Linux-mm Archive on lore.kernel.org
From: Dan Carpenter <error27@gmail.com>
To: Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>,
	linux-mm@kvack.org, Sumit Semwal <sumit.semwal@linaro.org>,
	dri-devel@lists.freedesktop.org
Cc: linaro-mm-sig@lists.linaro.org
Subject: [bug report] dma-buf: heaps: Rework heap allocation hooks to return struct dma_buf instead of fd
Date: Sat, 2 May 2026 12:40:10 +0300
Message-ID: <afXGeq1AvqFY76MY@stanley.mountain>

I'm not sure exactly who to report this bug to.  Probably the mm
devs?

	drivers/dma-buf/heaps/system_heap.c:499 system_heap_allocate()
	warn: passing positive error code 's32min-(-1),1' to 'ERR_PTR'

drivers/dma-buf/heaps/system_heap.c
    459         if (cc_shared) {
    460                 for_each_sgtable_sg(table, sg, i) {
    461                         ret = system_heap_set_page_decrypted(sg_page(sg));
    462                         if (ret)
    463                                 goto free_pages;

It kind of looks like system_heap_set_page_decrypted() can return 1.

    464                 }
    465         }
    466 
    467         /* create the dmabuf */
    468         exp_info.exp_name = dma_heap_get_name(heap);
    469         exp_info.ops = &system_heap_buf_ops;
    470         exp_info.size = buffer->len;
    471         exp_info.flags = fd_flags;
    472         exp_info.priv = buffer;
    473         dmabuf = dma_buf_export(&exp_info);
    474         if (IS_ERR(dmabuf)) {
    475                 ret = PTR_ERR(dmabuf);
    476                 goto free_pages;
    477         }
    478         return dmabuf;
    479 
    480 free_pages:
    481         for_each_sgtable_sg(table, sg, i) {
    482                 struct page *p = sg_page(sg);
    483 
    484                 /*
    485                  * Intentionally leak pages that cannot be re-encrypted
    486                  * to prevent shared memory from being reused.
    487                  */
    488                 if (buffer->cc_shared &&
    489                     system_heap_set_page_encrypted(p))
    490                         continue;
    491                 __free_pages(p, compound_order(p));
    492         }
    493         sg_free_table(table);
    494 free_buffer:
    495         list_for_each_entry_safe(page, tmp_page, &pages, lru)
    496                 __free_pages(page, compound_order(page));
    497         kfree(buffer);
    498 
--> 499         return ERR_PTR(ret);
    500 }

The problem is that add_to_pagemap() returns PM_END_OF_BUFFER (1)
which is used by pagemap_read() and nowhere else.  The call tree
is:

system_heap_allocate()
system_heap_set_page_decrypted()
set_memory_decrypted()
realm_set_memory_decrypted()
__set_memory_enc_dec()
__change_memory_common()
update_range_prot()
walk_kernel_page_table_range_lockless()
walk_pgd_range()
pagemap_pte_hole()
add_to_pagemap()

This code seems sort of old and I guess no one has reported the bug
so maybe it's a false positive, but it feels like it's asking for
problems to return the PM_END_OF_BUFFER.  There aren't any comments
on any of those functions above explaining what return values are
expected.

This email is a free service from the Smatch-CI project [smatch.sf.net].

regards,
dan carpenter
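
Added example, not part of the original email and not kernel code: a userspace model of the ERR_PTR()/IS_ERR() convention showing why the Smatch warning above matters. A positive value such as PM_END_OF_BUFFER (1) passed to ERR_PTR() yields a pointer that IS_ERR() does not recognise, so a caller would treat address 0x1 as a valid object. The helpers alloc_unchecked(), alloc_normalized() and caller_sees_error() are hypothetical, and mapping the positive value to -EINVAL is an assumed choice for illustration only.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace copies of the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	/* Only the top MAX_ERRNO addresses (-4095..-1) encode an error. */
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

#define PM_END_OF_BUFFER 1	/* value named in the report */

/* Hypothetical allocator whose error path ends in ERR_PTR(ret). */
static void *alloc_unchecked(int ret)
{
	return ERR_PTR(ret);
}

/* Hypothetical hardening: a positive status never reaches ERR_PTR(). */
static void *alloc_normalized(int ret)
{
	if (ret > 0)
		ret = -EINVAL;	/* assumed errno, for illustration */
	return ERR_PTR(ret);
}

/* What a caller following the usual IS_ERR() convention concludes. */
static bool caller_sees_error(const void *p)
{
	return IS_ERR(p);
}

int main(void)
{
	void *a = alloc_unchecked(-ENOMEM);
	void *b = alloc_unchecked(PM_END_OF_BUFFER);
	void *c = alloc_normalized(PM_END_OF_BUFFER);

	printf("ERR_PTR(-ENOMEM): %p error=%d\n", a, caller_sees_error(a));
	printf("ERR_PTR(1):       %p error=%d\n", b, caller_sees_error(b));
	printf("normalized:       %p error=%d\n", c, caller_sees_error(c));
	return 0;
}
```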

