On 6/10/2023 7:42 AM, Sukrut Bellary wrote:
smatch warning: drivers/accel/qaic/qaic_data.c:620 qaic_free_object() error: dereferencing freed memory 'obj->import_attach'
obj->import_attach is detached and freed using dma_buf_detach(). But used after free to decrease the dmabuf ref count using dma_buf_put().
Fixes: ff13be830333 ("accel/qaic: Add datapath") Signed-off-by: Sukrut Bellary sukrut.bellary@linux.com
drivers/accel/qaic/qaic_data.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c index e42c1f9ffff8..7cba4d680ea8 100644 --- a/drivers/accel/qaic/qaic_data.c +++ b/drivers/accel/qaic/qaic_data.c @@ -613,11 +613,13 @@ static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struc static void qaic_free_object(struct drm_gem_object *obj) { struct qaic_bo *bo = to_qaic_bo(obj);
- struct dma_buf *dmabuf;
if (obj->import_attach) { /* DMABUF/PRIME Path */
dma_buf_detach(obj->import_attach->dmabuf, obj->import_attach);dmabuf = obj->import_attach->dmabuf;
dma_buf_put(obj->import_attach->dmabuf);
} else { /* Private buffer allocation path */ qaic_free_sgt(bo->sgt);dma_buf_put(dmabuf);
Reviewed-by: Pranjal Ramajor Asha Kanojiya quic_pkanojiy@quicinc.com