* [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
@ 2022-07-30 3:46 ` Sebin Sebastian
0 siblings, 0 replies; 10+ messages in thread
From: Sebin Sebastian @ 2022-07-30 3:46 UTC (permalink / raw)
Cc: mailmesebin00, Alex Deucher, Christian König, Pan, Xinhui,
David Airlie, Daniel Vetter, Nirmoy Das, Lijo Lazar, Evan Quan,
Tom St Denis, Somalapuram Amaranath, André Almeida, amd-gfx,
dri-devel, linux-kernel
Fix a double free and an uninitialized pointer read error. Both tmp and
new are pointing at same address and both are freed which leads to
double free. Adding a check to verify if new and tmp are free in the
error_free label fixes the double free issue. new is not initialized to
null which also leads to a free on an uninitialized pointer.
Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
---
Changes in v2:
Updated patch body as suggested by André Almeida <andrealmeid@igalia.com>
Reworked to implement a check in error_free for fixing double free error
as suggested by S. Amaranath <Amaranath.Somalapuram@amd.com>
drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
index e2eec985adb3..cb00c7d6f50b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
@@ -1705,7 +1705,7 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
{
struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
char reg_offset[11];
- uint32_t *new, *tmp = NULL;
+ uint32_t *new = NULL, *tmp = NULL;
int ret, i = 0, len = 0;
do {
@@ -1747,7 +1747,8 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
ret = size;
error_free:
- kfree(tmp);
+ if (tmp != new)
+ kfree(tmp);
kfree(new);
return ret;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
@ 2022-07-30 3:46 ` Sebin Sebastian
0 siblings, 0 replies; 10+ messages in thread
From: Sebin Sebastian @ 2022-07-30 3:46 UTC (permalink / raw)
Cc: Tom St Denis, Lijo Lazar, André Almeida,
Somalapuram Amaranath, David Airlie, mailmesebin00, Pan, Xinhui,
linux-kernel, amd-gfx, Nirmoy Das, dri-devel, Alex Deucher,
Evan Quan, Christian König
Fix a double free and an uninitialized pointer read error. Both tmp and
new are pointing at same address and both are freed which leads to
double free. Adding a check to verify if new and tmp are free in the
error_free label fixes the double free issue. new is not initialized to
null which also leads to a free on an uninitialized pointer.
Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
---
Changes in v2:
Updated patch body as suggested by André Almeida <andrealmeid@igalia.com>
Reworked to implement a check in error_free for fixing double free error
as suggested by S. Amaranath <Amaranath.Somalapuram@amd.com>
drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
index e2eec985adb3..cb00c7d6f50b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
@@ -1705,7 +1705,7 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
{
struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
char reg_offset[11];
- uint32_t *new, *tmp = NULL;
+ uint32_t *new = NULL, *tmp = NULL;
int ret, i = 0, len = 0;
do {
@@ -1747,7 +1747,8 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
ret = size;
error_free:
- kfree(tmp);
+ if (tmp != new)
+ kfree(tmp);
kfree(new);
return ret;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* RE: [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
2022-07-30 3:46 ` Sebin Sebastian
(?)
(?)
@ 2022-08-01 1:28 ` Quan, Evan
-1 siblings, 0 replies; 10+ messages in thread
From: Quan, Evan @ 2022-08-01 1:28 UTC (permalink / raw)
To: Sebin Sebastian
Cc: Deucher, Alexander, Koenig, Christian, Pan, Xinhui, David Airlie,
Daniel Vetter, Nirmoy Das, Lazar, Lijo, StDenis, Tom,
Somalapuram, Amaranath, André Almeida,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org
[AMD Official Use Only - General]
Reviewed-by: Evan Quan <evan.quan@amd.com>
> -----Original Message-----
> From: Sebin Sebastian <mailmesebin00@gmail.com>
> Sent: Saturday, July 30, 2022 11:47 AM
> Cc: mailmesebin00@gmail.com; Deucher, Alexander
> <Alexander.Deucher@amd.com>; Koenig, Christian
> <Christian.Koenig@amd.com>; Pan, Xinhui <Xinhui.Pan@amd.com>; David
> Airlie <airlied@linux.ie>; Daniel Vetter <daniel@ffwll.ch>; Nirmoy Das
> <nirmoy.das@amd.com>; Lazar, Lijo <Lijo.Lazar@amd.com>; Quan, Evan
> <Evan.Quan@amd.com>; StDenis, Tom <Tom.StDenis@amd.com>;
> Somalapuram, Amaranath <Amaranath.Somalapuram@amd.com>; André
> Almeida <andrealmeid@igalia.com>; amd-gfx@lists.freedesktop.org; dri-
> devel@lists.freedesktop.org; linux-kernel@vger.kernel.org
> Subject: [PATCHv2 -next] drm/amdgpu: double free error and freeing
> uninitialized null pointer
>
> Fix a double free and an uninitialized pointer read error. Both tmp and
> new are pointing at same address and both are freed which leads to
> double free. Adding a check to verify if new and tmp are free in the
> error_free label fixes the double free issue. new is not initialized to
> null which also leads to a free on an uninitialized pointer.
