From: Dan Carpenter <dan.carpenter@oracle.com>
To: quic_charante@quicinc.com
Cc: dri-devel@lists.freedesktop.org
Subject: [bug report] dma-buf: call dma_buf_stats_setup after dmabuf is in valid list
Date: Mon, 16 May 2022 09:49:37 +0300
Message-ID: <YoH0AcDvgowmOot4@kili>

Hello Charan Teja Reddy,

The patch ef3a6b70507a: "dma-buf: call dma_buf_stats_setup after
dmabuf is in valid list" from May 10, 2022, leads to the following
Smatch static checker warning:

	drivers/dma-buf/dma-buf.c:569 dma_buf_export()
	warn: '&dmabuf->list_node' not removed from list

drivers/dma-buf/dma-buf.c
   538          file = dma_buf_getfile(dmabuf, exp_info->flags);
   539          if (IS_ERR(file)) {
   540                  ret = PTR_ERR(file);
   541                  goto err_dmabuf;
   542          }
   543  
   544          file->f_mode |= FMODE_LSEEK;
   545          dmabuf->file = file;
   546  
   547          mutex_init(&dmabuf->lock);
   548          INIT_LIST_HEAD(&dmabuf->attachments);
   549  
   550          mutex_lock(&db_list.lock);
   551          list_add(&dmabuf->list_node, &db_list.head);

Added to the list

   552          mutex_unlock(&db_list.lock);
   553  
   554          ret = dma_buf_stats_setup(dmabuf);
   555          if (ret)
   556                  goto err_sysfs;

Goto

   557  
   558          return dmabuf;
   559  
   560  err_sysfs:
   561          /*
   562           * Set file->f_path.dentry->d_fsdata to NULL so that when
   563           * dma_buf_release() gets invoked by dentry_ops, it exits
   564           * early before calling the release() dma_buf op.
   565           */
   566          file->f_path.dentry->d_fsdata = NULL;
   567          fput(file);
   568  err_dmabuf:
   569          kfree(dmabuf);

dmabuf is freed, but it's still on the list so it leads to a use after
free.

   570  err_module:
   571          module_put(exp_info->owner);
   572          return ERR_PTR(ret);
   573  }

regards,
dan carpenter
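
The failure mode reported above, as an added userspace C model (not kernel code, and not the fix discussed in the thread): an object is put on a global list, a later setup step fails, and the error path frees it. All names (`buf_export`, `node_del`, `freed_while_linked`, the `fail_stats` switch) are hypothetical; locking is only noted in comments.

```c
#include <stdlib.h>

/* Userspace model; every name here is illustrative, not kernel API. */
struct list_head { struct list_head *next, *prev; };
struct buf { size_t size; struct list_head list_node; };

static struct list_head db_head = { &db_head, &db_head }; /* models db_list.head */
int freed_while_linked; /* frees of a node that was still on the list */

static void node_add(struct list_head *n, struct list_head *h)
{
	n->next = h->next; n->prev = h;
	h->next->prev = n; h->next = n;
}

static void node_del(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = NULL; /* NULL marks the node as unlinked */
}

int db_list_empty(void) { return db_head.next == &db_head; }

static void buf_free(struct buf *b)
{
	if (b->list_node.next) /* tested before free(), never after */
		freed_while_linked++;
	free(b);
}

/* unlink_on_error = 0 models the reported unwinding; 1 unlinks before freeing. */
struct buf *buf_export(size_t size, int fail_stats, int unlink_on_error)
{
	struct buf *b = calloc(1, sizeof(*b));
	if (!b)
		return NULL;
	b->size = size;
	node_add(&b->list_node, &db_head); /* kernel code holds db_list.lock here */
	if (!fail_stats) /* constructed switch standing in for a failing late setup step */
		return b;
	if (unlink_on_error)
		node_del(&b->list_node); /* would also need the list lock */
	buf_free(b);
	return NULL;
}

void buf_release(struct buf *b) { node_del(&b->list_node); buf_free(b); }

int main(void) { buf_export(64, 1, 1); return db_list_empty() ? 0 : 1; }
```

With `unlink_on_error = 0` the list head is left pointing at freed memory, so the model's list must not be walked afterwards; the counter is the only safe way to observe the stale entry.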
