* [bug report] dma-buf: heaps: Rework heap allocation hooks to return struct dma_buf instead of fd
@ 2026-05-02 9:40 Dan Carpenter
[not found] ` <agsrBPXYXA2vZgj1@willie-the-truck>
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2026-05-02 9:40 UTC (permalink / raw)
To: Catalin Marinas, Will Deacon, linux-mm, Sumit Semwal, dri-devel
Cc: linaro-mm-sig
I'm not sure exactly who to report this bug too. Probably the mm
devs?
drivers/dma-buf/heaps/system_heap.c:499 system_heap_allocate()
warn: passing positive error code 's32min-(-1),1' to 'ERR_PTR'
drivers/dma-buf/heaps/system_heap.c
459 if (cc_shared) {
460 for_each_sgtable_sg(table, sg, i) {
461 ret = system_heap_set_page_decrypted(sg_page(sg));
462 if (ret)
463 goto free_pages;
It kind of looks like system_heap_set_page_decrypted() can return 1.
464 }
465 }
466
467 /* create the dmabuf */
468 exp_info.exp_name = dma_heap_get_name(heap);
469 exp_info.ops = &system_heap_buf_ops;
470 exp_info.size = buffer->len;
471 exp_info.flags = fd_flags;
472 exp_info.priv = buffer;
473 dmabuf = dma_buf_export(&exp_info);
474 if (IS_ERR(dmabuf)) {
475 ret = PTR_ERR(dmabuf);
476 goto free_pages;
477 }
478 return dmabuf;
479
480 free_pages:
481 for_each_sgtable_sg(table, sg, i) {
482 struct page *p = sg_page(sg);
483
484 /*
485 * Intentionally leak pages that cannot be re-encrypted
486 * to prevent shared memory from being reused.
487 */
488 if (buffer->cc_shared &&
489 system_heap_set_page_encrypted(p))
490 continue;
491 __free_pages(p, compound_order(p));
492 }
493 sg_free_table(table);
494 free_buffer:
495 list_for_each_entry_safe(page, tmp_page, &pages, lru)
496 __free_pages(page, compound_order(page));
497 kfree(buffer);
498
--> 499 return ERR_PTR(ret);
500 }
The problem is that add_to_pagemap() returns PM_END_OF_BUFFER (1)
which is used by pagemap_read() and nowhere else. The call tree
is:
system_heap_allocate()
system_heap_set_page_decrypted()
set_memory_decrypted()
realm_set_memory_decrypted()
__set_memory_enc_dec()
__change_memory_common()
update_range_prot()
walk_kernel_page_table_range_lockless()
walk_pgd_range()
pagemap_pte_hole()
add_to_pagemap()
This code seems sort of old and I guess no one has reported the bug
so maybe it's a false positive, but it feels like it's asking for
problems to return the PM_END_OF_BUFFER. There aren't any comments
on any of those functions above explaining what return values are
expected.
This email is a free service from the Smatch-CI project [smatch.sf.net].
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread[parent not found: <agsrBPXYXA2vZgj1@willie-the-truck>]
* Re: [bug report] dma-buf: heaps: Rework heap allocation hooks to return struct dma_buf instead of fd [not found] ` <agsrBPXYXA2vZgj1@willie-the-truck> @ 2026-05-18 18:10 ` John Stultz 2026-05-18 19:21 ` T.J. Mercier 1 sibling, 0 replies; 3+ messages in thread From: John Stultz @ 2026-05-18 18:10 UTC (permalink / raw) To: Will Deacon, Jiri Pirko Cc: Dan Carpenter, tjmercier, Catalin Marinas, linux-mm, Sumit Semwal, dri-devel, linaro-mm-sig On Mon, May 18, 2026 at 8:06 AM Will Deacon <will@kernel.org> wrote: > > On Sat, May 02, 2026 at 12:40:10PM +0300, Dan Carpenter wrote: > > I'm not sure exactly who to report this bug too. Probably the mm > > devs? > > [Adding John and TJ, in case they are interested / able to help] > > Will > > (original report follows) > > > drivers/dma-buf/heaps/system_heap.c:499 system_heap_allocate() > > warn: passing positive error code 's32min-(-1),1' to 'ERR_PTR' > > > > drivers/dma-buf/heaps/system_heap.c > > 459 if (cc_shared) { > > 460 for_each_sgtable_sg(table, sg, i) { > > 461 ret = system_heap_set_page_decrypted(sg_page(sg)); > > 462 if (ret) > > 463 goto free_pages; > > > > It kind of looks like system_heap_set_page_decrypted() can return 1. > > > > 464 } > > 465 } > > 466 > > 467 /* create the dmabuf */ > > 468 exp_info.exp_name = dma_heap_get_name(heap); > > 469 exp_info.ops = &system_heap_buf_ops; > > 470 exp_info.size = buffer->len; > > 471 exp_info.flags = fd_flags; > > 472 exp_info.priv = buffer; > > 473 dmabuf = dma_buf_export(&exp_info); > > 474 if (IS_ERR(dmabuf)) { > > 475 ret = PTR_ERR(dmabuf); > > 476 goto free_pages; > > 477 } > > 478 return dmabuf; > > 479 > > 480 free_pages: > > 481 for_each_sgtable_sg(table, sg, i) { > > 482 struct page *p = sg_page(sg); > > 483 > > 484 /* > > 485 * Intentionally leak pages that cannot be re-encrypted > > 486 * to prevent shared memory from being reused. > > 487 */ > > 488 if (buffer->cc_shared && > > 489 system_heap_set_page_encrypted(p)) > > 490 continue; > > 491 __free_pages(p, compound_order(p)); > > 492 } > > 493 sg_free_table(table); > > 494 free_buffer: > > 495 list_for_each_entry_safe(page, tmp_page, &pages, lru) > > 496 __free_pages(page, compound_order(page)); > > 497 