Date: Tue, 5 May 2026 10:33:45 +0200
From: Boris Brezillon
To: Marcin Ślusarz
Cc: Adrián Larumbe, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Steven Price, kernel@collabora.com, Liviu Dudau, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter, Daniel Almeida, Alice Ryhl, nd@arm.com
Subject: Re: [PATCH v10 5/6] drm/panthor: Support sparse mappings
Message-ID: <20260505103345.5bc1984a@fedora>
References: <20260429183253.66422-1-adrian.larumbe@collabora.com> <20260429183253.66422-6-adrian.larumbe@collabora.com>

On Tue, 5 May 2026 10:14:50 +0200
Marcin Ślusarz wrote:

> On Wed, Apr 29, 2026 at 07:32:17PM +0100, Adrián Larumbe wrote:
> > @@ -1651,6 +1715,13 @@ int panthor_vm_pool_create(struct panthor_file *= pfile) > > return -ENOMEM; > > =20 > > xa_init_flags(&pfile->vms->xa, XA_FLAGS_ALLOC1); > > + > > + pfile->vms->dummy =3D panthor_dummy_bo_create(pfile->ptdev); > > + if (IS_ERR(pfile->vms->dummy)) { > > + kfree(pfile->vms); > > + return PTR_ERR(pfile->vms->dummy); =20
>
> This is use-after-free.

Indeed. Let's add a proper error path where panthor_vm_pool_destroy() is
called to make sure we don't leak resources when an error occurs
anywhere in the creation path, and let's make panthor_vm_pool_destroy()
safe against dummy=NULL.

void panthor_vm_pool_destroy(struct panthor_file *pfile)
{
	...
	if (pfile->vms->dummy)
		drm_gem_object_put(&pfile->vms->dummy->base);
	...
}

int panthor_vm_pool_create(struct panthor_file *pfile)
{
	struct panthor_gem_object *dummy;

	...

	dummy = panthor_dummy_bo_create(pfile->ptdev);
	if (IS_ERR(dummy)) {
		ret = PTR_ERR(dummy);
		goto err_destroy_vm_pool;
	}

	pfile->vms->dummy = dummy;

	...

	return 0;

err_destroy_vm_pool:
	panthor_vm_pool_destroy(pfile);
	return ret;
}

>
> > + } > > + > > return 0; > > } =20
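
Review bot: In the added IS_ERR() branch, `return PTR_ERR(pfile->vms->dummy);` dereferences pfile->vms one line after `kfree(pfile->vms);`, so the error code is loaded from freed memory, and pfile->vms itself is left pointing at the freed pool. Keep the result of panthor_dummy_bo_create() in a local variable, take PTR_ERR() from that local before any cleanup runs, and assign pfile->vms->dummy only on success. The failure branch should also clear pfile->vms, or go through a shared teardown that does, so no stale pointer survives the error return.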
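
The unwind pattern proposed in the reply above, as an added userspace model that is not code from the thread or from the panthor driver: it fails each allocation in turn and counts what is still allocated or still referenced afterwards. All names (model_alloc, model_free, struct file_ctx, pool_create, pool_destroy, leaked_after_fault) and the allocator stand-ins are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
/* Userspace model, not panthor code: every name and body is an assumption. */
static int live_allocs, fail_in;	/* fail_in = N: the Nth allocation fails */
struct vm_pool { void *dummy; };
struct file_ctx { struct vm_pool *vms; };
static void *model_alloc(size_t sz)
{
	void *p = (fail_in && !--fail_in) ? NULL : calloc(1, sz);
	live_allocs += (p != NULL);
	return p;
}
static void model_free(void *p) { if (p) { live_allocs--; free(p); } }
/* Tolerates a partially built pool, so every creation step can unwind here. */
static void pool_destroy(struct file_ctx *f)
{
	if (f->vms && f->vms->dummy)
		model_free(f->vms->dummy);
	model_free(f->vms);	/* NULL-tolerant, like kfree() */
	f->vms = NULL;		/* no dangling pointer left in the owner */
}

static int pool_create(struct file_ctx *f)
{
	void *dummy;
	int ret = -ENOMEM;
	f->vms = model_alloc(sizeof(*f->vms));
	if (!f->vms)
		return ret;
	dummy = model_alloc(64);	/* stand-in for the dummy BO */
	if (!dummy)
		goto err_destroy_pool;	/* ret is a local: nothing freed is read */
	f->vms->dummy = dummy;
	return 0;
err_destroy_pool:
	pool_destroy(f);
	return ret;
}

/* Run creation with allocation `step` failing (0 = none); count leftovers. */
int leaked_after_fault(int step, int *ret)
{
	struct file_ctx f = { 0 };
	live_allocs = 0;
	fail_in = step;
	*ret = pool_create(&f);
	if (*ret == 0)
		pool_destroy(&f);
	return live_allocs + (f.vms != NULL);
}
```

Building the model with -fsanitize=address adds a direct use-after-free check on top of the leak count.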