NetBSD-Bugs archive


re: kern/56826: Kernel memory leak with Nvidia GPU



OK, i think i figured it out.

when nvkm_mem_new_host() is called via the in-kernel ioctl method
it passes the dmamap in via "args->v0.dma", and we borrow this
dmamap for this memory.  (i don't claim to understand what this is
really doing.)  in this case, we don't call bus_dmamap_create(),
so someone else owns this dmamap, and it can be destroyed before
the dtor for this memory is called.  this means that by the time
it's called for this memory, "mem->dmamap" is invalid and can't
be safely used.  fortunately, in this case, the "mem->nseg" member
is already the right value for the _create() case, and so
copying dm_nsegs in the non-_create() case gives the size needed
for the free of mem->dma.

additionally, the bus_dmamap_create() in the non-ioctl path here
is never destroyed.  this is the second leak.

   https://www.netbsd.org/~mrg/nouveau.leak.diff

works for me.  i worry about the dmamap borrowing and it being
accessed after freed by the real owner still, but this code is
so very opaque and layered i have no idea.


.mrg.
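The ownership rule the message above describes (a memory object either creates its own dmamap and must destroy it, or borrows one from the caller and must never read it again in its destructor, because the owner may already have destroyed it) is easy to get wrong, so here is a constructed model of it in plain C. This is an added example, not nouveau or NetBSD code and not the diff linked above: `struct dmamap`, `mem_new_host`, `mem_dtor` and the counters are hypothetical stand-ins for `bus_dmamap_t`, `nvkm_mem_new_host()` and the real dtor, with `dmamap_create`/`dmamap_destroy` mocking `bus_dmamap_create()`/`bus_dmamap_destroy()`. It shows both fixes: caching `dm_nsegs` at construction so the free of `mem->dma` never depends on a possibly-dead borrowed map, and destroying the map only on the path that created it.

```c
/*
 * Constructed model of dmamap ownership (hypothetical names, not driver code).
 * Two construction paths:
 *   - borrowed == NULL: we create the map ourselves and must destroy it.
 *   - borrowed != NULL: the caller owns the map; we copy what we need now
 *     and never dereference it again, since the owner may destroy it first.
 */
#include <stdbool.h>
#include <stdlib.h>

/* Stand-in for bus_dmamap_t: segment count plus a flag the mock owner sets. */
struct dmamap {
    int dm_nsegs;
    bool destroyed;
};

struct seg { unsigned long addr, len; };

struct mem {
    struct dmamap *dmamap;
    bool owns_dmamap;   /* true only when we called dmamap_create() */
    int nseg;           /* cached at construction; sizes the free of dma */
    struct seg *dma;    /* nseg entries */
};

/* Counters so a caller can verify create/destroy balance (the second leak). */
static int maps_created, maps_destroyed;

static struct dmamap *dmamap_create(int nsegs) {
    struct dmamap *m = calloc(1, sizeof *m);
    if (m) { m->dm_nsegs = nsegs; maps_created++; }
    return m;
}

/* Mock teardown: marks the map dead but leaves the struct for inspection. */
static void dmamap_destroy(struct dmamap *m) {
    m->destroyed = true;
    m->dm_nsegs = -1;   /* simulate garbage after the owner is done with it */
    maps_destroyed++;
}

static struct mem *mem_new_host(int nsegs, struct dmamap *borrowed) {
    struct mem *mem = calloc(1, sizeof *mem);
    if (!mem) return NULL;
    if (borrowed) {
        mem->dmamap = borrowed;
        mem->owns_dmamap = false;
        mem->nseg = borrowed->dm_nsegs;  /* copy dm_nsegs while the map is valid */
    } else {
        mem->dmamap = dmamap_create(nsegs);
        if (!mem->dmamap) { free(mem); return NULL; }
        mem->owns_dmamap = true;
        mem->nseg = nsegs;
    }
    mem->dma = calloc((size_t)mem->nseg, sizeof *mem->dma);
    if (!mem->dma) {
        if (mem->owns_dmamap) { dmamap_destroy(mem->dmamap); free(mem->dmamap); }
        free(mem);
        return NULL;
    }
    return mem;
}

/* Destructor: frees dma using the cached nseg and only destroys a map we own. */
static void mem_dtor(struct mem *mem) {
    free(mem->dma);                      /* size came from mem->nseg, not the map */
    if (mem->owns_dmamap) {              /* created on the non-ioctl path: destroy it */
        dmamap_destroy(mem->dmamap);
        free(mem->dmamap);
    }
    mem->dmamap = NULL;                  /* a borrowed map is not ours to touch */
    free(mem);
}

/* Borrowed-map scenario: owner tears the map down before our dtor runs.
 * Returns the nseg the dtor relied on (3), which survives the owner's teardown. */
int scenario_borrowed(void) {
    struct dmamap *owner_map = dmamap_create(3);
    struct mem *mem = mem_new_host(0, owner_map);
    dmamap_destroy(owner_map);           /* owner goes first; dm_nsegs is now garbage */
    int nseg_used = mem->nseg;           /* still 3, copied at construction */
    mem_dtor(mem);                       /* must not read owner_map */
    free(owner_map);
    return nseg_used;
}

/* Owned-map scenario: returns true when every map we created was destroyed. */
bool scenario_owned_balanced(void) {
    int before_created = maps_created, before_destroyed = maps_destroyed;
    struct mem *mem = mem_new_host(4, NULL);
    if (!mem) return false;
    mem_dtor(mem);
    return (maps_created - before_created) == 1 &&
           (maps_destroyed - before_destroyed) == 1;
}
```

The borrowed scenario deliberately scribbles on `dm_nsegs` when the owner destroys the map; the destructor still frees `dma` correctly because it sizes the free from the value cached in `mem->nseg`, which is the same reason copying `dm_nsegs` in the non-`_create()` case works in the report above.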

