Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp8695600rwr;
        Thu, 11 May 2023 05:10:46 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ7uekEzWhPsiKhCeFp7545gEnAMXXNVAmU67Y2Z4Txq7w75cKy99imHOryi+0vPdma03FiU
X-Received: by 2002:a05:6a20:7d82:b0:103:4c5d:667a with SMTP id v2-20020a056a207d8200b001034c5d667amr6263015pzj.4.1683807046184;
        Thu, 11 May 2023 05:10:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683807046; cv=none;
        d=google.com; s=arc-20160816;
        b=oJ5GbaRgD5gu2ckAmBh6QLApki2iqfGUnU75kSAEOJZnLQQsmZMFHK5CoyDsOmsBvZ
         JKLBXkNFFGd+FaXuvhbpBK0rtSfni360yYM1Hv3glaCsb8TSrnJJyw9pzm9F9ju+9U+N
         1srYKsju93AZN2Mzwhh7CVpDF1DIk4XPuB34qJatV/sHzRTzcHwRtiIBKUCNx08VbKhw
         me/0f109Zb+krCvCmO1dUsQ2Siys2nf0GAvUuzOyDvhOrFZoODQPg2nBCSlBuQN86Dkg
         zhX4laouVCPBcHnDkE4MtWe0mEPkjzNTnde2xctuQULVHi297YiCNzuCvKX3rxjXer/a
         prmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=/ERSl0qHjIbwi8MtUVkne7Iy4A+Gv+CLVSDubJ5syvg=;
        b=sxzjfm1P1Zk+jTjD21U15vnxukvThvlDnLI1qJi3SNBRBZNEctny946acO8HB3Wbsq
         2TBFS+sWc3yh7cQgikUk0n8fIpP+nluhyV86RxM4yIumGlirABsn/nbNvff+nDedru9l
         GIrEnMsp17zfvAW0+ADzO4Ks4yGwbX9qTaa3rwL1BpD6CERCYhI7S85e6LURzq8/IM1M
         LnCzOKJfpC9Ajg3qZ/TGd1j4gSmzxYCz9jy8TlEVjDgs79h86RdJxp5bgzD2qijm+8a1
         f4EdV53IuyJ8OOCJLfEG2sQLPNk8fVYsuIGqjbTPkYcQIxi5BjegEcm3RjixQlr9yPXb
         z4pA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aladdin.ru
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id j11-20020a633c0b000000b0051b9ce24708si6453096pga.103.2023.05.11.05.10.27;
        Thu, 11 May 2023 05:10:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aladdin.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237831AbjEKL1r (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 99 others); Thu, 11 May 2023 07:27:47 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55322 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229609AbjEKL1p (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 11 May 2023 07:27:45 -0400
Received: from mail-out.aladdin-rd.ru (mail-out.aladdin-rd.ru [91.199.251.16])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 01797558D
        for <linux-kernel@vger.kernel.org>; Thu, 11 May 2023 04:27:40 -0700 (PDT)
From:   Daniil Dulov <d.dulov@aladdin.ru>
To:     Felix Kuehling <Felix.Kuehling@amd.com>
CC:     Daniil Dulov <d.dulov@aladdin.ru>,
        Alex Deucher <alexander.deucher@amd.com>,
        =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>,
        David Airlie <airlied@linux.ie>,
        Daniel Vetter <daniel@ffwll.ch>, Oak Zeng <oak.zeng@intel.com>,
        <amd-gfx@lists.freedesktop.org>, <dri-devel@lists.freedesktop.org>,
        <linux-kernel@vger.kernel.org>,
        "# v5 . 3+" <stable@vger.kernel.org>,
        <lvc-project@linuxtesting.org>
Subject: [PATCH v2] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
Date:   Thu, 11 May 2023 04:23:14 -0700
Message-ID: <20230511112314.29322-1-d.dulov@aladdin.ru>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <ZD7W5aaslOXLg707@ashyti-mobl2.lan>
References: 
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [10.0.20.125]
X-ClientProxiedBy: EXCH-2016-02.aladdin.ru (192.168.1.102) To
 EXCH-2016-02.aladdin.ru (192.168.1.102)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
The function then returns non-zero value, which causes the second deallocation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
v2: Move if (retval) inside previous if as Andi Shyti <andi.shyti@linux.intel.com> suggested.
 drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
index 3b6f5963180d..dadeb2013fd9 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
@@ -113,18 +113,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
 			&(mqd_mem_obj->gtt_mem),
 			&(mqd_mem_obj->gpu_addr),
 			(void *)&(mqd_mem_obj->cpu_ptr), true);
+
+		if (retval) {
+			kfree(mqd_mem_obj);
+			return NULL;
+		}
 	} else {
 		retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
 				&mqd_mem_obj);
-	}
-
-	if (retval) {
-		kfree(mqd_mem_obj);
-		return NULL;
+		if (retval)
+			return NULL;
 	}
 
 	return mqd_mem_obj;
-
 }
 
 static void init_mqd(struct mqd_manager *mm, void **mqd,
-- 
2.25.1