In-Reply-To: <20231214162500.3483936-1-alexious@zju.edu.cn>
From: Alex Deucher
Date: Thu, 14 Dec 2023 12:06:26 -0500
Subject: Re: [PATCH] drivers/amd/pm: fix a use-after-free in kv_parse_power_table
To: Zhipeng Lu
Cc: Ran Sun, Jammy Zhou, "Pan, Xinhui", linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, Le Ma, dri-devel@lists.freedesktop.org, Alex Deucher, Evan Quan, Christian König, Hawking Zhang

Applied. Thanks!

On Thu, Dec 14, 2023 at 11:57 AM Zhipeng Lu wrote:
>
> When ps allocated by kzalloc equals NULL, kv_parse_power_table
> frees adev->pm.dpm.ps that was allocated before. However, after the control
> flow goes through the following call chains:
>
> kv_parse_power_table
>         |-> kv_dpm_init
>         |-> kv_dpm_sw_init
>         |-> kv_dpm_fini
>
> The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its
> first free in kv_parse_power_table and causes a use-after-free bug.
>
> Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts")
> Signed-off-by: Zhipeng Lu
> --- > drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c b/drivers/gpu/drm= /amd/pm/legacy-dpm/kv_dpm.c > index 5d28c951a319..5cb4725c773f 100644 > --- a/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c > +++ b/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c 
> @@ -2735,10 +2735,8 @@ static int kv_parse_power_table(struct amdgpu_devi= ce *adev) > non_clock_info =3D (struct _ATOM_PPLIB_NONCLOCK_INFO *) > &non_clock_info_array->nonClockInfo[non_clock_arr= ay_index]; > ps =3D kzalloc(sizeof(struct kv_ps), GFP_KERNEL); > - if (ps =3D=3D NULL) { > - kfree(adev->pm.dpm.ps); > + if (ps =3D=3D NULL) > return -ENOMEM; > - } > adev->pm.dpm.ps[i].ps_priv =3D ps; > k =3D 0; > idx =3D (u8 *)&power_state->v2.clockInfoIndex[0]; > -- > 2.34.1 >
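
Review bot: at the `if (ps == NULL)` return in kv_parse_power_table, no code on this path releases adev->pm.dpm.ps or the ps_priv pointers stored by earlier loop iterations any more, so the change is only leak-free if the caller's cleanup always runs after this failure. The commit message says kv_dpm_fini walks adev->pm.dpm.ps on that path; it would help to say explicitly, in the message or in a short comment above `return -ENOMEM;`, that kv_dpm_fini owns freeing both the array and each ps_priv, and to confirm that the entry count it loops over is valid when parsing stops partway through the table. As a minor style point, kernel code usually writes this test as `if (!ps)`.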