Commit 41855a89 authored by Tom Rix's avatar Tom Rix Committed by Alex Deucher

drm/radeon: fix double free

clang static analysis flags this error

drivers/gpu/drm/radeon/ci_dpm.c:5652:9: warning: Use of memory after it is freed [unix.Malloc]
                kfree(rdev->pm.dpm.ps[i].ps_priv);
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/radeon/ci_dpm.c:5654:2: warning: Attempt to free released memory [unix.Malloc]
        kfree(rdev->pm.dpm.ps);
        ^~~~~~~~~~~~~~~~~~~~~~

problem is reported in ci_dpm_fini, with these code blocks.

	for (i = 0; i < rdev->pm.dpm.num_ps; i++) {
		kfree(rdev->pm.dpm.ps[i].ps_priv);
	}
	kfree(rdev->pm.dpm.ps);

The first free happens in ci_parse_power_table where it cleans up locally
on a failure.  ci_dpm_fini also does a cleanup.

	ret = ci_parse_power_table(rdev);
	if (ret) {
		ci_dpm_fini(rdev);
		return ret;
	}

So remove the cleanup in ci_parse_power_table and
move the num_ps calculation to inside the loop so ci_dpm_fini
will know how many array elements to free.

Fixes: cc8dbbb4 ("drm/radeon: add dpm support for CI dGPUs (v2)")
Signed-off-by: default avatarTom Rix <trix@redhat.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
parent 3b2e973d
...@@ -5563,6 +5563,7 @@ static int ci_parse_power_table(struct radeon_device *rdev) ...@@ -5563,6 +5563,7 @@ static int ci_parse_power_table(struct radeon_device *rdev)
if (!rdev->pm.dpm.ps) if (!rdev->pm.dpm.ps)
return -ENOMEM; return -ENOMEM;
power_state_offset = (u8 *)state_array->states; power_state_offset = (u8 *)state_array->states;
rdev->pm.dpm.num_ps = 0;
for (i = 0; i < state_array->ucNumEntries; i++) { for (i = 0; i < state_array->ucNumEntries; i++) {
u8 *idx; u8 *idx;
power_state = (union pplib_power_state *)power_state_offset; power_state = (union pplib_power_state *)power_state_offset;
...@@ -5572,10 +5573,8 @@ static int ci_parse_power_table(struct radeon_device *rdev) ...@@ -5572,10 +5573,8 @@ static int ci_parse_power_table(struct radeon_device *rdev)
if (!rdev->pm.power_state[i].clock_info) if (!rdev->pm.power_state[i].clock_info)
return -EINVAL; return -EINVAL;
ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL); ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL);
if (ps == NULL) { if (ps == NULL)
kfree(rdev->pm.dpm.ps);
return -ENOMEM; return -ENOMEM;
}
rdev->pm.dpm.ps[i].ps_priv = ps; rdev->pm.dpm.ps[i].ps_priv = ps;
ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i], ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i],
non_clock_info, non_clock_info,
...@@ -5597,8 +5596,8 @@ static int ci_parse_power_table(struct radeon_device *rdev) ...@@ -5597,8 +5596,8 @@ static int ci_parse_power_table(struct radeon_device *rdev)
k++; k++;
} }
power_state_offset += 2 + power_state->v2.ucNumDPMLevels; power_state_offset += 2 + power_state->v2.ucNumDPMLevels;
rdev->pm.dpm.num_ps = i + 1;
} }
rdev->pm.dpm.num_ps = state_array->ucNumEntries;
/* fill in the vce power states */ /* fill in the vce power states */
for (i = 0; i < RADEON_MAX_VCE_LEVELS; i++) { for (i = 0; i < RADEON_MAX_VCE_LEVELS; i++) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment