From: Keita Suzuki
Cc: keitasuzuki.park@sslab.ics.keio.ac.jp, Evan Quan, Alex Deucher, Christian König, "Pan, Xinhui", David Airlie, Daniel Vetter, Lijo Lazar, "Gustavo A. R. Silva", Hawking Zhang, Maíra Canal, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH] drm/amd/pm: fix double free in si_parse_power_table()
Date: Tue, 19 Apr 2022 10:37:19 +0000
Message-Id: <20220419103721.4080045-1-keitasuzuki.park@sslab.ics.keio.ac.jp>

In function si_parse_power_table(), the array adev->pm.dpm.ps and its members are allocated. If the allocation of a member fails, the array itself is freed and an error code is returned. However, the array is later freed again in the si_dpm_fini() function, which is called when the function returns an error. This leads to a potential double free of the array adev->pm.dpm.ps, as well as a leak of its array members, since the members are not freed in the allocation function and the array is not nulled when freed.

In addition, adev->pm.dpm.num_ps, which keeps track of the allocated array members, is not updated until the member allocation is successfully finished; this could also lead to either a use after free or an uninitialized variable access in si_dpm_fini().

Fix this by postponing the free of the array until si_dpm_fini() and incrementing adev->pm.dpm.num_ps every time an array member is allocated.
Signed-off-by: Keita Suzuki --- drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c index caae54487f9c..079888229485 100644 --- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c @@ -7331,17 +7331,15 @@ static int si_parse_power_table(struct amdgpu_device *adev) if (!adev->pm.dpm.ps) return -ENOMEM; power_state_offset = (u8 *)state_array->states; - for (i = 0; i < state_array->ucNumEntries; i++) { + for (adev->pm.dpm.num_ps = 0, i = 0; i < state_array->ucNumEntries; i++) { u8 *idx; power_state = (union pplib_power_state *)power_state_offset; non_clock_array_index = power_state->v2.nonClockInfoIndex; non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) &non_clock_info_array->nonClockInfo[non_clock_array_index]; ps = kzalloc(sizeof(struct si_ps), GFP_KERNEL); - if (ps == NULL) { - kfree(adev->pm.dpm.ps); + if (ps == NULL) return -ENOMEM; - } adev->pm.dpm.ps[i].ps_priv = ps; si_parse_pplib_non_clock_info(adev, &adev->pm.dpm.ps[i], non_clock_info, @@ -7363,8 +7361,8 @@ static int si_parse_power_table(struct amdgpu_device *adev) k++; } power_state_offset += 2 + power_state->v2.ucNumDPMLevels; + adev->pm.dpm.num_ps++; } - adev->pm.dpm.num_ps = state_array->ucNumEntries; /* fill in the vce power states */ for (i = 0; i < adev->pm.dpm.num_of_vce_states; i++) { -- 2.25.1
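Review bot: in the first hunk, adev->pm.dpm.num_ps is only zeroed inside the new `for (adev->pm.dpm.num_ps = 0, i = 0; ...)` initializer, which runs after the `if (!adev->pm.dpm.ps) return -ENOMEM;` check at the top of the hunk, so a stale non-zero count from an earlier call would survive the array-allocation failure path and be handed to si_dpm_fini() together with a NULL array; resetting num_ps in a plain statement before the array allocation closes that window and reads better than a comma expression in the loop header. The new `if (ps == NULL) return -ENOMEM;` deliberately leaves adev->pm.dpm.ps allocated, so the commit message's premise that every error return reaches si_dpm_fini() is now a correctness requirement and deserves a one-line comment at that return.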
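Review bot: in the second hunk, `adev->pm.dpm.num_ps++` sits at the very end of the loop body, after si_parse_pplib_non_clock_info() and the inner DPM-level loop (`k++`), so entry i is not counted while those run; any error return added later between `adev->pm.dpm.ps[i].ps_priv = ps;` and the increment would leak that ps_priv, because si_dpm_fini() frees only the first num_ps entries. Incrementing right after `adev->pm.dpm.ps[i].ps_priv = ps;` keeps the count in step with ownership. On the success path the final value equals state_array->ucNumEntries, so dropping `adev->pm.dpm.num_ps = state_array->ucNumEntries;` does not change behaviour; the commit message could say so explicitly.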
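A user-space C model of the ownership rule the patch establishes, added here as an illustration and not part of the patch or the amdgpu driver: parse_power_table(), dpm_fini(), run_case() and the struct layouts are simplified stand-ins, and alloc_ps() injects a member-allocation failure at a chosen index so that fini() can be shown freeing exactly the counted members, once, with no leak.

```c
/* Added model of the patch's ownership rule: the parser allocates ps[] and
 * one ps_priv per entry, bumps num_ps as soon as an entry owns its ps_priv,
 * and never frees the array itself; fini() frees exactly num_ps members plus
 * the array, once. Names and layouts are simplified stand-ins, not kernel code. */
#include <stdlib.h>
#include <string.h>

struct si_ps { int dummy; };                 /* stand-in for the real si_ps */
struct amdgpu_ps { struct si_ps *ps_priv; };
struct dpm_state { struct amdgpu_ps *ps; int num_ps; };
/* Fault injection: member allocation number fail_at returns NULL (-1 = never). */
static int fail_at = -1;
static struct si_ps *alloc_ps(int i) {
	return i == fail_at ? NULL : calloc(1, sizeof(struct si_ps));
}
/* Fixed parser: on error leave the array to fini(); count members as owned. */
static int parse_power_table(struct dpm_state *d, int entries) {
	d->num_ps = 0;                       /* reset before the array allocation */
	d->ps = calloc((size_t)entries, sizeof(*d->ps));
	if (!d->ps)
		return -1;                       /* -ENOMEM in the driver */
	for (int i = 0; i < entries; i++) {
		struct si_ps *ps = alloc_ps(i);
		if (!ps)
			return -1;                   /* array stays allocated; num_ps == i */
		d->ps[i].ps_priv = ps;
		d->num_ps++;                     /* count right after ownership transfer */
	}
	return 0;
}
/* Single owner of teardown, like si_dpm_fini(): free num_ps members + array. */
static void dpm_fini(struct dpm_state *d) {
	for (int i = 0; i < d->num_ps; i++)
		free(d->ps[i].ps_priv);
	free(d->ps);
	d->ps = NULL; d->num_ps = 0;
}
/* Result of the last parse (0 ok, -1 allocation failure), for inspection. */
int last_parse_ret = 0;
/* Parse `entries` members with member `fail` failing (-1 = none), then tear
 * down; returns num_ps as fini() saw it. Double free or leak would show here. */
int run_case(int entries, int fail) {
	struct dpm_state d;
	memset(&d, 0, sizeof d);
	fail_at = fail;
	last_parse_ret = parse_power_table(&d, entries);
	int counted = d.num_ps;
	dpm_fini(&d);                          /* frees exactly `counted` members once */
	return counted;
}
```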