From: Sebin Sebastian <mailmesebin00@gmail.com>
To: "André Almeida" <andrealmeid@igalia.com>
Cc: "Tom St Denis" <tom.stdenis@amd.com>,
"Lijo Lazar" <lijo.lazar@amd.com>,
"Somalapuram Amaranath" <Amaranath.Somalapuram@amd.com>,
"David Airlie" <airlied@linux.ie>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org,
"Nirmoy Das" <nirmoy.das@amd.com>,
dri-devel@lists.freedesktop.org,
"Daniel Vetter" <daniel@ffwll.ch>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Evan Quan" <evan.quan@amd.com>,
"Christian König" <christian.koenig@amd.com>
Subject: Re: [PATCH -next] drm/amdgpu: double free error and freeing uninitialized null pointer
Date: Thu, 14 Jul 2022 20:36:09 +0530 [thread overview]
Message-ID: <YtAw4dra+g1rcAXd@sebin-inspiron> (raw)
In-Reply-To: <21df71a6-44d4-48a6-17d2-d463174a10c7@igalia.com>
On Tue, Jul 12, 2022 at 12:14:27PM -0300, André Almeida wrote:
> Hi Sebin,
>
> Às 10:29 de 10/07/22, Sebin Sebastian escreveu:
> > Fix two coverity warning's double free and and an uninitialized pointer
> > read. Both tmp and new are pointing at same address and both are freed
> > which leads to double free. Freeing tmp in the condition after new is
> > assigned with new address fixes the double free issue. new is not
> > initialized to null which also leads to a free on an uninitialized
> > pointer.
> > Coverity issue: 1518665 (uninitialized pointer read)
> > 1518679 (double free)
>
> What are those numbers?
>
These numbers are the issue ID's for the errors that are being reported
by the coverity static analyzer tool.
> >
> > Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
> > ---
> > drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > index f3b3c688e4e7..d82fe0e1b06b 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > @@ -1660,7 +1660,7 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
> > {
> > struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
> > char reg_offset[11];
> > - uint32_t *new, *tmp = NULL;
> > + uint32_t *new = NULL, *tmp = NULL;
> > int ret, i = 0, len = 0;
> >
> > do {
> > @@ -1692,17 +1692,19 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
> > goto error_free;
> > }
>
> If the `if (!new) {` above this line is true, will be tmp freed?
>
Yes, It doesn't seem to free tmp here. Should I free tmp immediately
after the do while loop and remove `kfree(tmp)` from the `if (ret)`
block? Thanks for pointing out the errors.
> > ret = down_write_killable(&adev->reset_domain->sem);
> > - if (ret)
> > + if (ret) {
> > + kfree(tmp);
> > goto error_free;
> > + }
> >
> > swap(adev->reset_dump_reg_list, tmp);
> > swap(adev->reset_dump_reg_value, new);
> > adev->num_regs = i;
> > up_write(&adev->reset_domain->sem);
> > + kfree(tmp);
> > ret = size;
> >
> > error_free:
> > - kfree(tmp);
> > kfree(new);
> > return ret;
> > }
WARNING: multiple messages have this Message-ID (diff)
From: Sebin Sebastian <mailmesebin00@gmail.com>
To: "André Almeida" <andrealmeid@igalia.com>
Cc: "Tom St Denis" <tom.stdenis@amd.com>,
"Lijo Lazar" <lijo.lazar@amd.com>,
"Somalapuram Amaranath" <Amaranath.Somalapuram@amd.com>,
"David Airlie" <airlied@linux.ie>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org,
"Nirmoy Das" <nirmoy.das@amd.com>,
dri-devel@lists.freedesktop.org,
"Alex Deucher" <alexander.deucher@amd.com>,
"Evan Quan" <evan.quan@amd.com>,
"Christian König" <christian.koenig@amd.com>
Subject: Re: [PATCH -next] drm/amdgpu: double free error and freeing uninitialized null pointer
Date: Thu, 14 Jul 2022 20:36:09 +0530 [thread overview]
Message-ID: <YtAw4dra+g1rcAXd@sebin-inspiron> (raw)
In-Reply-To: <21df71a6-44d4-48a6-17d2-d463174a10c7@igalia.com>
On Tue, Jul 12, 2022 at 12:14:27PM -0300, André Almeida wrote:
> Hi Sebin,
>
> Às 10:29 de 10/07/22, Sebin Sebastian escreveu:
> > Fix two coverity warning's double free and and an uninitialized pointer
> > read. Both tmp and new are pointing at same address and both are freed
> > which leads to double free. Freeing tmp in the condition after new is
> > assigned with new address fixes the double free issue. new is not
> > initialized to null which also leads to a free on an uninitialized
> > pointer.
> > Coverity issue: 1518665 (uninitialized pointer read)
> > 1518679 (double free)
>
> What are those numbers?
>
These numbers are the issue ID's for the errors that are being reported
by the coverity static analyzer tool.
> >
> > Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
> > ---
> > drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > index f3b3c688e4e7..d82fe0e1b06b 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > @@ -1660,7 +1660,7 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
> > {
> > struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
> > char reg_offset[11];
> > - uint32_t *new, *tmp = NULL;
> > + uint32_t *new = NULL, *tmp = NULL;
> > int ret, i = 0, len = 0;
> >
> > do {
> > @@ -1692,17 +1692,19 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
> > goto error_free;
> > }
>
> If the `if (!new) {` above this line is true, will be tmp freed?
