Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp683649imw; Thu, 14 Jul 2022 08:54:49 -0700 (PDT) X-Google-Smtp-Source: AGRyM1u4qw5iIfVGlc/RqPmOo1Hg0oPyGNcpJ2p2LEUmzlMacxMOO17xH4LoKvBBK2eJXe+oiKGk X-Received: by 2002:a17:903:2287:b0:16c:b0d:2e99 with SMTP id b7-20020a170903228700b0016c0b0d2e99mr8953505plh.120.1657814088893; Thu, 14 Jul 2022 08:54:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657814088; cv=none; d=google.com; s=arc-20160816; b=c7xe71Pz8jNrgr7v5VuEpSn6E79AfcRQrbY3b6s37mmF1CDyKg6TXswY32tQRIaK4h CLUyh/h1yxcpdplJ7cFy2mklWdMYfKED6HQDrlUEDRD92gwFZzZLcfippqX4XDXx2UY4 HGoEy66grr3vudd2Q1x77wtm3a/YBJNm1q5FhnmGva6ms1+WLRJQtV1gthuW84fCAgXi 7JiG3edhCxJ3JLn+s3tNhP9dOQCIm8ZN7x9J4rQnCXutrx2cnfksDSp/BKCu83OgL8mw jwWCdacyVo4cmXPJWMJkmR77lLrr0k+hJabMl5WM/yAVM7SqiwL3153FwbQHloh8Dk+L n8FA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=Nfadgg2RwVGN0U9zbMOJUV4ip9jB/aIO9F2rxczWRHU=; b=D9bXfRugVxYCixAy7ZLoxYjOUyAfd93juYc7TpPUFqjTyPMlAZUajRK5c+263p4R6i lFxP+WlD5gyo4NTShT/XuyieWavmn+fg/m5P6QoxqgaO8rHIIYxWPLA5BXy3NS9UBc0V yOBKGFh/I3VW6KXAivUWCp1dNrzsWB3zZk+mJnZ3e4KQ+095yI0OTI+86E8AThYOFQSw E1+De4f+JpISICSVG796ph5nHUpQ99edy7tWuU2cx6EamKKkzolbN8vrESquvduTsqiW oS3RiubKSJZhxYwpUGCWJ9MxcMfJ6VpyF/sOIjh+R7M4jCciaGcgXjEagHpdgPY2W0Gn g3iQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@igalia.com header.s=20170329 header.b=GHC+99XV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a17-20020a17090ad81100b001ef888bd595si5555853pjv.118.2022.07.14.08.54.27; Thu, 14 Jul 2022 08:54:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=fail header.i=@igalia.com header.s=20170329 header.b=GHC+99XV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240458AbiGNPnu (ORCPT + 99 others); Thu, 14 Jul 2022 11:43:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49404 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240433AbiGNPnr (ORCPT ); Thu, 14 Jul 2022 11:43:47 -0400 Received: from fanzine2.igalia.com (fanzine.igalia.com [178.60.130.6]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3488862CE for ; Thu, 14 Jul 2022 08:43:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com; s=20170329; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Nfadgg2RwVGN0U9zbMOJUV4ip9jB/aIO9F2rxczWRHU=; b=GHC+99XVhfLGqPOJpX8XJIekgf IVe5wW9id/p4DTQhtSytmxFaZizonB3wqasjGsrD8kctEEHACHgMKQ3RHD9hGbIM7jqSOxW+HAoUC iFwXpcgUEOzwsfDC4s92IOmM8BCU4R5TCxblPGQXn3vnQ1i3Gi0LU6nIIKaTdDN3u3yvOUJoowwp5 i30H3tIWA3+4iEEinKt2583B+eYRHGdQHmzlIufwIwWjNgOw5c3kdQA5pKa4NvBBwerrNhjpFUBLM gXFihoYuePAKRkNW2dF1e02PkGy0Pm0sTnjIBEJXTFBFF3Emp/UEEggAkIYhmBnVcljywvQKpWVF+ 1vlC9x9Q==; Received: from [177.139.47.106] (helo=[192.168.15.109]) by fanzine2.igalia.com with esmtpsa (Cipher TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128) (Exim) id 1oC105-00GXxV-3u; Thu, 14 Jul 2022 17:43:37 +0200 Message-ID: <1106b107-6373-9f89-5310-ea29db9fdf75@igalia.com> Date: Thu, 14 Jul 2022 12:43:19 -0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [PATCH -next] drm/amdgpu: double free error and freeing uninitialized null pointer Content-Language: en-US To: Sebin Sebastian Cc: Alex Deucher , =?UTF-8?Q?Christian_K=c3=b6nig?= , "Pan, Xinhui" , David Airlie , Daniel Vetter , Nirmoy Das , Lijo Lazar , Tom St Denis , Evan Quan , Somalapuram Amaranath , amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org References: <20220710132911.399325-1-mailmesebin00@gmail.com> <21df71a6-44d4-48a6-17d2-d463174a10c7@igalia.com> From: =?UTF-8?Q?Andr=c3=a9_Almeida?= In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Às 12:06 de 14/07/22, Sebin Sebastian escreveu: > On Tue, Jul 12, 2022 at 12:14:27PM -0300, André Almeida wrote: >> Hi Sebin, >> >> Às 10:29 de 10/07/22, Sebin Sebastian escreveu: >>> Fix two coverity warning's double free and and an uninitialized pointer >>> read. Both tmp and new are pointing at same address and both are freed >>> which leads to double free. Freeing tmp in the condition after new is >>> assigned with new address fixes the double free issue. new is not >>> initialized to null which also leads to a free on an uninitialized >>> pointer. >>> Coverity issue: 1518665 (uninitialized pointer read) >>> 1518679 (double free) >> >> What are those numbers? >> > These numbers are the issue ID's for the errors that are being reported > by the coverity static analyzer tool. > I see, but I don't know which tool was used, so those seem like random number to me. I would just remove this part of your commit message, but if you want to keep it, you need to at least mention what's the tool. >>> >>> Signed-off-by: Sebin Sebastian >>> --- >>> drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 8 +++++--- >>> 1 file changed, 5 insertions(+), 3 deletions(-) >>> >>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c >>> index f3b3c688e4e7..d82fe0e1b06b 100644 >>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c >>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c >>> @@ -1660,7 +1660,7 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f, >>> { >>> struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private; >>> char reg_offset[11]; >>> - uint32_t *new, *tmp = NULL; >>> + uint32_t *new = NULL, *tmp = NULL; >>> int ret, i = 0, len = 0; >>> >>> do { >>> @@ -1692,17 +1692,19 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f, >>> goto error_free; >>> } >> >> If the `if (!new) {` above this line is true, will be tmp freed? >> > Yes, It doesn't seem to free tmp here. Should I free tmp immediately > after the do while loop and remove `kfree(tmp)` from the `if (ret)` > block? Thanks for pointing out the errors. If you free immediately after the while loop, then you would risk a use after free here: swap(adev->reset_dump_reg_list, tmp); So this isn't the solution either. > >>> ret = down_write_killable(&adev->reset_domain->sem); >>> - if (ret) >>> + if (ret) { >>> + kfree(tmp); >>> goto error_free; >>> + } >>> >>> swap(adev->reset_dump_reg_list, tmp); >>> swap(adev->reset_dump_reg_value, new); >>> adev->num_regs = i; >>> up_write(&adev->reset_domain->sem); >>> + kfree(tmp); >>> ret = size; >>> >>> error_free: >>> - kfree(tmp); >>> kfree(new); >>> return ret; >>> }