h
@@ -565,6 +565,8 @@ void v3d_mmu_remove_ptes(struct v3d_bo *bo);
 /* v3d_sched.c */
 void __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo,
    			     unsigned int count);
+void __v3d_performance_query_info_free(struct v3d_performance_query_info *qinfo,
+				       unsigned int count);
 void v3d_job_update_stats(struct v3d_job *job, enum v3d_queue queue);
 int v3d_sched_init(struct v3d_dev *v3d);
 void v3d_sched_fini(struct v3d_dev *v3d);
diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
index e45d3ddc6f82..173801aa54ee 100644
--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -87,20 +87,30 @@ __v3d_timestamp_query_info_free(struct v3d_timestamp_query_info *qinfo,
    }
 }
+void
+__v3d_performance_query_info_free(struct v3d_performance_query_info *qinfo,
+				  unsigned int count)
+{
+	if (qinfo->queries) {
+		unsigned int i;
+
+		for (i = 0; i < count; i++)
+			drm_syncobj_put(qinfo->queries[i].syncobj);
+
+		kvfree(qinfo->queries);
+	}
+}
+
 static void
 v3d_cpu_job_free(struct drm_sched_job *sched_job)
 {
    struct v3d_cpu_job *job = to_cpu_job(sched_job);
-	struct v3d_performance_query_info *performance_query = &job->performance_query;
__v3d_timestamp_query_info_free(&job->timestamp_query,
    				job->timestamp_query.count);
-	if (performance_query->queries) {
-		for (int i = 0; i < performance_query->count; i++)
-			drm_syncobj_put(performance_query->queries[i].syncobj);
-		kvfree(performance_query->queries);
-	}
+	__v3d_performance_query_info_free(&job->performance_query,
+					  job->performance_query.count);
v3d_job_cleanup(&job->base);
 }
diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
index 2818afdd4807..ca1b1ad0a75c 100644
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -637,6 +637,7 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
    u32 __user *syncs;
    u64 __user *kperfmon_ids;
    struct drm_v3d_reset_performance_query reset;
+	int err;
if (!job) {
    	DRM_DEBUG("CPU job extension was attached to a GPU job.\n");
@@ -672,32 +673,36 @@ v3d_get_cpu_reset_performance_params(struct drm_file *file_priv,
    	u32 id;
if (copy_from_user(&sync, syncs++, sizeof(sync))) {
-			kvfree(job->performance_query.queries);
-			return -EFAULT;
+			err = -EFAULT;
+			goto error;
    	}
-		job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
-
    	if (copy_from_user(&ids, kperfmon_ids++, sizeof(ids))) {
-			kvfree(job->performance_query.queries);
-			return -EFAULT;
+			err = -EFAULT;
+			goto error;
    	}
ids_pointer = u64_to_user_ptr(ids);
for (int j = 0; j < reset.nperfmons; j++) {
    		if (copy_from_user(&id, ids_pointer++, sizeof(id))) {
-				kvfree(job->performance_query.queries);
-				return -EFAULT;
+				err = -EFAULT;
+				goto error;
    		}
job->performance_query.queries[i].kperfmon_ids[j] = id;
    	}
+
+		job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
    }
    job->performance_query.count = reset.count;
    job->performance_query.nperfmons = reset.nperfmons;
return 0;
+
+error:
+	__v3d_performance_query_info_free(qinfo, i);
+	return err;
 }
static int
@@ -708,6 +713,7 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
    u32 __user *syncs;
    u64 __user *kperfmon_ids;
    struct drm_v3d_copy_performance_query copy;
+	int err;
if (!job) {
    	DRM_DEBUG("CPU job extension was attached to a GPU job.\n");
@@ -746,27 +752,29 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
    	u32 id;
if (copy_from_user(&sync, syncs++, sizeof(sync))) {
-			kvfree(job->performance_query.queries);
-			return -EFAULT;
+			err = -EFAULT;
+			goto error;
    	}
job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
if (copy_from_user(&ids, kperfmon_ids++, sizeof(ids))) {
-			kvfree(job->performance_query.queries);
-			return -EFAULT;
+			err = -EFAULT;
+			goto error;
    	}
ids_pointer = u64_to_user_ptr(ids);
for (int j = 0; j < copy.nperfmons; j++) {
    		if (copy_from_user(&id, ids_pointer++, sizeof(id))) {
-				kvfree(job->performance_query.queries);
-				return -EFAULT;
+				err = -EFAULT;
+				goto error;
    		}
job->performance_query.queries[i].kperfmon_ids[j] = id;
    	}
+
+		job->performance_query.queries[i].syncobj = drm_syncobj_find(file_priv, sync);
    }
    job->performance_query.count = copy.count;
    job->performance_query.nperfmons = copy.nperfmons;
@@ -779,6 +787,10 @@ v3d_get_cpu_copy_performance_query_params(struct drm_file *file_priv,
    job->copy.stride = copy.stride;
return 0;
+
+error:
+	__v3d_performance_query_info_free(qinfo, i);
+	return err;
 }
/* Whenever userspace sets ioctl extensions, v3d_get_extensions parses data
-- 
2.44.0



    