>
> Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
> Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
> ---
> Changes in v2:
> Updated patch body as suggested by André Almeida
> <andrealmeid@igalia.com>
> Reworked to implement a check in error_free for fixing double free error
> as suggested by S. Amaranath <Amaranath.Somalapuram@amd.com>
>
> drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> index e2eec985adb3..cb00c7d6f50b 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> @@ -1705,7 +1705,7 @@ static ssize_t
> amdgpu_reset_dump_register_list_write(struct file *f,
> {
> struct amdgpu_device *adev = (struct amdgpu_device
> *)file_inode(f)->i_private;
> char reg_offset[11];
> - uint32_t *new, *tmp = NULL;
> + uint32_t *new = NULL, *tmp = NULL;
> int ret, i = 0, len = 0;
>
> do {
> @@ -1747,7 +1747,8 @@ static ssize_t
> amdgpu_reset_dump_register_list_write(struct file *f,
> ret = size;
>
> error_free:
> - kfree(tmp);
> + if (tmp != new)
> + kfree(tmp);
> kfree(new);
> return ret;
> }
> --
> 2.34.1
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
2022-07-30 3:46 ` Sebin Sebastian
(?)
@ 2022-08-01 17:06 ` André Almeida
-1 siblings, 0 replies; 10+ messages in thread
From: André Almeida @ 2022-08-01 17:06 UTC (permalink / raw)
To: Sebin Sebastian
Cc: Tom St Denis, Lijo Lazar, Somalapuram Amaranath, David Airlie,
Pan, Xinhui, linux-kernel, amd-gfx, Nirmoy Das, dri-devel,
Daniel Vetter, Alex Deucher, Evan Quan, Christian König
Às 00:46 de 30/07/22, Sebin Sebastian escreveu:
> Fix a double free and an uninitialized pointer read error. Both tmp and
> new are pointing at same address and both are freed which leads to
> double free. Adding a check to verify if new and tmp are free in the
> error_free label fixes the double free issue. new is not initialized to
> null which also leads to a free on an uninitialized pointer.
>
> Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
> Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
Reviewed-by: André Almeida <andrealmeid@igalia.com>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
@ 2022-08-01 17:06 ` André Almeida
0 siblings, 0 replies; 10+ messages in thread
From: André Almeida @ 2022-08-01 17:06 UTC (permalink / raw)
To: Sebin Sebastian
Cc: Alex Deucher, Christian König, Pan, Xinhui, David Airlie,
Daniel Vetter, Nirmoy Das, Lijo Lazar, Evan Quan, Tom St Denis,
Somalapuram Amaranath, amd-gfx, dri-devel, linux-kernel
Às 00:46 de 30/07/22, Sebin Sebastian escreveu:
> Fix a double free and an uninitialized pointer read error. Both tmp and
> new are pointing at same address and both are freed which leads to
> double free. Adding a check to verify if new and tmp are free in the
> error_free label fixes the double free issue. new is not initialized to
> null which also leads to a free on an uninitialized pointer.
>
> Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
> Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
Reviewed-by: André Almeida <andrealmeid@igalia.com>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
@ 2022-08-01 17:06 ` André Almeida
0 siblings, 0 replies; 10+ messages in thread
From: André Almeida @ 2022-08-01 17:06 UTC (permalink / raw)
To: Sebin Sebastian
Cc: Tom St Denis, Lijo Lazar, Somalapuram Amaranath, David Airlie,
Pan, Xinhui, linux-kernel, amd-gfx, Nirmoy Das, dri-devel,
Alex Deucher, Evan Quan, Christian König
Às 00:46 de 30/07/22, Sebin Sebastian escreveu:
> Fix a double free and an uninitialized pointer read error. Both tmp and
> new are pointing at same address and both are freed which leads to
> double free. Adding a check to verify if new and tmp are free in the
> error_free label fixes the double free issue. new is not initialized to
> null which also leads to a free on an uninitialized pointer.
