Message ID | 20190823100622.3892-5-srinivas.kandagatla@linaro.org |
---|---|
State | Superseded |
Headers | show |
Series | misc: fastrpc: few fixes | expand |
On 23/08/2019 16:23, Jorge Ramirez-Ortiz wrote: > can you add me as a co-author to this patch please? No problem I can do that if you feel so! > since I spent about a day doing the analysis, sent you a fix that > maintained the API used by the library and explained you how to > reproduce the issue I think it is just fair. > the fact that the api could be be modified and the fix be done a bit > differently- free dma buf ioctl removed- seems just a minor > implementation detail to me. No, that's not true, this is a clear fastrpc design issue. Userspace is already doing a refcount via mmap/unmap on that dmabuf fd, having an additional api adds another level of refcount which is totally redundant and is the root cause for this leak. --srini > > also you can add my tested-by if you want > > TIA > > On Fri, 23 Aug 2019 at 12:07, Srinivas Kandagatla > <srinivas.kandagatla@linaro.org <mailto:srinivas.kandagatla@linaro.org>> > wrote: > > dma buf refcount has to be done by the driver which is going to use > the fd. > This driver already does refcount on the dmabuf fd if its actively > using it > but also does an additional refcounting via extra ioctl. > This additional refcount can lead to memory leak in cases where the > applications fail to call the ioctl to decrement the refcount. > > So remove this extra refcount in the ioctl > > More info of dma buf usage at drivers/dma-buf/dma-buf.c > > Reported-by: Mayank Chopra <mak.chopra@codeaurora.org > <mailto:mak.chopra@codeaurora.org>> > Reported-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org > <mailto:jorge.ramirez-ortiz@linaro.org>> > Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org > <mailto:srinivas.kandagatla@linaro.org>> > --- > drivers/misc/fastrpc.c | 25 ------------------------- > 1 file changed, 25 deletions(-) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index 38829fa74f28..eee2bb398947 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -1198,26 +1198,6 @@ static int fastrpc_device_open(struct inode > *inode, struct file *filp) > return 0; > } > > -static int fastrpc_dmabuf_free(struct fastrpc_user *fl, char __user > *argp) > -{ > - struct dma_buf *buf; > - int info; > - > - if (copy_from_user(&info, argp, sizeof(info))) > - return -EFAULT; > - > - buf = dma_buf_get(info); > - if (IS_ERR_OR_NULL(buf)) > - return -EINVAL; > - /* > - * one for the last get and other for the ALLOC_DMA_BUFF ioctl > - */ > - dma_buf_put(buf); > - dma_buf_put(buf); > - > - return 0; > -} > - > static int fastrpc_dmabuf_alloc(struct fastrpc_user *fl, char > __user *argp) > { > struct fastrpc_alloc_dma_buf bp; > @@ -1253,8 +1233,6 @@ static int fastrpc_dmabuf_alloc(struct > fastrpc_user *fl, char __user *argp) > return -EFAULT; > } > > - get_dma_buf(buf->dmabuf); > - > return 0; > } > > @@ -1322,9 +1300,6 @@ static long fastrpc_device_ioctl(struct file > *file, unsigned int cmd, > case FASTRPC_IOCTL_INIT_CREATE: > err = fastrpc_init_create_process(fl, argp); > break; > - case FASTRPC_IOCTL_FREE_DMA_BUFF: > - err = fastrpc_dmabuf_free(fl, argp); > - break; > case FASTRPC_IOCTL_ALLOC_DMA_BUFF: > err = fastrpc_dmabuf_alloc(fl, argp); > break; > -- > 2.21.0 >
On 8/27/19 23:45, Srinivas Kandagatla wrote: > > On 23/08/2019 16:23, Jorge Ramirez-Ortiz wrote: >> can you add me as a co-author to this patch please? > > No problem I can do that if you feel so! yes please. thanks! > >> since I spent about a day doing the analysis, sent you a fix that >> maintained the API used by the library and explained you how to >> reproduce the issue I think it is just fair. > the fact that the api >> could be be modified and the fix be done a bit >> differently- free dma buf ioctl removed- seems just a minor >> implementation detail to me. > > No, that's not true, this is a clear fastrpc design issue. IMO the ioctls defines the contract with userspace and the contract establishes that userspace must call deallocate. the kernel wrongly implemented to that contract since it doesn't handle the cases where userspace can't send the release calls which leads to memory leaks. this is what I meant by and implementation issue. if we had many fastrpc users, rolling out the design change that you propose - removing an ioctl- would definitively have an impact. But since that is not yet the case, there is not doubt that your patch makes more sense. but my point was that there is not a huge gap in efforts between doing one or the other. > > Userspace is already doing a refcount via mmap/unmap on that dmabuf fd, > having an additional api adds another level of refcount which is totally > redundant and is the root cause for this leak. yes it is redundant but is not the root cause for this leak. the root cause is that the driver doesnt handle the case where userspace didnt or was not able to call release (and that is no more than adding allocated buffers to a list and clean on exit) > > > --srini
