| From 41855a898650803e24b284173354cc3e44d07725 Mon Sep 17 00:00:00 2001 |
| From: Tom Rix <trix@redhat.com> |
| Date: Mon, 6 Jul 2020 05:28:57 -0700 |
| Subject: drm/radeon: fix double free |
| |
| From: Tom Rix <trix@redhat.com> |
| |
| commit 41855a898650803e24b284173354cc3e44d07725 upstream. |
| |
| clang static analysis flags this error |
| |
| drivers/gpu/drm/radeon/ci_dpm.c:5652:9: warning: Use of memory after it is freed [unix.Malloc] |
| kfree(rdev->pm.dpm.ps[i].ps_priv); |
| ^~~~~~~~~~~~~~~~~~~~~~~~~~ |
| drivers/gpu/drm/radeon/ci_dpm.c:5654:2: warning: Attempt to free released memory [unix.Malloc] |
| kfree(rdev->pm.dpm.ps); |
| ^~~~~~~~~~~~~~~~~~~~~~ |
| |
| problem is reported in ci_dpm_fini, with these code blocks. |
| |
| for (i = 0; i < rdev->pm.dpm.num_ps; i++) { |
| kfree(rdev->pm.dpm.ps[i].ps_priv); |
| } |
| kfree(rdev->pm.dpm.ps); |
| |
| The first free happens in ci_parse_power_table where it cleans up locally |
| on a failure. ci_dpm_fini also does a cleanup. |
| |
| ret = ci_parse_power_table(rdev); |
| if (ret) { |
| ci_dpm_fini(rdev); |
| return ret; |
| } |
| |
| So remove the cleanup in ci_parse_power_table and |
| move the num_ps calculation to inside the loop so ci_dpm_fini |
| will know how many array elements to free. |
| |
| Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") |
| |
| Signed-off-by: Tom Rix <trix@redhat.com> |
| Signed-off-by: Alex Deucher <alexander.deucher@amd.com> |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/gpu/drm/radeon/ci_dpm.c | 7 +++---- |
| 1 file changed, 3 insertions(+), 4 deletions(-) |
| |
| --- a/drivers/gpu/drm/radeon/ci_dpm.c |
| +++ b/drivers/gpu/drm/radeon/ci_dpm.c |
| @@ -5578,6 +5578,7 @@ static int ci_parse_power_table(struct r |
| if (!rdev->pm.dpm.ps) |
| return -ENOMEM; |
| power_state_offset = (u8 *)state_array->states; |
| + rdev->pm.dpm.num_ps = 0; |
| for (i = 0; i < state_array->ucNumEntries; i++) { |
| u8 *idx; |
| power_state = (union pplib_power_state *)power_state_offset; |
| @@ -5587,10 +5588,8 @@ static int ci_parse_power_table(struct r |
| if (!rdev->pm.power_state[i].clock_info) |
| return -EINVAL; |
| ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL); |
| - if (ps == NULL) { |
| - kfree(rdev->pm.dpm.ps); |
| + if (ps == NULL) |
| return -ENOMEM; |
| - } |
| rdev->pm.dpm.ps[i].ps_priv = ps; |
| ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i], |
| non_clock_info, |
| @@ -5612,8 +5611,8 @@ static int ci_parse_power_table(struct r |
| k++; |
| } |
| power_state_offset += 2 + power_state->v2.ucNumDPMLevels; |
| + rdev->pm.dpm.num_ps = i + 1; |
| } |
| - rdev->pm.dpm.num_ps = state_array->ucNumEntries; |
| |
| /* fill in the vce power states */ |
| for (i = 0; i < RADEON_MAX_VCE_LEVELS; i++) { |