From: sashiko-bot@kernel.org
To: "Thierry Reding" <thierry.reding@kernel.org>
Cc: "Heiko Carstens" <hca@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>,
linux-s390@vger.kernel.org, conor+dt@kernel.org,
"Vasily Gorbik" <gor@linux.ibm.com>,
dri-devel@lists.freedesktop.org, devicetree@vger.kernel.org,
robh@kernel.org
Subject: Re: [PATCH v3 07/11] dma-buf: heaps: Add debugfs support
Date: Wed, 01 Jul 2026 16:27:28 +0000
Message-ID: <20260701162728.F132C1F000E9@smtp.kernel.org>
In-Reply-To: <20260701-tegra-vpr-v3-7-d80f7b871bb4@nvidia.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [Low] debugfs_create_dir failure handling causes namespace pollution.
- [Low] Incomplete resource teardown in newly added dma_heap_exit() function.

Pre-existing issues:
- [High] Use-After-Free due to character device exposure before uniqueness validation completes.
--

commit be3535d09b01d53c055d9d5fb7c60f03232a5ac7
Author: Thierry Reding <treding@nvidia.com>

dma-buf: heaps: Add debugfs support

Add a callback to struct dma_heap_ops that heap providers can implement
to show information about the state of the heap in debugfs. A top-level
directory named "dma_heap" is created in debugfs and individual files
will be named after the heaps.

> diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c
> index a76bf3f8b071a..1ceb6ee8c05a2 100644
> --- a/drivers/dma-buf/dma-heap.c
> +++ b/drivers/dma-buf/dma-heap.c
> @@ -224,6 +225,46 @@ const char *dma_heap_get_name(struct dma_heap *heap)
[ ... ]
> +static struct dentry *dma_heap_debugfs_dir;
> +
> +static void dma_heap_init_debugfs(void)
> +{
> + struct dentry *dir;
> +
> + dir = debugfs_create_dir("dma_heap", NULL);
> + if (IS_ERR(dir))
> + return;
> +
> + dma_heap_debugfs_dir = dir;
> +}
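
Review bot: the `if (IS_ERR(dir)) return;` in dma_heap_init_debugfs() throws the error pointer away, so after a failure the static dma_heap_debugfs_dir cannot be told apart from a deliberate "no parent" value. Assigning the result of debugfs_create_dir() to dma_heap_debugfs_dir unconditionally would remove the branch and make the later debugfs_create_file() call receive the error pointer as its parent instead of NULL.
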
[Severity: Low]
If debugfs_create_dir() returns an error, this early return leaves
dma_heap_debugfs_dir as NULL.
Later, when dma_heap_add() calls debugfs_create_file() with this NULL parent,
won't it create the heap files directly in the debugfs root directory instead
of failing safely?
[ ... ]
> @@ -298,6 +339,13 @@ struct dma_heap *dma_heap_add(const struct dma_heap_export_info *exp_info)
>
> /* Add heap to the list */
> list_add(&heap->list, &heap_list);
> +
> +#ifdef CONFIG_DEBUG_FS
> + if (heap->ops && heap->ops->show)
> + debugfs_create_file(heap->name, 0444, dma_heap_debugfs_dir,
> + heap, &dma_heap_debug_fops);
> +#endif
> +
> mutex_unlock(&heap_list_lock);
>
> return heap;
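
Review bot: the debugfs_create_file() call added to dma_heap_add() passes heap as the file's data pointer and drops the returned dentry, so nothing in this hunk can remove that one file again and the file is only safe for as long as the heap is never freed. Consider keeping the dentry in struct dma_heap, or documenting in a comment that heaps are never removed. The inline `#ifdef CONFIG_DEBUG_FS` could also move into a helper next to dma_heap_init_debugfs(), which is called without one.
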
[Severity: High]
This is a pre-existing issue, but doesn't the current design of
dma_heap_add() allow a use-after-free?
The character device is made live and exposed to userspace early:

    cdev_init(&heap->heap_cdev, &dma_heap_fops);
    ret = cdev_add(&heap->heap_cdev, heap->heap_devt, 1);

But then, if the uniqueness check fails:

    list_for_each_entry(h, &heap_list, list) {
        if (!strcmp(h->name, exp_info->name)) {
            ...
            goto err3;
        }

The error path frees the heap without revoking the live character device:

    err0:
        kfree(heap);

If userspace opens the device concurrently before the uniqueness check fails,
could it access the freed heap object?
[ ... ]
> @@ -334,6 +382,14 @@ static int dma_heap_init(void)
> }
> dma_heap_class->devnode = dma_heap_devnode;
>
> + dma_heap_init_debugfs();
> +
> return 0;
> }
> subsys_initcall(dma_heap_init);
> +
> +static void __exit dma_heap_exit(void)
> +{
> + dma_heap_exit_debugfs();
> +}
> +__exitcall(dma_heap_exit);
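
Review bot: dma_heap_exit() is registered with __exitcall() while dma_heap_init() stays on subsys_initcall(), and neither the commit message nor a comment says when the exit path is expected to run. If a modular build is intended, module_exit() is the usual registration and the commit message should say so; if it is not, the exit function and its dma_heap_exit_debugfs() call can be dropped.
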
[Severity: Low]
Does this exit function omit teardown steps?
It cleans up debugfs but seems to be missing calls to
unregister_chrdev_region() and class_destroy() that were set up in
dma_heap_init().
If this subsystem is ever built as a loadable module, won't this leak those
resources on unload?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-tegra-vpr-v3-0-d80f7b871bb4@nvidia.com?part=7
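
The ordering problem raised in the [Severity: High] comment, as an added single-threaded userspace model (not code from the patch, the kernel tree or the review bot): with `publish_first=1` the object is exposed before the name check and released on a duplicate, while `publish_first=0` is one possible ordering that checks first. `struct model`, `model_heap_add()`, `stale_published()` and the heap name used to exercise them are constructed for this illustration.

```c
#include <string.h>

/* Constructed userspace model, not kernel code: pool[] stands in for
 * kzalloc()/kfree(), published[] for the live cdev, registry[] for heap_list. */
#define MAX_HEAPS 8
struct heap { char name[16]; int in_use; };
struct model {
	struct heap pool[MAX_HEAPS], *published[MAX_HEAPS], *registry[MAX_HEAPS];
	int nalloc, npub, nreg;
};

static int name_taken(const struct model *m, const char *name)
{
	for (int i = 0; i < m->nreg; i++)
		if (!strcmp(m->registry[i]->name, name))
			return 1;
	return 0;
}

/* publish_first=1: expose, check, free (the ordering the review questions).
 * publish_first=0: check the name first, expose only a validated heap. */
static struct heap *model_heap_add(struct model *m, const char *name, int publish_first)
{
	struct heap *h;

	if (m->nalloc == MAX_HEAPS)
		return NULL;
	h = &m->pool[m->nalloc++];	/* model must start zero-initialized */
	strncpy(h->name, name, sizeof(h->name) - 1);
	h->in_use = 1;
	if (publish_first)
		m->published[m->npub++] = h;	/* reachable before validation */
	if (name_taken(m, name)) {
		h->in_use = 0;	/* "kfree": published[] is not revoked */
		return NULL;
	}
	if (!publish_first)
		m->published[m->npub++] = h;	/* reachable only once validated */
	m->registry[m->nreg++] = h;
	return h;
}

/* Exposed entries that refer to a released object. */
static int stale_published(const struct model *m)
{
	int n = 0;
	for (int i = 0; i < m->npub; i++)
		n += !m->published[i]->in_use;
	return n;
}
```

Registering the same name twice leaves one stale exposed entry in the publish-first ordering and none in the check-first ordering.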