[Public] > -----Original Message----- > From: amd-gfx <amd-gfx-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Alex > Deucher > Sent: Friday, July 28, 2023 11:23 PM > To: amd-gfx@xxxxxxxxxxxxxxxxxxxxx > Cc: Deucher, Alexander <Alexander.Deucher@xxxxxxx> > Subject: [PATCH] drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() > > Since the gang_size check is outside of chunk parsing loop, we need to reset i > before we free the chunk data. > > Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx> Reviewed-by: Guchun Chen <guchun.chen@xxxxxxx> Regards, Guchun > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c > b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c > index 040f4cb6ab2d0..fb78a8f475879 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c > @@ -295,7 +295,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser > *p, > > if (!p->gang_size) { > ret = -EINVAL; > - goto free_partial_kdata; > + goto free_all_kdata; > } > > for (i = 0; i < p->gang_size; ++i) { > -- > 2.41.0
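Review bot: The commit message says i must be reset before the chunk data is freed, but in the `if (!p->gang_size)` branch the only change is the jump target, from free_partial_kdata to free_all_kdata, and no line in the hunk assigns i. The message should name the free_all_kdata label and say that it is what performs the reset, and also say what i holds when the gang_size check is reached after the chunk parsing loop. The label body lies outside the visible context, so a reader of this patch alone cannot confirm the fix from the diff. Because the subject describes a possible UAF, a Fixes: tag pointing at the commit that placed the gang_size check outside the chunk parsing loop would help stable backports; the message as posted carries only the Signed-off-by.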