Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp593332iog; Mon, 13 Jun 2022 08:47:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJymiSALwbp+hI5IqObojqZiU1rT/iN/kYzFmKcVOm0Lwe4GdKEKvP6jm0XuW2KeIVQ7obvk X-Received: by 2002:a17:90a:ba81:b0:1e8:36f2:5b36 with SMTP id t1-20020a17090aba8100b001e836f25b36mr16351015pjr.5.1655135222289; Mon, 13 Jun 2022 08:47:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655135222; cv=none; d=google.com; s=arc-20160816; b=RGp4GarZHyIzu01n2PQDBV1VkVZBzpWF2o+OzGYs0q+6cggeXYP/f+skAiYbL0y2vP LFOIT4EaaKMQt1EtWWEXboleIzzZ4cltMrdZ4roCmRVJL0ve1Y6E/fMmcF6Vo4j+oIB1 6PuiVpptLJBz0XAhrASl9dd39lTBih4kO9CfL4/PXjep+CLz2Qe3wwTia/XKZ4tRrKfl Bs4UFZq5jNkkj9Df6cGrQYgN7W2VRvfgNO/tcisPckl5hSA3DO2SgXhuC73aga2UlHQ0 4+wOrhUA6ugCrccI6i04HjhlVyIDJPY/5SCkmZXAEvllsuxQwzDPZPaQd06YvZz+45nc RIvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=MoHsC5HX+f0xjuIy7bgXs/CojAl8K58sU1kAimwujzc=; b=AlChThD9gHPHNzfhxQWCYybT/uU72HAbVSBZvoOdJp04xbkZt/EeFH0Ppj5JwmdmSZ RoyKnfUS+CCl0eUUjVMrzTqJgYoQVOycazTn9/71B5KZGwQNOtYmy3p61sYpx+aW2FTo 9T8ljwQU7xF7II+bdC1U83+PIc5l4hnu2wysCt7CF1B0kPfUkQhLvwtDVElzQ5K/Yw82 ROPUqJVHoBhp7fHO8LXBswDNYnpmw50DJc4vLhRN2RkiK0GxZieK6+Z0bzMeslFZzSzO ZaIxnQ4dqXrqWxSyedJ8avfoRj4r1il8DKDcSrtywH9xFMPVJBFQXyppMSrn0yFPkYti 7pKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ilwWyQ+U; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id il15-20020a17090b164f00b001e26f73d372si16706406pjb.58.2022.06.13.08.46.50; Mon, 13 Jun 2022 08:47:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ilwWyQ+U; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348501AbiFMK52 (ORCPT + 99 others); Mon, 13 Jun 2022 06:57:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39568 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349936AbiFMKyh (ORCPT ); Mon, 13 Jun 2022 06:54:37 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E7FC32FFE4; Mon, 13 Jun 2022 03:28:29 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id AD8A6B80E92; Mon, 13 Jun 2022 10:28:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 24CDBC34114; Mon, 13 Jun 2022 10:28:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1655116107; bh=cVaZcLGwbKC5d/IW4BBGSpZFFZmjg+VtkO7FpKZARkI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ilwWyQ+UFmo6UwgdCdFHJPmVhBb4D+DT+LdKtCXFPUEZPnb+S3tUTogxbZ0J76ijG K6QNHqlGlYyg5ec5YBFD3m2D0PNEWEoZ/olzvwZCktWEnSwCrTf/pKEed2EmQen2M+ /qoesy8qRpINSeXSz/ArPOG/NSROdGKBzo0rm6BY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Keita Suzuki , Alex Deucher , Sasha Levin Subject: [PATCH 5.4 024/411] drm/amd/pm: fix double free in si_parse_power_table() Date: Mon, 13 Jun 2022 12:04:57 +0200 Message-Id: <20220613094929.226358785@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220613094928.482772422@linuxfoundation.org> References: <20220613094928.482772422@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-8.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Keita Suzuki [ Upstream commit f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd ] In function si_parse_power_table(), array adev->pm.dpm.ps and its member is allocated. If the allocation of each member fails, the array itself is freed and returned with an error code. However, the array is later freed again in si_dpm_fini() function which is called when the function returns an error. This leads to potential double free of the array adev->pm.dpm.ps, as well as leak of its array members, since the members are not freed in the allocation function and the array is not nulled when freed. In addition adev->pm.dpm.num_ps, which keeps track of the allocated array member, is not updated until the member allocation is successfully finished, this could also lead to either use after free, or uninitialized variable access in si_dpm_fini(). Fix this by postponing the free of the array until si_dpm_fini() and increment adev->pm.dpm.num_ps everytime the array member is allocated. Signed-off-by: Keita Suzuki Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin --- drivers/gpu/drm/amd/amdgpu/si_dpm.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c index 4cb4c891120b..9931d5c17cfb 100644 --- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c +++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c @@ -7250,17 +7250,15 @@ static int si_parse_power_table(struct amdgpu_device *adev) if (!adev->pm.dpm.ps) return -ENOMEM; power_state_offset = (u8 *)state_array->states; - for (i = 0; i < state_array->ucNumEntries; i++) { + for (adev->pm.dpm.num_ps = 0, i = 0; i < state_array->ucNumEntries; i++) { u8 *idx; power_state = (union pplib_power_state *)power_state_offset; non_clock_array_index = power_state->v2.nonClockInfoIndex; non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) &non_clock_info_array->nonClockInfo[non_clock_array_index]; ps = kzalloc(sizeof(struct si_ps), GFP_KERNEL); - if (ps == NULL) { - kfree(adev->pm.dpm.ps); + if (ps == NULL) return -ENOMEM; - } adev->pm.dpm.ps[i].ps_priv = ps; si_parse_pplib_non_clock_info(adev, &adev->pm.dpm.ps[i], non_clock_info, @@ -7282,8 +7280,8 @@ static int si_parse_power_table(struct amdgpu_device *adev) k++; } power_state_offset += 2 + power_state->v2.ucNumDPMLevels; + adev->pm.dpm.num_ps++; } - adev->pm.dpm.num_ps = state_array->ucNumEntries; /* fill in the vce power states */ for (i = 0; i < adev->pm.dpm.num_of_vce_states; i++) { -- 2.35.1