On 8/28/19 10:48, Srinivas Kandagatla wrote: > > > On 28/08/2019 08:50, Jorge Ramirez wrote: >> On 8/27/19 23:45, Srinivas Kandagatla wrote: >>> On 23/08/2019 16:23, Jorge Ramirez-Ortiz wrote: >>>> can you add me as a co-author to this patch please? >>> No problem I can do that if you feel so! >> yes please. thanks! >> >>>> since I spent about a day doing the analysis, sent you a fix that >>>> maintained the API used by the library and explained you how to >>>> reproduce the issue I think it is just fair. > the fact that the api >>>> could be be modified and the fix be done a bit >>>> differently- free dma buf ioctl removed- seems just a minor >>>> implementation detail to me. >>> No, that's not true, this is a clear fastrpc design issue. >> IMO the ioctls defines the contract with userspace and the contract >> establishes that userspace must call deallocate. the kernel wrongly >> implemented to that contract since it doesn't handle the cases where >> userspace can't send the release calls which leads to memory leaks. this >> is what I meant by and implementation issue. >> >> if we had many fastrpc users, rolling out the design change that you >> propose - removing an ioctl- would definitively have an impact. But >> since that is not yet the case, there is not doubt that your patch makes >> more sense. > > Exactly before it make a way into other projects! > >> >> but my point was that there is not a huge gap in efforts between doing >> one or the other. > > Thats not the point, point is about right fix! but I disagree with you about what 'right' means. in this context, for you "right" meant potentially breaking some users and implement the best possible kernel design. for me, it meant continue to obey at the agreed ioctl interface to not disturb the users. but as I said, since there is not a significant pool of fastrpc users, breaking backward compatibility with the fastrpc library is not important hence why I agree that removing the ioctl was the better choice (on this particular case). > >> >>> Userspace is already doing a refcount via mmap/unmap on that dmabuf fd, >>> having an additional api adds another level of refcount which is totally >>> redundant and is the root cause for this leak. >> yes it is redundant but is not the root cause for this leak. the root >> cause is that the driver doesnt handle the case where userspace didnt or >> was not able to call release (and that is no more than adding allocated >> buffers to a list and clean on exit) > > I don't agree with you on that. We should not take an extra refcount in > first place in driver. of course taking an extra refcount is functionally pointless. But that was a design decision that imposed something on the user. and the kernel can certainly work with that 'silly' design decision by tracking the memory in the driver. is the right thing to do to keep less than ideal designs in the kernel to support agreed user interface? IMO it depends on the use case to my eyes the design was obviously wrong, I never questioned that...that was very clear when I started tracing the code. perhaps, rather than work around it, I should have considered that removing the ioctl wouldnt be a big deal to anyone. so I would have send two patches instead of the one I sent you 1. fix leak (keep track of allocated dma buffers and make sure everything is released on exit) 2. remove unnecessary ioctl warning users. > > let me explain it one more time! cmon, I did understand it before we engaged in this discussion :) > > dmabuf has to be mmaped in userspace app before it is used, and > "Memory mappings that were created in the process shall be unmapped > before the process is destroyed" so the refcount is taken care by > mmap/unmap automatically. I would like to leave the discussion here if that is ok with you (I clearly understand your POV but I feel I am not doing a good job at sharing my thoughts...we can do that offline if you want) > > --srini > > >> >
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 38829fa74f28..eee2bb398947 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -1198,26 +1198,6 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp) return 0; } -static int fastrpc_dmabuf_free(struct fastrpc_user *fl, char __user *argp) -{ - struct dma_buf *buf; - int info; - - if (copy_from_user(&info, argp, sizeof(info))) - return -EFAULT; - - buf = dma_buf_get(info); - if (IS_ERR_OR_NULL(buf)) - return -EINVAL; - /* - * one for the last get and other for the ALLOC_DMA_BUFF ioctl - */ - dma_buf_put(buf); - dma_buf_put(buf); - - return 0; -} - static int fastrpc_dmabuf_alloc(struct fastrpc_user *fl, char __user *argp) { struct fastrpc_alloc_dma_buf bp; @@ -1253,8 +1233,6 @@ static int fastrpc_dmabuf_alloc(struct fastrpc_user *fl, char __user *argp) return -EFAULT; } - get_dma_buf(buf->dmabuf); - return 0; } @@ -1322,9 +1300,6 @@ static long fastrpc_device_ioctl(struct file *file, unsigned int cmd, case FASTRPC_IOCTL_INIT_CREATE: err = fastrpc_init_create_process(fl, argp); break; - case FASTRPC_IOCTL_FREE_DMA_BUFF: - err = fastrpc_dmabuf_free(fl, argp); - break; case FASTRPC_IOCTL_ALLOC_DMA_BUFF: err = fastrpc_dmabuf_alloc(fl, argp); break;
dma buf refcount has to be done by the driver which is going to use the fd. This driver already does refcount on the dmabuf fd if its actively using it but also does an additional refcounting via extra ioctl. This additional refcount can lead to memory leak in cases where the applications fail to call the ioctl to decrement the refcount. So remove this extra refcount in the ioctl More info of dma buf usage at drivers/dma-buf/dma-buf.c Reported-by: Mayank Chopra <mak.chopra@codeaurora.org> Reported-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> --- drivers/misc/fastrpc.c | 25 ------------------------- 1 file changed, 25 deletions(-) -- 2.21.0