[igt-dev] [Intel-gfx] [PATCH i-g-t 3/3] tests/amdgpu/amdgpu_command_submission: fix uaf

Wed Jun 29 08:55:05 UTC 2022

Looks good to me.

Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun at intel.com>

On 6/28/22 4:13 PM, Matthew Auld wrote:
> ../lib/amdgpu/amd_command_submission.c: In function ‘amdgpu_command_submission_write_linear_helper’:
> ../lib/amdgpu/amd_command_submission.c:201:13: warning: pointer ‘ring_context’ used after ‘free’ [-Wuse-after-free]
>    201 |         r = amdgpu_cs_ctx_free(ring_context->context_handle);
>        |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../lib/amdgpu/amd_command_submission.c:199:9: note: call to ‘free’ here
>    199 |         free(ring_context);
>        |         ^~~~~~~~~~~~~~~~~~
> 
> Signed-off-by: Matthew Auld <matthew.auld at intel.com>
> Cc: Petri Latvala <petri.latvala at intel.com>
> ---
>   lib/amdgpu/amd_command_submission.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/amdgpu/amd_command_submission.c b/lib/amdgpu/amd_command_submission.c
> index 4dc4df95..16939653 100644
> --- a/lib/amdgpu/amd_command_submission.c
> +++ b/lib/amdgpu/amd_command_submission.c
> @@ -196,10 +196,10 @@ void amdgpu_command_submission_write_linear_helper(amdgpu_device_handle device,
>   	}
>   	/* clean resources */
>   	free(ring_context->pm4);
> -	free(ring_context);
>   	/* end of test */
>   	r = amdgpu_cs_ctx_free(ring_context->context_handle);
>   	igt_assert_eq(r, 0);
> +	free(ring_context);
>   }
>   
>   
> 