From 5d10e581be44da970885e4459d21dd7455ffad43 Mon Sep 17 00:00:00 2001 From: Zhipeng Lu Date: Wed, 22 May 2024 07:27:35 +0000 Subject: [PATCH] drm/amd/pm: fix a double-free in si_dpm_init stable inclusion from stable-v4.19.314 commit afe9f5b871f86d58ecdc45b217b662227d7890d0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9IJ CVE: CVE-2023-52691 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.19.y&id=afe9f5b871f86d58ecdc45b217b662227d7890d0 -------------------------------- [ Upstream commit ac16667237a82e2597e329eb9bc520d1cf9dff30 ] When the allocation of adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails, amdgpu_free_extended_power_table is called to free some fields of adev. However, when the control flow returns to si_dpm_sw_init, it goes to label dpm_failed and calls si_dpm_fini, which calls amdgpu_free_extended_power_table again and free those fields again. Thus a double-free is triggered. Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") Signed-off-by: Zhipeng Lu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin Signed-off-by: Xia Fukun --- drivers/gpu/drm/amd/amdgpu/si_dpm.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c index 1de96995e690..7c724d3de111 100644 --- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c +++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c @@ -7348,10 +7348,9 @@ static int si_dpm_init(struct amdgpu_device *adev) kcalloc(4, sizeof(struct amdgpu_clock_voltage_dependency_entry), GFP_KERNEL); - if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) { - amdgpu_free_extended_power_table(adev); + if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) return -ENOMEM; - } + adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.count = 4; adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].clk = 0; adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].v = 0; -- Gitee