[android-common:android12-5.4 14396/19165] drivers/dma-buf/heaps/system_heap.c:351 system_heap_buf_free() error: buffer overflow 'pools' 3 <= 3 (assuming for loop doesn't break)

[kernel test robot <lkp@intel.com>]

[-- Attachment #1: Type: text/plain, Size: 3603 bytes --]

CC: kbuild-all(a)lists.01.org
TO: cros-kernel-buildreports(a)googlegroups.com

tree:   https://android.googlesource.com/kernel/common android12-5.4
head:   60bad4df861dfeb5dacdb734c9064cc83170e65f
commit: e3919bfeb0066ab9b5f9765e5610b95672990e64 [14396/19165] ANDROID: dma-buf: system_heap: Add deferred freeing to the system heap
:::::: branch date: 3 days ago
:::::: commit date: 9 months ago
config: x86_64-rhel-8.3-kselftests (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
drivers/dma-buf/heaps/system_heap.c:351 system_heap_buf_free() error: buffer overflow 'pools' 3 <= 3 (assuming for loop doesn't break)

vim +351 drivers/dma-buf/heaps/system_heap.c

44008f99d9ca07 John Stultz 2019-06-06  325  
e3919bfeb0066a John Stultz 2020-12-09  326  static void system_heap_buf_free(struct deferred_freelist_item *item,
e3919bfeb0066a John Stultz 2020-12-09  327  				 enum df_reason reason)
fc004422dadc12 John Stultz 2020-09-25  328  {
e3919bfeb0066a John Stultz 2020-12-09  329  	struct system_heap_buffer *buffer;
fc004422dadc12 John Stultz 2020-09-25  330  	struct sg_table *table;
fc004422dadc12 John Stultz 2020-09-25  331  	struct scatterlist *sg;
44008f99d9ca07 John Stultz 2019-06-06  332  	int i, j;
44008f99d9ca07 John Stultz 2019-06-06  333  
e3919bfeb0066a John Stultz 2020-12-09  334  	buffer = container_of(item, struct system_heap_buffer, deferred_free);
44008f99d9ca07 John Stultz 2019-06-06  335  	/* Zero the buffer pages before adding back to the pool */
e3919bfeb0066a John Stultz 2020-12-09  336  	if (reason == DF_NORMAL)
e3919bfeb0066a John Stultz 2020-12-09  337  		if (system_heap_zero_buffer(buffer))
e3919bfeb0066a John Stultz 2020-12-09  338  			reason = DF_UNDER_PRESSURE; // On failure, just free
fc004422dadc12 John Stultz 2020-09-25  339  
fc004422dadc12 John Stultz 2020-09-25  340  	table = &buffer->sg_table;
703f43c5810e08 John Stultz 2020-09-26  341  	for_each_sg(table->sgl, sg, table->nents, i) {
703f43c5810e08 John Stultz 2020-09-26  342  		struct page *page = sg_page(sg);
703f43c5810e08 John Stultz 2020-09-26  343  
e3919bfeb0066a John Stultz 2020-12-09  344  		if (reason == DF_UNDER_PRESSURE) {
e3919bfeb0066a John Stultz 2020-12-09  345  			__free_pages(page, compound_order(page));
e3919bfeb0066a John Stultz 2020-12-09  346  		} else {
44008f99d9ca07 John Stultz 2019-06-06  347  			for (j = 0; j < NUM_ORDERS; j++) {
44008f99d9ca07 John Stultz 2019-06-06  348  				if (compound_order(page) == orders[j])
44008f99d9ca07 John Stultz 2019-06-06  349  					break;
44008f99d9ca07 John Stultz 2019-06-06  350  			}
44008f99d9ca07 John Stultz 2019-06-06 @351  			dmabuf_page_pool_free(pools[j], page);
703f43c5810e08 John Stultz 2020-09-26  352  		}
e3919bfeb0066a John Stultz 2020-12-09  353  	}
fc004422dadc12 John Stultz 2020-09-25  354  	sg_free_table(table);
c02e6ccc5a4aab John Stultz 2019-12-03  355  	kfree(buffer);
c02e6ccc5a4aab John Stultz 2019-12-03  356  }
c02e6ccc5a4aab John Stultz 2019-12-03  357  

:::::: The code@line 351 was first introduced by commit
:::::: 44008f99d9ca0793e2562967e1da01fa74ee4a41 ANDROID: dma-buf: system_heap: Add pagepool support to system heap

:::::: TO: John Stultz <john.stultz@linaro.org>
:::::: CC: John Stultz <john.stultz@linaro.org>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 37424 bytes --]