<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 7/14/2022 9:13 PM, André Almeida
wrote:<br>
</div>
<blockquote type="cite" cite="mid:1106b107-6373-9f89-5310-ea29db9fdf75@igalia.com">
<pre class="moz-quote-pre" wrap="">Às 12:06 de 14/07/22, Sebin Sebastian escreveu:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On Tue, Jul 12, 2022 at 12:14:27PM -0300, André Almeida wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi Sebin,
Às 10:29 de 10/07/22, Sebin Sebastian escreveu:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Fix two coverity warning's double free and and an uninitialized pointer
read. Both tmp and new are pointing at same address and both are freed
which leads to double free. Freeing tmp in the condition after new is
assigned with new address fixes the double free issue. new is not
initialized to null which also leads to a free on an uninitialized
pointer.
Coverity issue: 1518665 (uninitialized pointer read)
1518679 (double free)
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
What are those numbers?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">These numbers are the issue ID's for the errors that are being reported
by the coverity static analyzer tool.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I see, but I don't know which tool was used, so those seem like random
number to me. I would just remove this part of your commit message, but
if you want to keep it, you need to at least mention what's the tool.
</pre>
</blockquote>
<p>new variable is not needed to initialize.</p>
<p>The only condition double free happens is:</p>
<p>tmp = new;<br>
if (sscanf(reg_offset, "%X %n", &tmp[i],
&ret) != 1) {<br>
ret = -EINVAL;<br>
goto error_free; <b> // if it hits
this</b><br>
}<i><br>
</i></p>
<p>and can be avoided like:<br>
</p>
error_free:<br>
- kfree(tmp);<br>
+ if (tmp != new)<br>
+ kfree(tmp);<br>
kfree(new);<br>
return ret;<br>
}<br>
<p><br>
</p>
<p>Regards,</p>
<p>S.Amarnath<br>
</p>
<blockquote type="cite" cite="mid:1106b107-6373-9f89-5310-ea29db9fdf75@igalia.com">
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Signed-off-by: Sebin Sebastian <a class="moz-txt-link-rfc2396E" href="mailto:mailmesebin00@gmail.com"><mailmesebin00@gmail.com></a>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
index f3b3c688e4e7..d82fe0e1b06b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
@@ -1660,7 +1660,7 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
{
struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
char reg_offset[11];
- uint32_t *new, *tmp = NULL;
+ uint32_t *new = NULL, *tmp = NULL;
int ret, i = 0, len = 0;
do {
@@ -1692,17 +1692,19 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
goto error_free;
}
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
If the `if (!new) {` above this line is true, will be tmp freed?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Yes, It doesn't seem to free tmp here. Should I free tmp immediately
after the do while loop and remove `kfree(tmp)` from the `if (ret)`
block? Thanks for pointing out the errors.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
If you free immediately after the while loop, then you would risk a use
after free here:
swap(adev->reset_dump_reg_list, tmp);
So this isn't the solution either.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> ret = down_write_killable(&adev->reset_domain->sem);
- if (ret)
+ if (ret) {
+ kfree(tmp);
goto error_free;
+ }
swap(adev->reset_dump_reg_list, tmp);
swap(adev->reset_dump_reg_value, new);
adev->num_regs = i;
up_write(&adev->reset_domain->sem);
+ kfree(tmp);
ret = size;
error_free:
- kfree(tmp);
kfree(new);
return ret;
}
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</body>
</html>