From: sashiko-bot@kernel.org
To: "Thierry Reding" <thierry.reding@kernel.org>
Cc: "Heiko Carstens" <hca@linux.ibm.com>,
	"Alexander Gordeev" <agordeev@linux.ibm.com>,
	linux-s390@vger.kernel.org, conor+dt@kernel.org,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	dri-devel@lists.freedesktop.org, devicetree@vger.kernel.org,
	robh@kernel.org
Subject: Re: [PATCH v3 07/11] dma-buf: heaps: Add debugfs support
Date: Wed, 01 Jul 2026 16:27:28 +0000
Message-ID: <20260701162728.F132C1F000E9@smtp.kernel.org>
In-Reply-To: <20260701-tegra-vpr-v3-7-d80f7b871bb4@nvidia.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [Low] debugfs_create_dir failure handling causes namespace pollution.
- [Low] Incomplete resource teardown in newly added dma_heap_exit() function.

Pre-existing issues:
- [High] Use-After-Free due to character device exposure before uniqueness validation completes.
--

commit be3535d09b01d53c055d9d5fb7c60f03232a5ac7
Author: Thierry Reding <treding@nvidia.com>

dma-buf: heaps: Add debugfs support

Add a callback to struct dma_heap_ops that heap providers can implement
to show information about the state of the heap in debugfs. A top-level
directory named "dma_heap" is created in debugfs and individual files
will be named after the heaps.

> diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c
> index a76bf3f8b071a..1ceb6ee8c05a2 100644
> --- a/drivers/dma-buf/dma-heap.c
> +++ b/drivers/dma-buf/dma-heap.c
> @@ -224,6 +225,46 @@ const char *dma_heap_get_name(struct dma_heap *heap)

[ ... ]

> +static struct dentry *dma_heap_debugfs_dir;
> +
> +static void dma_heap_init_debugfs(void)
> +{
> +	struct dentry *dir;
> +
> +	dir = debugfs_create_dir("dma_heap", NULL);
> +	if (IS_ERR(dir))
> +		return;
> +
> +	dma_heap_debugfs_dir = dir;
> +}
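
Review bot: the IS_ERR() early return in dma_heap_init_debugfs() gets the failure mode backwards for this API. Leaving dma_heap_debugfs_dir at NULL makes the later debugfs_create_file(heap->name, 0444, dma_heap_debugfs_dir, ...) call in dma_heap_add() create the per-heap file in the debugfs root, whereas storing the ERR_PTR would make that call return the same error and create nothing. Drop the check and the `dir` local and assign unconditionally, `dma_heap_debugfs_dir = debugfs_create_dir("dma_heap", NULL);`, which also follows the debugfs convention that return values of debugfs_create_*() are not checked by callers.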

[Severity: Low]
If debugfs_create_dir() returns an error, this early return leaves
dma_heap_debugfs_dir as NULL.

Later, when dma_heap_add() calls debugfs_create_file() with this NULL parent,
won't it create the heap files directly in the debugfs root directory instead
of failing safely?

[ ... ]

> @@ -298,6 +339,13 @@ struct dma_heap *dma_heap_add(const struct dma_heap_export_info *exp_info)
>  
>  	/* Add heap to the list */
>  	list_add(&heap->list, &heap_list);
> +
> +#ifdef CONFIG_DEBUG_FS
> +	if (heap->ops && heap->ops->show)
> +		debugfs_create_file(heap->name, 0444, dma_heap_debugfs_dir,
> +				    heap, &dma_heap_debug_fops);
> +#endif
> +
>  	mutex_unlock(&heap_list_lock);
>  
>  	return heap;
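
Review bot: the dentry returned by debugfs_create_file() is discarded, so there is no handle with which to debugfs_remove() the per-heap file later, and `heap` is that file's private data; any future teardown of a heap would leave a debugfs file whose private pointer is stale. Either store the returned dentry in struct dma_heap so it can be removed alongside the heap, or state in the commit message that heaps are never unregistered and the file is only ever removed with its parent directory. The `#ifdef CONFIG_DEBUG_FS` guard around the call is also unnecessary: linux/debugfs.h provides no-op stubs when debugfs is disabled, and an unconditional call keeps both configurations compiling the same code.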

[Severity: High]
This is a pre-existing issue, but doesn't the current design of
dma_heap_add() allow a use-after-free?

The character device is made live and exposed to userspace early:

	cdev_init(&heap->heap_cdev, &dma_heap_fops);
	ret = cdev_add(&heap->heap_cdev, heap->heap_devt, 1);

But then, if the uniqueness check fails:

	list_for_each_entry(h, &heap_list, list) {
		if (!strcmp(h->name, exp_info->name)) {
			...
			goto err3;
		}

The error path frees the heap without revoking the live character device:

err0:
	kfree(heap);

If userspace opens the device concurrently before the uniqueness check fails,
could it access the freed heap object?

[ ... ]

> @@ -334,6 +382,14 @@ static int dma_heap_init(void)
>  	}
>  	dma_heap_class->devnode = dma_heap_devnode;
>  
> +	dma_heap_init_debugfs();
> +
>  	return 0;
>  }
>  subsys_initcall(dma_heap_init);
> +
> +static void __exit dma_heap_exit(void)
> +{
> +	dma_heap_exit_debugfs();
> +}
> +__exitcall(dma_heap_exit);
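
Review bot: with this file registered via subsys_initcall(dma_heap_init) as a built-in, the `.exitcall.exit` entry that __exitcall() emits is discarded at link time and the __exit section is freed, so dma_heap_exit() is never invoked and this hunk adds dead code unless the subsystem can be built as a module. If modular unload is the intent, the exit path should undo dma_heap_init() in reverse order (remove the debugfs tree created last, then destroy the class and release the chrdev region); if it is not, the commit message should say why an exit hook is being added at all.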

[Severity: Low]
Does this exit function omit teardown steps?

It cleans up debugfs but seems to be missing calls to
unregister_chrdev_region() and class_destroy() that were set up in
dma_heap_init().

If this subsystem is ever built as a loadable module, won't this leak those
resources on unload?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-tegra-vpr-v3-0-d80f7b871bb4@nvidia.com?part=7
