From: sashiko-bot@kernel.org
To: "Hungyu Lin" <dennylin0707@gmail.com>
Cc: dmaengine@vger.kernel.org, Frank.Li@kernel.org, vkoul@kernel.org
Subject: Re: [PATCH] dmaengine: qcom: hidma: use sysfs_emit() in sysfs show callbacks
Date: Sun, 07 Jun 2026 16:38:53 +0000
Message-ID: <20260607163854.3DCFD1F00893@smtp.kernel.org>
In-Reply-To: <20260607163119.78717-1-dennylin0707@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Missing kobject_put on error paths and driver removal leaves dangling sysfs files, leading to Use-After-Free when accessed.
--

commit fad7d7a1746d0d84aca95c02e2a6fd4400ce44f9
Author: Hungyu Lin <dennylin0707@gmail.com>

dmaengine: qcom: hidma: use sysfs_emit() in sysfs show callbacks

This commit replaces sprintf() and strlen() patterns in the sysfs show
callbacks of the hidma driver with the preferred sysfs_emit() helper.

> diff --git a/drivers/dma/qcom/hidma_mgmt_sys.c b/drivers/dma/qcom/hidma_mgmt_sys.c
> index 930eae0a6257c..9672ef9ee8fc0 100644
> --- a/drivers/dma/qcom/hidma_mgmt_sys.c
> +++ b/drivers/dma/qcom/hidma_mgmt_sys.c

[ ... ]

> @@ -143,15 +140,15 @@ static ssize_t show_values_channel(struct kobject *kobj,
>  	struct hidma_chan_attr *chattr;
>  	struct hidma_mgmt_dev *mdev;
>  
> -	buf[0] = 0;
>  	chattr = container_of(attr, struct hidma_chan_attr, attr);
>  	mdev = chattr->mdev;

[Severity: Critical]
This is a pre-existing issue, but while reviewing these sysfs callbacks,
could there be a use-after-free triggered here when mdev or chattr are
accessed?

Looking at hidma_mgmt_init_sys(), kobjects are created in loops:

	chanops = kobject_create_and_add("chanops", &mdev->pdev->dev.kobj);

However, there do not appear to be any matching kobject_put() calls on the
error paths, nor a remove callback to tear them down on driver unbind. Since
the structures backing these attributes (mdev and chattr) are managed by
devm_ allocations, they are automatically freed upon probe failure or device
unbind.

Does this allow the sysfs files to remain accessible in the filesystem,
triggering a use-after-free when reading or writing to them dereferences
the freed memory in show_values_channel()?

> +
>  	if (strcmp(attr->attr.name, "priority") == 0)
> -		sprintf(buf, "%d\n", mdev->priority[chattr->index]);
> +		return sysfs_emit(buf, "%d\n", mdev->priority[chattr->index]);
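Review bot: With `buf[0] = 0;` dropped at the top of show_values_channel() and the "priority" branch now returning sysfs_emit() directly, the path where attr->attr.name matches none of the compared names needs an explicit return value of its own. The quoted lines stop before the end of the function, so please confirm the tail returns 0 or an error code and no longer depends on strlen(buf) over a buffer that is not initialised any more.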

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260607163119.78717-1-dennylin0707@gmail.com?part=1
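The lifetime mismatch raised in the review above, as an added userspace model (not code from this thread or from the hidma driver): a reverse-order release list stands in for devres, and `struct attr_model`, `devm_add()` and `dangling_after_unbind()` are hypothetical names. It assumes one possible remedy, a teardown action registered after the kobject is created, and the kernel calls named in the comments are only modelled.

```c
/* Userspace model, constructed for illustration: not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct devres { void (*release)(void *); void *data; struct devres *next; };
struct attr_model { int live; int *backing; };  /* one "sysfs file" */

static struct devres *res_list;  /* per-device release list (hypothetical) */
static int backing_freed;        /* set once the devm-style buffer is freed */

static void devm_add(void (*release)(void *), void *data)
{
	struct devres *r = malloc(sizeof(*r));
	if (!r) abort();
	r->release = release; r->data = data;
	r->next = res_list;  /* push: newest entry is released first */
	res_list = r;
}

static void free_backing(void *p) { backing_freed = 1; free(p); }
static void remove_attr(void *p) { ((struct attr_model *)p)->live = 0; }

/* Unbind or probe failure: release in reverse order of registration. */
static void release_all(void)
{
	while (res_list) {
		struct devres *r = res_list;
		res_list = r->next;
		r->release(r->data);
		free(r);
	}
}

/* Returns 1 if a file is still registered over freed backing memory. */
static int dangling_after_unbind(int register_teardown)
{
	struct attr_model attr = { 0, calloc(1, sizeof(int)) };
	if (!attr.backing) abort();
	backing_freed = 0;
	devm_add(free_backing, attr.backing);  /* models devm_kzalloc() */
	attr.live = 1;                         /* models kobject_create_and_add() */
	if (register_teardown)                 /* models a devm action calling kobject_put() */
		devm_add(remove_attr, &attr);
	release_all();
	return attr.live && backing_freed;
}

int main(void)
{
	printf("no teardown: %d, with teardown: %d\n",
	       dangling_after_unbind(0), dangling_after_unbind(1));
	return 0;
}
```

Because the teardown entry is registered last, it runs first on release, so the file is unregistered before its backing memory goes away.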

Thread overview: 3+ messages
2026-06-07 16:31 [PATCH] dmaengine: qcom: hidma: use sysfs_emit() in sysfs show callbacks Hungyu Lin
2026-06-07 16:38 ` sashiko-bot [this message]
2026-06-07 18:30 ` Dmitry Baryshkov
