Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp6124922rdb; Thu, 14 Dec 2023 08:57:58 -0800 (PST) X-Google-Smtp-Source: AGHT+IF5nk9A1FynV68pKI/uYMPLX0cpbN4i4WUGiiuueG5KJShChR6kRo9liu+86hUKny06VQrJ X-Received: by 2002:a17:902:eb87:b0:1d0:b944:6344 with SMTP id q7-20020a170902eb8700b001d0b9446344mr4719226plg.28.1702573077809; Thu, 14 Dec 2023 08:57:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702573077; cv=none; d=google.com; s=arc-20160816; b=0gmQcC/8hoU3Atr1yr6g1ByIKTIlnjIhvnnZskC2HzOHzzxszbnv3HvMH0ZzhV5FkS +yzLNv3l29OUL+j/aYVwyTwAPQpYRYOWnV0dmpz++fU9pVU2HeuoWMt/IFXz1dpFFWnh SKAOnf4lDGxNnJ4TK/v/Ns64rdyZ+d2mzAORMrALtPKNJsgCsutbHzCA3Hy3dBO8pabw brerAmX4d6subA/UrG5he0HPtfXsmSed5YqfJARfMacFDEKjQGV5Bk4txOKtL1mPB100 MYvFe+lMbHKHwIEl34ROEV+C/GN+qiilW90e/Cjyz4WvMMrxMTZy0y66OxcY/6qNkvi8 H+WQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=Bstr3dkab57sM4Lzy/I6ji0FkDDGbSF0a9moJP/I+TM=; fh=bX5s1+ofwxP6EIxpzobemZ9uAJamB5AGz/s7UnzY43Q=; b=K04Bs2gLvHVuZMpjL3jP8316tri+gv69QDUNGFFgyoPwvMPAQaarcFdVA/1qYsMFTb Zg/VsLo1Lg0Yx7V1J4MIrlRx/sRGSLXdLYKpPBZyFdf5pBprF11HC60zqsvJuEJMjUSW wJbCNcf2tqPxsIYx3eY3DQBfVC0pwzbyfI53JbbiweptxxMpXO4nyNoMwgz6Bu1dBuBi u4sG0o/cU3vOuASfRgn5dmA615vV377nfXteSNt2dZ7aDB95OqSNJL2Eg6dZad/qhi73 zYkptG7POzhDVnS004qhRIqy6ItcFyvuycYEAZfsg+Yew+XzjzX6qQn+uVXAq8WEvQKt EGQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id k10-20020a170902694a00b001cc4aca5f5dsi11403964plt.636.2023.12.14.08.57.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 14 Dec 2023 08:57:57 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 9A29180DECF7; Thu, 14 Dec 2023 08:57:56 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230305AbjLNQ5r (ORCPT + 99 others); Thu, 14 Dec 2023 11:57:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55776 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230252AbjLNQ5q (ORCPT ); Thu, 14 Dec 2023 11:57:46 -0500 Received: from zg8tndyumtaxlji0oc4xnzya.icoremail.net (zg8tndyumtaxlji0oc4xnzya.icoremail.net [46.101.248.176]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 72AB211A for ; Thu, 14 Dec 2023 08:57:50 -0800 (PST) Received: from luzhipeng.223.5.5.5 (unknown [115.200.224.93]) by mail-app4 (Coremail) with SMTP id cS_KCgD3_zcFNHtlxSKWAA--.6598S2; Fri, 15 Dec 2023 00:57:42 +0800 (CST) From: Zhipeng Lu To: alexious@zju.edu.cn Cc: Evan Quan , Alex Deucher , =?UTF-8?q?Christian=20K=C3=B6nig?= , "Pan, Xinhui" , David Airlie , Daniel Vetter , Hawking Zhang , Ran Sun , Le Ma , Jammy Zhou , amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: [PATCH] drivers/amd/pm: fix a use-after-free in kv_parse_power_table Date: Fri, 15 Dec 2023 00:24:58 +0800 Message-Id: <20231214162500.3483936-1-alexious@zju.edu.cn> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CM-TRANSID: cS_KCgD3_zcFNHtlxSKWAA--.6598S2 X-Coremail-Antispam: 1UD129KBjvJXoW7tFWDuw17uFWfury8XF4kCrg_yoW8GrW7pr 4fGFyYk34rta12qa9Fq3W8ZF43uanxJFWxGFWkXr45twn8XF1jkFZYyrWYqFyq9FZ3uFZa qr17Jry8XrnF9F7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUv014x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVWxJr0_GcWl84ACjcxK6I8E87Iv6xkF7I0E14v26r xl6s0DM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xfMcIj 6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7v_Jr 0_Gr1lF7xvr2IYc2Ij64vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7M4IIrI8v6xkF7I0E 8cxan2IY04v7MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I 8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8 ZwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x 0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_ Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7VUb XdbUUUUUU== X-CM-SenderInfo: qrsrjiarszq6lmxovvfxof0/ X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 14 Dec 2023 08:57:56 -0800 (PST) When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug. Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts") Signed-off-by: Zhipeng Lu --- drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c index 5d28c951a319..5cb4725c773f 100644 --- a/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c +++ b/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c @@ -2735,10 +2735,8 @@ static int kv_parse_power_table(struct amdgpu_device *adev) non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) &non_clock_info_array->nonClockInfo[non_clock_array_index]; ps = kzalloc(sizeof(struct kv_ps), GFP_KERNEL); - if (ps == NULL) { - kfree(adev->pm.dpm.ps); + if (ps == NULL) return -ENOMEM; - } adev->pm.dpm.ps[i].ps_priv = ps; k = 0; idx = (u8 *)&power_state->v2.clockInfoIndex[0]; -- 2.34.1