>
Yes, It doesn't seem to free tmp here. Should I free tmp immediately
after the do while loop and remove `kfree(tmp)` from the `if (ret)`
block? Thanks for pointing out the errors.
> > ret = down_write_killable(&adev->reset_domain->sem);
> > - if (ret)
> > + if (ret) {
> > + kfree(tmp);
> > goto error_free;
> > + }
> >
> > swap(adev->reset_dump_reg_list, tmp);
> > swap(adev->reset_dump_reg_value, new);
> > adev->num_regs = i;
> > up_write(&adev->reset_domain->sem);
> > + kfree(tmp);
> > ret = size;
> >
> > error_free:
> > - kfree(tmp);
> > kfree(new);
> > return ret;
> > }
WARNING: multiple messages have this Message-ID (diff)
From: Sebin Sebastian <mailmesebin00@gmail.com>
To: "André Almeida" <andrealmeid@igalia.com>
Cc: "Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
"David Airlie" <airlied@linux.ie>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Nirmoy Das" <nirmoy.das@amd.com>,
"Lijo Lazar" <lijo.lazar@amd.com>,
"Tom St Denis" <tom.stdenis@amd.com>,
"Evan Quan" <evan.quan@amd.com>,
"Somalapuram Amaranath" <Amaranath.Somalapuram@amd.com>,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH -next] drm/amdgpu: double free error and freeing uninitialized null pointer
Date: Thu, 14 Jul 2022 20:36:09 +0530 [thread overview]
Message-ID: <YtAw4dra+g1rcAXd@sebin-inspiron> (raw)
In-Reply-To: <21df71a6-44d4-48a6-17d2-d463174a10c7@igalia.com>
On Tue, Jul 12, 2022 at 12:14:27PM -0300, André Almeida wrote:
> Hi Sebin,
>
> Às 10:29 de 10/07/22, Sebin Sebastian escreveu:
> > Fix two coverity warning's double free and and an uninitialized pointer
> > read. Both tmp and new are pointing at same address and both are freed
> > which leads to double free. Freeing tmp in the condition after new is
> > assigned with new address fixes the double free issue. new is not
> > initialized to null which also leads to a free on an uninitialized
> > pointer.
> > Coverity issue: 1518665 (uninitialized pointer read)
> > 1518679 (double free)
>
> What are those numbers?
>
These numbers are the issue ID's for the errors that are being reported
by the coverity static analyzer tool.
> >
> > Signed-off-by: Sebin Sebastian <mailmesebin00@gmail.com>
> > ---
> > drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > index f3b3c688e4e7..d82fe0e1b06b 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> > @@ -1660,7 +1660,7 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
> > {
> > struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
> > char reg_offset[11];
> > - uint32_t *new, *tmp = NULL;
> > + uint32_t *new = NULL, *tmp = NULL;
> > int ret, i = 0, len = 0;
> >
> > do {
> > @@ -1692,17 +1692,19 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
> > goto error_free;
> > }
>
> If the `if (!new) {` above this line is true, will be tmp freed?
>
Yes, It doesn't seem to free tmp here. Should I free tmp immediately
after the do while loop and remove `kfree(tmp)` from the `if (ret)`
block? Thanks for pointing out the errors.
> > ret = down_write_killable(&adev->reset_domain->sem);
> > - if (ret)
> > + if (ret) {
> > + kfree(tmp);
> > goto error_free;
> > + }
> >
> > swap(adev->reset_dump_reg_list, tmp);
> > swap(adev->reset_dump_reg_value, new);
> > adev->num_regs = i;
> > up_write(&adev->reset_domain->sem);
> > + kfree(tmp);
> > ret = size;
> >
> > error_free:
> > - kfree(tmp);
> > kfree(new);
> > return ret;
> > }
next prev parent reply other threads:[~2022-07-14 15:10 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-10 13:29 [PATCH -next] drm/amdgpu: double free error and freeing uninitialized null pointer Sebin Sebastian
2022-07-10 13:29 ` Sebin Sebastian
2022-07-10 13:29 ` Sebin Sebastian
2022-07-12 15:14 ` André Almeida
2022-07-12 15:14 ` André Almeida
2022-07-12 15:14 ` André Almeida
2022-07-14 15:06 ` Sebin Sebastian [this message]
2022-07-14 15:06 ` Sebin Sebastian
2022-07-14 15:06 ` Sebin Sebastian
2022-07-14 15:43 ` André Almeida
2022-07-14 15:43 ` André Almeida
2022-07-14 15:43 ` André Almeida
2022-07-15 8:18 ` Somalapuram, Amaranath
2022-07-15 8:18 ` Somalapuram, Amaranath
2022-07-18 7:45 ` Sebin Sebastian
2022-07-18 7:45 ` Sebin Sebastian
2022-07-18 7:45 ` Sebin Sebastian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YtAw4dra+g1rcAXd@sebin-inspiron \
--to=mailmesebin00@gmail.com \
--cc=Amaranath.Somalapuram@amd.com \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@linux.ie \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=andrealmeid@igalia.com \
--cc=christian.koenig@amd.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=evan.quan@amd.com \
--cc=lijo.lazar@amd.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nirmoy.das@amd.com \
--cc=tom.stdenis@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.