Re: [PATCH v16 15/20] drm/shmem-helper: Add memory shrinker
From: Dmitry Osipenko
Date: Thu Sep 14 2023 - 09:58:34 EST
On 9/14/23 16:27, Boris Brezillon wrote:
...
> If you added this pages_use_count > 0 check to deal with the
> 'free-partially-imported-GEM' case, I keep thinking this is not
> the right fix. You should just assume that obj->import_attach == NULL
> means not-a-prime-buffer, and then make sure
> partially-initialized-prime-GEMs have import_attach assigned (see the
> oneliner I suggested in my review of
> `[PATCH v15 01/23] drm/shmem-helper: Fix UAF in error path when
> freeing SGT of imported GEM`).
Yes, I added it to deal with the partially imported GEM. The
obj->import_attach can't be set until dma-buf is fully imported as it
also will cause trouble for the error code path, now dma-buf will be
freed two times.
>> dma_unmap_sgtable(obj->dev->dev, shmem->sgt,
>> DMA_BIDIRECTIONAL, 0);
>> sg_free_table(shmem->sgt);
>> kfree(shmem->sgt);
>>
>> __drm_gem_shmem_put_pages(shmem);
> You need to decrement pages_use_count:
>
> /* shmem->pages_use_count should be 1 when ->sgt != NULL and
> * zero otherwise. If some users still hold a pages reference
> * that's a bug, and we intentionally leak the pages so they
> * can't be re-allocated to someone else while the GPU/CPU
> * still have access to it.
> */
> if (refcount_dec_and_test(&shmem->pages_use_count))
> __drm_gem_shmem_put_pages(shmem);
>
The put_pages() itself decrements the refcnt.
I'm going back to deferring all this questionable changes for the later
times. It is not essential problem for this patchset.
--
Best regards,
Dmitry