>
> Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
> Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
Reviewed-by: André Almeida <andrealmeid@igalia.com>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
2022-08-01 17:06 ` André Almeida
(?)
@ 2022-08-10 16:41 ` Alex Deucher
-1 siblings, 0 replies; 10+ messages in thread
From: Alex Deucher @ 2022-08-10 16:41 UTC (permalink / raw)
To: André Almeida
Cc: Tom St Denis, Pan, Xinhui, Somalapuram Amaranath, David Airlie,
Sebin Sebastian, Lijo Lazar, linux-kernel, amd-gfx, Nirmoy Das,
dri-devel, Daniel Vetter, Alex Deucher, Evan Quan,
Christian König
Applied. Thanks!
Alex
On Mon, Aug 1, 2022 at 1:08 PM André Almeida <andrealmeid@igalia.com> wrote:
>
> Às 00:46 de 30/07/22, Sebin Sebastian escreveu:
> > Fix a double free and an uninitialized pointer read error. Both tmp and
> > new are pointing at same address and both are freed which leads to
> > double free. Adding a check to verify if new and tmp are free in the
> > error_free label fixes the double free issue. new is not initialized to
> > null which also leads to a free on an uninitialized pointer.
> >
> > Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
> > Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
>
> Reviewed-by: André Almeida <andrealmeid@igalia.com>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
@ 2022-08-10 16:41 ` Alex Deucher
0 siblings, 0 replies; 10+ messages in thread
From: Alex Deucher @ 2022-08-10 16:41 UTC (permalink / raw)
To: André Almeida
Cc: Sebin Sebastian, Tom St Denis, Lijo Lazar, Somalapuram Amaranath,
David Airlie, Pan, Xinhui, linux-kernel, amd-gfx, Nirmoy Das,
dri-devel, Daniel Vetter, Alex Deucher, Evan Quan,
Christian König
Applied. Thanks!
Alex
On Mon, Aug 1, 2022 at 1:08 PM André Almeida <andrealmeid@igalia.com> wrote:
>
> Às 00:46 de 30/07/22, Sebin Sebastian escreveu:
> > Fix a double free and an uninitialized pointer read error. Both tmp and
> > new are pointing at same address and both are freed which leads to
> > double free. Adding a check to verify if new and tmp are free in the
> > error_free label fixes the double free issue. new is not initialized to
> > null which also leads to a free on an uninitialized pointer.
> >
> > Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
> > Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
>
> Reviewed-by: André Almeida <andrealmeid@igalia.com>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCHv2 -next] drm/amdgpu: double free error and freeing uninitialized null pointer
@ 2022-08-10 16:41 ` Alex Deucher
0 siblings, 0 replies; 10+ messages in thread
From: Alex Deucher @ 2022-08-10 16:41 UTC (permalink / raw)
To: André Almeida
Cc: Tom St Denis, Pan, Xinhui, Somalapuram Amaranath, David Airlie,
Sebin Sebastian, Lijo Lazar, linux-kernel, amd-gfx, Nirmoy Das,
dri-devel, Alex Deucher, Evan Quan, Christian König
Applied. Thanks!
Alex
On Mon, Aug 1, 2022 at 1:08 PM André Almeida <andrealmeid@igalia.com> wrote:
>
> Às 00:46 de 30/07/22, Sebin Sebastian escreveu:
> > Fix a double free and an uninitialized pointer read error. Both tmp and
> > new are pointing at same address and both are freed which leads to
> > double free. Adding a check to verify if new and tmp are free in the
> > error_free label fixes the double free issue. new is not initialized to
> > null which also leads to a free on an uninitialized pointer.
> >
> > Suggested by: S. Amaranath <Amaranath.Somalapuram@amd.com>
> > Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
>
> Reviewed-by: André Almeida <andrealmeid@igalia.com>
^ permalink raw reply [flat|nested] 10+ messages in thread