| Message ID | 5ff4d367-b5bd-40ae-9529-56d08ea6c1d0@stanley.mountain (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [next] drm/amdgpu: Fix double free in amdgpu_userq_fence_driver_alloc() | expand |
Please change this also instead of 'goto free_fence_drv' just return err.
fence_drv = kzalloc(sizeof(*fence_drv), GFP_KERNEL);
if (!fence_drv) {
DRM_ERROR("Failed to allocate memory for fence driver\n");
r = -ENOMEM;
goto free_fence_drv; // this should be replace by return.
}
~arvind
On 4/10/2025 9:54 PM, Dan Carpenter wrote:
> The goto frees "fence_drv" so this is a double free bug. There is no
> need to call amdgpu_seq64_free(adev, fence_drv->va) since the seq64
> allocation failed so change the goto to goto free_fence_drv. Also
> propagate the error code from amdgpu_seq64_alloc() instead of hard coding
> it to -ENOMEM.
>
> Fixes: e7cf21fbb277 ("drm/amdgpu: Few optimization and fixes for userq fence driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> index a4953d668972..b012fece91e8 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
> @@ -84,11 +84,8 @@ int amdgpu_userq_fence_driver_alloc(struct amdgpu_device *adev,
> /* Acquire seq64 memory */
> r = amdgpu_seq64_alloc(adev, &fence_drv->va, &fence_drv->gpu_addr,
> &fence_drv->cpu_addr);
> - if (r) {
> - kfree(fence_drv);
> - r = -ENOMEM;
> - goto free_seq64;
> - }
> + if (r)
> + goto free_fence_drv;
>
> memset(fence_drv->cpu_addr, 0, sizeof(u64));
>
On Thu, Apr 10, 2025 at 10:29:31PM +0530, Yadav, Arvind wrote: > Please change this also instead of 'goto free_fence_drv' just return err. > > fence_drv = kzalloc(sizeof(*fence_drv), GFP_KERNEL); > if (!fence_drv) { > DRM_ERROR("Failed to allocate memory for fence driver\n"); > r = -ENOMEM; > goto free_fence_drv; // this should be replace by return. > } > > ~arvind I noticed that when I was writing my patch as well. I'm always in favor of direct returns, but it makes the patch confusing to add this unrelated cleanup... I'll send it as a separate patch. regards, dan carpenter
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c index a4953d668972..b012fece91e8 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c @@ -84,11 +84,8 @@ int amdgpu_userq_fence_driver_alloc(struct amdgpu_device *adev, /* Acquire seq64 memory */ r = amdgpu_seq64_alloc(adev, &fence_drv->va, &fence_drv->gpu_addr, &fence_drv->cpu_addr); - if (r) { - kfree(fence_drv); - r = -ENOMEM; - goto free_seq64; - } + if (r) + goto free_fence_drv; memset(fence_drv->cpu_addr, 0, sizeof(u64));
The goto frees "fence_drv" so this is a double free bug. There is no need to call amdgpu_seq64_free(adev, fence_drv->va) since the seq64 allocation failed so change the goto to goto free_fence_drv. Also propagate the error code from amdgpu_seq64_alloc() instead of hard coding it to -ENOMEM. Fixes: e7cf21fbb277 ("drm/amdgpu: Few optimization and fixes for userq fence driver") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- --- drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)