From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Keita Suzuki, Alex Deucher, Sasha Levin, christian.koenig@amd.com, Xinhui.Pan@amd.com, airlied@linux.ie, daniel@ffwll.ch, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.4 13/55] drm/amd/pm: fix double free in si_parse_power_table()
Date: Mon, 30 May 2022 09:46:19 -0400
Message-Id: <20220530134701.1935933-13-sashal@kernel.org>
In-Reply-To: <20220530134701.1935933-1-sashal@kernel.org>
References: <20220530134701.1935933-1-sashal@kernel.org>

From: Keita Suzuki

[ Upstream commit f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd ]

In function si_parse_power_table(), array adev->pm.dpm.ps and its members are allocated. If the allocation of each member fails, the array itself is freed and returned with an error code. However, the array is later freed again in si_dpm_fini() function which is called when the function returns an error.

This leads to potential double free of the array adev->pm.dpm.ps, as well as leak of its array members, since the members are not freed in the allocation function and the array is not nulled when freed. In addition, adev->pm.dpm.num_ps, which keeps track of the allocated array member, is not updated until the member allocation is successfully finished; this could also lead to either use after free, or uninitialized variable access in si_dpm_fini().

Fix this by postponing the free of the array until si_dpm_fini() and increment adev->pm.dpm.num_ps every time the array member is allocated.

Signed-off-by: Keita Suzuki
Signed-off-by: Alex Deucher
Signed-off-by: Sasha Levin
--- drivers/gpu/drm/amd/amdgpu/si_dpm.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c index 4cb4c891120b..9931d5c17cfb 100644 --- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c +++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c 
@@ -7250,17 +7250,15 @@ static int si_parse_power_table(struct amdgpu_device *adev) if (!adev->pm.dpm.ps) return -ENOMEM; power_state_offset = (u8 *)state_array->states; - for (i = 0; i < state_array->ucNumEntries; i++) { + for (adev->pm.dpm.num_ps = 0, i = 0; i < state_array->ucNumEntries; i++) { u8 *idx; power_state = (union pplib_power_state *)power_state_offset; non_clock_array_index = power_state->v2.nonClockInfoIndex; non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) &non_clock_info_array->nonClockInfo[non_clock_array_index]; ps = kzalloc(sizeof(struct si_ps), GFP_KERNEL); - if (ps == NULL) { - kfree(adev->pm.dpm.ps); + if (ps == NULL) return -ENOMEM; - } adev->pm.dpm.ps[i].ps_priv = ps; si_parse_pplib_non_clock_info(adev, &adev->pm.dpm.ps[i], non_clock_info, @@ -7282,8 +7280,8 @@ static int si_parse_power_table(struct amdgpu_device *adev) k++; } power_state_offset += 2 + power_state->v2.ucNumDPMLevels; + adev->pm.dpm.num_ps++; } - adev->pm.dpm.num_ps = state_array->ucNumEntries; /* fill in the vce power states */ for (i = 0; i < adev->pm.dpm.num_of_vce_states; i++) { -- 2.35.1
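
Review bot: In the first hunk (@@ -7250) the reset `adev->pm.dpm.num_ps = 0` sits in the for-loop initializer, which comes after the `if (!adev->pm.dpm.ps) return -ENOMEM;` early return, so that error path leaves num_ps at whatever value it had on entry. The commit message says si_dpm_fini() runs when this function returns an error and relies on num_ps, so the count should be defined on every exit. Consider making the reset a separate statement placed ahead of that check, which also removes the comma operator from the loop header where it is easy to overlook.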
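
Review bot: In the second hunk (@@ -7282) `adev->pm.dpm.num_ps++` is placed at the very end of the loop body, while `adev->pm.dpm.ps[i].ps_priv = ps;` is assigned near the top of the iteration, so for the rest of that iteration entry i owns an allocation that num_ps does not yet count. The lines shown have no return in between, but an early exit added there later would leak ps, since cleanup is bounded by num_ps. Consider incrementing directly after the ps_priv assignment, or add a comment stating that num_ps counts the entries whose ps_priv is populated.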