kfree(buffer); > > 498 > > --> 499 return ERR_PTR(ret); > > 500 } > > > > The problem is that add_to_pagemap() returns PM_END_OF_BUFFER (1) > > which is used by pagemap_read() and nowhere else. The call tree > > is: > > > > system_heap_allocate() > > system_heap_set_page_decrypted() > > set_memory_decrypted() > > realm_set_memory_decrypted() > > __set_memory_enc_dec() > > __change_memory_common() > > update_range_prot() > > walk_kernel_page_table_range_lockless() > > walk_pgd_range() > > pagemap_pte_hole() > > add_to_pagemap() > > > > This code seems sort of old and I guess no one has reported the bug > > so maybe it's a false positive, but it feels like it's asking for > > problems to return the PM_END_OF_BUFFER. There aren't any comments > > on any of those functions above explaining what return values are > > expected. So, do we just need the system_heap_set_page_decrypted() to have a if (ret > 0) special case on the return check from set_memory_decrypted()? Or should this get fixed at a deeper level? thanks -john ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [bug report] dma-buf: heaps: Rework heap allocation hooks to return struct dma_buf instead of fd [not found] ` <agsrBPXYXA2vZgj1@willie-the-truck> 2026-05-18 18:10 ` John Stultz @ 2026-05-18 19:21 ` T.J. Mercier 1 sibling, 0 replies; 3+ messages in thread From: T.J. Mercier @ 2026-05-18 19:21 UTC (permalink / raw) To: Will Deacon Cc: Dan Carpenter, jstultz, Catalin Marinas, linux-mm, Sumit Semwal, dri-devel, linaro-mm-sig On Mon, May 18, 2026 at 8:06 AM Will Deacon <will@kernel.org> wrote: > > On Sat, May 02, 2026 at 12:40:10PM +0300, Dan Carpenter wrote: > > I'm not sure exactly who to report this bug too. Probably the mm > > devs? > > [Adding John and TJ, in case they are interested / able to help] > > Will > > (original report follows) > > > drivers/dma-buf/heaps/system_heap.c:499 system_heap_allocate() > > warn: passing positive error code 's32min-(-1),1' to 'ERR_PTR' > > > > drivers/dma-buf/heaps/system_heap.c > > 459 if (cc_shared) { > > 460 for_each_sgtable_sg(table, sg, i) { > > 461 ret = system_heap_set_page_decrypted(sg_page(sg)); > > 462 if (ret) > > 463 goto free_pages; > > > > It kind of looks like system_heap_set_page_decrypted() can return 1. > > > > 464 } > > 465 } > > 466 > > 467 /* create the dmabuf */ > > 468 exp_info.exp_name = dma_heap_get_name(heap); > > 469 exp_info.ops = &system_heap_buf_ops; > > 470 exp_info.size = buffer->len; > > 471 exp_info.flags = fd_flags; > > 472 exp_info.priv = buffer; > > 473 dmabuf = dma_buf_export(&exp_info); > > 474 if (IS_ERR(dmabuf)) { > > 475 ret = PTR_ERR(dmabuf); > > 476 goto free_pages; > > 477 } > > 478 return dmabuf; > > 479 > > 480 free_pages: > > 481 for_each_sgtable_sg(table, sg, i) { > > 482 struct page *p = sg_page(sg); > > 483 > > 484 /* > > 485 * Intentionally leak pages that cannot be re-encrypted > > 486 * to prevent shared memory from being reused. > > 487 */ > > 488 if (buffer->cc_shared && > > 489 system_heap_set_page_encrypted(p)) > > 490 continue; > > 491 __free_pages(p, compound_order(p)); > > 492 } > > 493 sg_free_table(table); > > 494 free_buffer: > > 495 list_for_each_entry_safe(page, tmp_page, &pages, lru) > > 496 __free_pages(page, compound_order(page)); > > 497 kfree(buffer); > > 498 > > --> 499 return ERR_PTR(ret); > > 500 } > > > > The problem is that add_to_pagemap() returns PM_END_OF_BUFFER (1) > > which is used by pagemap_read() and nowhere else. The call tree > > is: > > > > system_heap_allocate() > > system_heap_set_page_decrypted() > > set_memory_decrypted() > > realm_set_memory_decrypted() > > __set_memory_enc_dec() > > __change_memory_common() > > update_range_prot() > > walk_kernel_page_table_range_lockless() > > walk_pgd_range() > > pagemap_pte_hole() This doesn't look right to me. update_range_prot is in arm64 arch code. It uses the arm64 pageattr_ops which does not provide a pte_hole op. So walk_pgd_range should never call ops->pt_hole. > > add_to_pagemap() > > > > This code seems sort of old and I guess no one has reported the bug > > so maybe it's a false positive, but it feels like it's asking for > > problems to return the PM_END_OF_BUFFER. There aren't any comments > > on any of those functions above explaining what return values are > > expected. > > > > This email is a free service from the Smatch-CI project [smatch.sf.net]. > > > > regards, > > dan carpenter ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-18 19:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-02 9:40 [bug report] dma-buf: heaps: Rework heap allocation hooks to return struct dma_buf instead of fd Dan Carpenter
[not found] ` <agsrBPXYXA2vZgj1@willie-the-truck>
2026-05-18 18:10 ` John Stultz
2026-05-18 19:21 ` T.J. Mercier
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox