Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cacc0506 authored by Daniil Dulov's avatar Daniil Dulov Committed by Greg Kroah-Hartman
Browse files

drm/amdkfd: Fix potential deallocation of previously deallocated memory. 



[ Upstream commit cabbdea1f1861098991768d7bbf5a49ed1608213 ]

Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
The function then returns non-zero value, which causes the second deallocation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d1f8f0d1 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
Signed-off-by: default avatarDaniil Dulov <d.dulov@aladdin.ru>
Signed-off-by: default avatarFelix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: default avatarFelix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 9e3858f8

drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c

+7 −6
Original line number Diff line number Diff line
@@ -101,18 +101,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, 
			&(mqd_mem_obj->gtt_mem),

			&(mqd_mem_obj->gpu_addr),

			(void *)&(mqd_mem_obj->cpu_ptr), true);

	} else {

		retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),

				&mqd_mem_obj);

	}



		if (retval) {

			kfree(mqd_mem_obj);

			return NULL;

		}

	} else {

		retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),

				&mqd_mem_obj);

		if (retval)

			return NULL;

	}



	return mqd_mem_obj;



}



static void init_mqd(struct mqd_manager *mm, void **mqd,