Hi Huan,

kernel test robot noticed the following build warnings:

url: https://github.com/intel-lab-lkp/linux/commits/Huan-Yang/udmabuf-direct-map-... base: 6a7917c89f219f09b1d88d09f376000914a52763 patch link: https://lore.kernel.org/r/20240822084342.1574914-5-link%40vivo.com patch subject: [PATCH v4 4/5] udmabuf: udmabuf_create codestyle cleanup config: x86_64-randconfig-161-20240829 (https://download.01.org/0day-ci/archive/20240829/202408291101.WAf552sW-lkp@i...) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot lkp@intel.com | Reported-by: Dan Carpenter dan.carpenter@linaro.org | Closes: https://lore.kernel.org/r/202408291101.WAf552sW-lkp@intel.com/

smatch warnings: drivers/dma-buf/udmabuf.c:467 udmabuf_create() error: double free of 'folios'

vim +/folios +467 drivers/dma-buf/udmabuf.c

c1bbed66899726 Gurchetan Singh 2019-12-02 396 static long udmabuf_create(struct miscdevice *device, c1bbed66899726 Gurchetan Singh 2019-12-02 397 struct udmabuf_create_list *head, c1bbed66899726 Gurchetan Singh 2019-12-02 398 struct udmabuf_create_item *list) fbb0de79507819 Gerd Hoffmann 2018-08-27 399 { fb2c508270085b Huan Yang 2024-08-22 400 pgoff_t pgcnt = 0, pglimit, max_ipgcnt = 0; fb2c508270085b Huan Yang 2024-08-22 401 long ret = -EINVAL; fbb0de79507819 Gerd Hoffmann 2018-08-27 402 struct udmabuf *ubuf; fb2c508270085b Huan Yang 2024-08-22 403 struct folio **folios = NULL; fb2c508270085b Huan Yang 2024-08-22 404 u32 i, flags; fbb0de79507819 Gerd Hoffmann 2018-08-27 405 33f35429fc49c0 Gerd Hoffmann 2018-09-11 406 ubuf = kzalloc(sizeof(*ubuf), GFP_KERNEL); fbb0de79507819 Gerd Hoffmann 2018-08-27 407 if (!ubuf) fbb0de79507819 Gerd Hoffmann 2018-08-27 408 return -ENOMEM; fbb0de79507819 Gerd Hoffmann 2018-08-27 409 c6a3194c05e7e6 Vivek Kasireddy 2024-06-23 410 INIT_LIST_HEAD(&ubuf->unpin_list); dc4716d75154b3 Gerd Hoffmann 2018-09-11 411 pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT; fbb0de79507819 Gerd Hoffmann 2018-08-27 412 for (i = 0; i < head->count; i++) { fb2c508270085b Huan Yang 2024-08-22 413 pgoff_t itempgcnt; fb2c508270085b Huan Yang 2024-08-22 414 fb2c508270085b Huan Yang 2024-08-22 415 if (!PAGE_ALIGNED(list[i].offset)) 0d17455ca85ecb Gerd Hoffmann 2018-09-11 416 goto err; fb2c508270085b Huan Yang 2024-08-22 417 if (!PAGE_ALIGNED(list[i].size)) 0d17455ca85ecb Gerd Hoffmann 2018-09-11 418 goto err; fb2c508270085b Huan Yang 2024-08-22 419 fb2c508270085b Huan Yang 2024-08-22 420 itempgcnt = list[i].size >> PAGE_SHIFT; fb2c508270085b Huan Yang 2024-08-22 421 pgcnt += itempgcnt; fb2c508270085b Huan Yang 2024-08-22 422 fb2c508270085b Huan Yang 2024-08-22 423 if (pgcnt > pglimit) 0d17455ca85ecb Gerd Hoffmann 2018-09-11 424 goto err; fb2c508270085b Huan Yang 2024-08-22 425 fb2c508270085b Huan Yang 2024-08-22 426 max_ipgcnt = max_t(unsigned long, itempgcnt, max_ipgcnt); fbb0de79507819 Gerd Hoffmann 2018-08-27 427 } 2b6dd600dd7257 Pavel Skripkin 2021-12-30 428 fb2c508270085b Huan Yang 2024-08-22 429 if (!pgcnt) 2b6dd600dd7257 Pavel Skripkin 2021-12-30 430 goto err; 2b6dd600dd7257 Pavel Skripkin 2021-12-30 431 fb2c508270085b Huan Yang 2024-08-22 432 ubuf->folios = kvmalloc_array(pgcnt, sizeof(*ubuf->folios), fbb0de79507819 Gerd Hoffmann 2018-08-27 433 GFP_KERNEL); 5e72b2b41a21e5 Vivek Kasireddy 2024-06-23 434 if (!ubuf->folios) { fbb0de79507819 Gerd Hoffmann 2018-08-27 435 ret = -ENOMEM; 0d17455ca85ecb Gerd Hoffmann 2018-09-11 436 goto err; fbb0de79507819 Gerd Hoffmann 2018-08-27 437 } fb2c508270085b Huan Yang 2024-08-22 438 fb2c508270085b Huan Yang 2024-08-22 439 ubuf->offsets = kvcalloc(pgcnt, sizeof(*ubuf->offsets), GFP_KERNEL); 0c8b91ef5100ea Vivek Kasireddy 2024-06-23 440 if (!ubuf->offsets) { 0c8b91ef5100ea Vivek Kasireddy 2024-06-23 441 ret = -ENOMEM; 0c8b91ef5100ea Vivek Kasireddy 2024-06-23 442 goto err; 0c8b91ef5100ea Vivek Kasireddy 2024-06-23 443 } fbb0de79507819 Gerd Hoffmann 2018-08-27 444 fb2c508270085b Huan Yang 2024-08-22 445 folios = kvmalloc_array(max_ipgcnt, sizeof(*folios), GFP_KERNEL); c6a3194c05e7e6 Vivek Kasireddy 2024-06-23 446 if (!folios) { c6a3194c05e7e6 Vivek Kasireddy 2024-06-23 447 ret = -ENOMEM; c6a3194c05e7e6 Vivek Kasireddy 2024-06-23 448 goto err; c6a3194c05e7e6 Vivek Kasireddy 2024-06-23 449 } c6a3194c05e7e6 Vivek Kasireddy 2024-06-23 450 fb2c508270085b Huan Yang 2024-08-22 451 for (i = 0; i < head->count; i++) { fb2c508270085b Huan Yang 2024-08-22 452 ret = __udmabuf_pin_list_folios(&list[i], ubuf, folios);

