From ad222c9af25e3f074c180e389b3477dce42afc4f Mon Sep 17 00:00:00 2001 From: Shravan Chippa Date: Fri, 20 Jan 2023 15:36:23 +0530 Subject: [PATCH] dmaengine: sf-pdma: pdma_desc memory leak fix [ Upstream commit b02e07015a5ac7bbc029da931ae17914b8ae0339 ] Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally allocate a new sf_pdma_desc each time it is called. The driver previously recycled descs, by checking the in_use flag, only allocating additional descs if the existing one was in use. This logic was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel"), but sf_pdma_free_desc() was not changed to handle the new behaviour. As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous descriptor is leaked, over time leading to memory starvation: unreferenced object 0xffffffe008447300 (size 192): comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s) hex dump (first 32 bytes): 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................ 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p............. backtrace: [<00000000064a04f4>] kmemleak_alloc+0x1e/0x28 [<00000000018927a7>] kmem_cache_alloc+0x11e/0x178 [<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112 Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant in_use flag. Fixes: b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel") Signed-off-by: Shravan Chippa Reviewed-by: Conor Dooley Link: https://lore.kernel.org/r/20230120100623.3530634-1-shravan.chippa@microchip.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin --- drivers/dma/sf-pdma/sf-pdma.c | 3 +-- drivers/dma/sf-pdma/sf-pdma.h | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/dma/sf-pdma/sf-pdma.c b/drivers/dma/sf-pdma/sf-pdma.c index ab0ad7a2f201..dcf2b7a4183c 100644 --- a/drivers/dma/sf-pdma/sf-pdma.c +++ b/drivers/dma/sf-pdma/sf-pdma.c @@ -96,7 +96,6 @@ sf_pdma_prep_dma_memcpy(struct dma_chan *dchan, dma_addr_t dest, dma_addr_t src, if (!desc) return NULL; - desc->in_use = true; desc->dirn = DMA_MEM_TO_MEM; desc->async_tx = vchan_tx_prep(&chan->vchan, &desc->vdesc, flags); @@ -290,7 +289,7 @@ static void sf_pdma_free_desc(struct virt_dma_desc *vdesc) struct sf_pdma_desc *desc; desc = to_sf_pdma_desc(vdesc); - desc->in_use = false; + kfree(desc); } static void sf_pdma_donebh_tasklet(struct tasklet_struct *t) diff --git a/drivers/dma/sf-pdma/sf-pdma.h b/drivers/dma/sf-pdma/sf-pdma.h index 0c20167b097d..02a229a3ae22 100644 --- a/drivers/dma/sf-pdma/sf-pdma.h +++ b/drivers/dma/sf-pdma/sf-pdma.h @@ -82,7 +82,6 @@ struct sf_pdma_desc { u64 src_addr; struct virt_dma_desc vdesc; struct sf_pdma_chan *chan; - bool in_use; enum dma_transfer_direction dirn; struct dma_async_tx_descriptor *async_tx; };