NetBSD-Bugs archive


re: kern/56826: Kernel memory leak with Nvidia GPU



The following reply was made to PR kern/56826; it has been noted by GNATS.

From: matthew green <mrg%eterna.com.au@localhost>
To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
    netbsd-bugs%netbsd.org@localhost, gnats-bugs%netbsd.org@localhost
Cc: 
Subject: re: kern/56826: Kernel memory leak with Nvidia GPU
Date: Tue, 31 May 2022 14:18:45 +1000

 OK, I think I figured it out.
 
 When nvkm_mem_new_host() is called via the in-kernel ioctl method
 it passes the dmamap in via "args->v0.dma", and we borrow this
 dmamap for this memory.  (I don't claim to understand what this is
 really doing.)  In this case, we don't call bus_dmamap_create(),
 so someone else owns this dmamap, and it can be destroyed before
 the dtor for this memory is called.  This means that by the time
 it's called for this memory, "mem->dmamap" is invalid and can't
 be safely used.  Fortunately, in this case, the "mem->nseg" member
 is already the right value for the case that calls _create(), and so
 copying dm_nsegs in the non-_create() case gives the size needed
 for the free of mem->dma.
 
 Additionally, the bus_dmamap_create() in the non-ioctl path here
 is never destroyed.  This is the second leak.
 
    https://www.netbsd.org/~mrg/nouveau.leak.diff
 
 Works for me.  I worry about the dmamap borrowing and it being
 accessed after being freed by the real owner still, but this code is
 so very opaque and layered I have no idea.
 
 
 .mrg.
 
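The ownership problem described in the message above, modeled in C as an added illustration. This is not nouveau or NetBSD code: the `model_` structs, the liveness flag, the poisoned segment count and the two counters are assumptions made so that a stale read of a borrowed map and a never-destroyed owned map are both observable. The "fixed" destructor sizes the free from the segment count copied at construction and destroys the map only when the object created it; the "buggy" destructor reads the count through the map and never destroys it, which is the pair of defects the message describes.

```c
/*
 * Model of dmamap ownership in a memory object.  Added example, not
 * driver code: model_dmamap, model_mem and the counters are invented
 * here to make the two defects observable.
 */
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a bus_dma map: only a segment count and a liveness flag. */
struct model_dmamap {
    int dm_nsegs;
    int live;                 /* cleared by model_dmamap_destroy() */
};

static int model_maps_live = 0;   /* maps created and not yet destroyed */
static int model_dead_reads = 0;  /* reads of a map after its destroy */

static struct model_dmamap *model_dmamap_create(int nsegs)
{
    struct model_dmamap *m = calloc(1, sizeof(*m));
    if (m == NULL) abort();
    m->dm_nsegs = nsegs;
    m->live = 1;
    model_maps_live++;
    return m;
}

/* Marks the map dead and poisons its count; the owner frees the struct later. */
static void model_dmamap_destroy(struct model_dmamap *m)
{
    m->live = 0;
    m->dm_nsegs = -1;         /* a stale read now returns a useless size */
    model_maps_live--;
}

/* The only way to read a map's segment count; records reads of a dead map. */
static int model_dmamap_nsegs(const struct model_dmamap *m)
{
    if (!m->live) model_dead_reads++;
    return m->dm_nsegs;
}

/* The memory object: the map, a copy of its count, and whether we own the map. */
struct model_mem {
    struct model_dmamap *dmamap;
    int nseg;
    int owns_map;
    int *dma;                 /* stand-in for the per-segment array freed in the dtor */
};

/* ioctl-style path: borrow the caller's map; copy nseg now, while it is valid. */
static struct model_mem *model_mem_new_borrowed(struct model_dmamap *map)
{
    struct model_mem *mem = calloc(1, sizeof(*mem));
    if (mem == NULL) abort();
    mem->dmamap = map;
    mem->owns_map = 0;
    mem->nseg = model_dmamap_nsegs(map);
    mem->dma = calloc((size_t)mem->nseg, sizeof(*mem->dma));
    return mem;
}

/* non-ioctl path: create the map here, so this object owns it. */
static struct model_mem *model_mem_new_created(int nsegs)
{
    struct model_mem *mem = calloc(1, sizeof(*mem));
    if (mem == NULL) abort();
    mem->dmamap = model_dmamap_create(nsegs);
    mem->owns_map = 1;
    mem->nseg = nsegs;
    mem->dma = calloc((size_t)nsegs, sizeof(*mem->dma));
    return mem;
}

/* Fixed dtor: size from the stored nseg, destroy the map only if owned.
 * Returns the segment count used for the free. */
static int model_mem_dtor(struct model_mem *mem)
{
    int n = mem->nseg;
    free(mem->dma);
    if (mem->owns_map)
        model_dmamap_destroy(mem->dmamap);
    free(mem);
    return n;
}

/* Buggy dtor: reads the count through a map the owner may have destroyed,
 * and never destroys a map this object created. */
static int model_mem_dtor_buggy(struct model_mem *mem)
{
    int n = model_dmamap_nsegs(mem->dmamap);
    free(mem->dma);
    free(mem);
    return n;
}

int main(void)
{
    struct model_dmamap *map = model_dmamap_create(3);
    struct model_mem *mem = model_mem_new_borrowed(map);
    model_dmamap_destroy(map);            /* the real owner goes first */
    printf("fixed dtor freed %d segs, dead reads %d\n",
           model_mem_dtor(mem), model_dead_reads);
    free(map);
    return 0;
}
```

Run stand-alone, the program frees three segments with zero dead reads; the buggy destructor on the same sequence would read the poisoned count instead, and on the created path would leave `model_maps_live` one higher than it started.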