There is a kfree(folios) hidden inside this function. It doesn't belong there.

fb2c508270085b Huan Yang 2024-08-22 453 if (ret) 0d17455ca85ecb Gerd Hoffmann 2018-09-11 454 goto err; c6a3194c05e7e6 Vivek Kasireddy 2024-06-23 455 } 452dc1b0221804 Huan Yang 2024-08-22 456 kvfree(folios); ^^^^^^^^^^^^^^ A second free

fbb0de79507819 Gerd Hoffmann 2018-08-27 457 5e72b2b41a21e5 Vivek Kasireddy 2024-06-23 458 flags = head->flags & UDMABUF_FLAGS_CLOEXEC ? O_CLOEXEC : 0; 5e72b2b41a21e5 Vivek Kasireddy 2024-06-23 459 ret = export_udmabuf(ubuf, device, flags); 5e72b2b41a21e5 Vivek Kasireddy 2024-06-23 460 if (ret < 0) 0d17455ca85ecb Gerd Hoffmann 2018-09-11 461 goto err; ^^^^^^^^

fbb0de79507819 Gerd Hoffmann 2018-08-27 462 5e72b2b41a21e5 Vivek Kasireddy 2024-06-23 463 return ret; fbb0de79507819 Gerd Hoffmann 2018-08-27 464 0d17455ca85ecb Gerd Hoffmann 2018-09-11 465 err: c6a3194c05e7e6 Vivek Kasireddy 2024-06-23 466 unpin_all_folios(&ubuf->unpin_list); fb2c508270085b Huan Yang 2024-08-22 @467 kvfree(folios); ^^^^^^^^^^^^^ Double free

452dc1b0221804 Huan Yang 2024-08-22 468 kvfree(ubuf->offsets); 452dc1b0221804 Huan Yang 2024-08-22 469 kvfree(ubuf->folios); fbb0de79507819 Gerd Hoffmann 2018-08-27 470 kfree(ubuf); fbb0de79507819 Gerd Hoffmann 2018-08-27 471 return ret; fbb0de79507819 Gerd Hoffmann 2018-08-27 472 }