From: Sukrut Bellary
To: Jeffrey Hugo, Oded Gabbay, Sumit Semwal, Christian König
Cc: Sukrut Bellary, linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] accel/qaic: Fix dereferencing freed memory
Date: Fri, 9 Jun 2023 19:12:00 -0700
Message-Id: <20230610021200.377452-1-sukrut.bellary@linux.com>

smatch warning:
drivers/accel/qaic/qaic_data.c:620 qaic_free_object() error: dereferencing freed memory 'obj->import_attach'

obj->import_attach is detached and freed using dma_buf_detach().
But used after free to decrease the dmabuf ref count using dma_buf_put().

Fixes: ff13be830333 ("accel/qaic: Add datapath")
Signed-off-by: Sukrut Bellary
--- drivers/accel/qaic/qaic_data.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c index e42c1f9ffff8..7cba4d680ea8 100644
--- a/drivers/accel/qaic/qaic_data.c +++ b/drivers/accel/qaic/qaic_data.c @@ -613,11 +613,13 @@ static int qaic_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struc static void qaic_free_object(struct drm_gem_object *obj) { struct qaic_bo *bo = to_qaic_bo(obj); + struct dma_buf *dmabuf; if (obj->import_attach) { /* DMABUF/PRIME Path */ + dmabuf = obj->import_attach->dmabuf; dma_buf_detach(obj->import_attach->dmabuf, obj->import_attach); - dma_buf_put(obj->import_attach->dmabuf); + dma_buf_put(dmabuf); } else { /* Private buffer allocation path */ qaic_free_sgt(bo->sgt); -- 2.34.1
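Review bot: In the DMABUF/PRIME branch of qaic_free_object(), dma_buf_detach() is still called with obj->import_attach->dmabuf even though that pointer was saved into the new local on the line above. Passing the local, as in dma_buf_detach(dmabuf, obj->import_attach), would make both calls use the same saved value and make it obvious that nothing reads obj->import_attach once the detach has run. The dmabuf variable is only used inside the if branch, so it could be declared there instead of at function scope. The ordering itself is fine as posted: the only remaining read of obj->import_attach->dmabuf happens before the detach, and dma_buf_put() now takes the saved pointer.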