From nobody Tue Feb 10 17:08:51 2026
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2779FC7EE22
	for <linux-kernel@archiver.kernel.org>; Thu, 11 May 2023 11:27:50 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237891AbjEKL1r (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Thu, 11 May 2023 07:27:47 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55322 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229609AbjEKL1p (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 11 May 2023 07:27:45 -0400
Received: from mail-out.aladdin-rd.ru (mail-out.aladdin-rd.ru [91.199.251.16])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 01797558D
        for <linux-kernel@vger.kernel.org>;
 Thu, 11 May 2023 04:27:40 -0700 (PDT)
From: Daniil Dulov <d.dulov@aladdin.ru>
To: Felix Kuehling <Felix.Kuehling@amd.com>
CC: Daniil Dulov <d.dulov@aladdin.ru>,
        Alex Deucher <alexander.deucher@amd.com>,
        =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>,
        David Airlie <airlied@linux.ie>,
        Daniel Vetter <daniel@ffwll.ch>, Oak Zeng <oak.zeng@intel.com>,
        <amd-gfx@lists.freedesktop.org>, <dri-devel@lists.freedesktop.org>,
        <linux-kernel@vger.kernel.org>,
        "# v5 . 3+" <stable@vger.kernel.org>,
        <lvc-project@linuxtesting.org>
Subject: [PATCH v2] drm/amdkfd: Fix potential deallocation of previously
 deallocated memory.
Date: Thu, 11 May 2023 04:23:14 -0700
Message-ID: <20230511112314.29322-1-d.dulov@aladdin.ru>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <ZD7W5aaslOXLg707@ashyti-mobl2.lan>
References: 
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [10.0.20.125]
X-ClientProxiedBy: EXCH-2016-02.aladdin.ru (192.168.1.102) To
 EXCH-2016-02.aladdin.ru (192.168.1.102)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
The function then returns non-zero value, which causes the second deallocat=
ion.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_=
mqd")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
---
v2: Move if (retval) inside previous if as Andi Shyti <andi.shyti@linux.int=
el.com> suggested.
 drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/=
drm/amd/amdkfd/kfd_mqd_manager_v9.c
index 3b6f5963180d..dadeb2013fd9 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
@@ -113,18 +113,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_de=
v *kfd,
 			&(mqd_mem_obj->gtt_mem),
 			&(mqd_mem_obj->gpu_addr),
 			(void *)&(mqd_mem_obj->cpu_ptr), true);
+
+		if (retval) {
+			kfree(mqd_mem_obj);
+			return NULL;
+		}
 	} else {
 		retval =3D kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
 				&mqd_mem_obj);
-	}
-
-	if (retval) {
-		kfree(mqd_mem_obj);
-		return NULL;
+		if (retval)
+			return NULL;
 	}
=20
 	return mqd_mem_obj;
-
 }
=20
 static void init_mqd(struct mqd_manager *mm, void **mqd,
--=20
2.25.1