Hi Mario,
Thank you for your patches.
On 2/17/24 02:22, Mario Limonciello wrote:
> amd_pmf_init_smart_pc() calls out to amd_pmf_get_bios_buffer() but
> the error handling flow doesn't clean everything up all allocated
> memory.
>
> As amd_pmf_get_bios_buffer() is only called by amd_pmf_init_smart_pc(),
> fold it into the function and add labels to clean up any step that
> can fail along the way.
>
> Fixes: 7c45534afa44 ("platform/x86/amd/pmf: Add support for PMF Policy Binary")
> Signed-off-by: Mario Limonciello <mario.limonciello@xxxxxxx>
> ---
> drivers/platform/x86/amd/pmf/tee-if.c | 67 ++++++++++++++++++---------
> 1 file changed, 44 insertions(+), 23 deletions(-)
>
> diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c
> index 1359ab340f7c..feb9dfafea30 100644
> --- a/drivers/platform/x86/amd/pmf/tee-if.c
> +++ b/drivers/platform/x86/amd/pmf/tee-if.c
> @@ -338,25 +338,6 @@ static void amd_pmf_remove_pb(struct amd_pmf_dev *dev) {}
> static void amd_pmf_hex_dump_pb(struct amd_pmf_dev *dev) {}
> #endif
>
> -static int amd_pmf_get_bios_buffer(struct amd_pmf_dev *dev)
> -{
> - dev->policy_buf = kzalloc(dev->policy_sz, GFP_KERNEL);
> - if (!dev->policy_buf)
> - return -ENOMEM;
> -
> - dev->policy_base = devm_ioremap(dev->dev, dev->policy_addr, dev->policy_sz);
> - if (!dev->policy_base)
> - return -ENOMEM;
> -
> - memcpy(dev->policy_buf, dev->policy_base, dev->policy_sz);
> -
> - amd_pmf_hex_dump_pb(dev);
> - if (pb_side_load)
> - amd_pmf_open_pb(dev, dev->dbgfs_dir);
> -
> - return amd_pmf_start_policy_engine(dev);
> -}
> -
> static int amd_pmf_amdtee_ta_match(struct tee_ioctl_version_data *ver, const void *data)
> {
> return ver->impl_id == TEE_IMPL_ID_AMDTEE;
> @@ -454,14 +435,54 @@ int amd_pmf_init_smart_pc(struct amd_pmf_dev *dev)
> if (ret)
> return ret;
>
> + ret = amd_pmf_set_dram_addr(dev, true);
> + if (ret)
> + goto out_dram;
> +
> + dev->policy_base = devm_ioremap(dev->dev, dev->policy_addr, dev->policy_sz);
> + if (!dev->policy_base) {
> + ret = -ENOMEM;
> + goto out_policy_base;
> + }
> +
> + dev->policy_buf = kzalloc(dev->policy_sz, GFP_KERNEL);
> + if (!dev->policy_buf) {
> + ret = -ENOMEM;
> + goto out_policy_buf;
> + }
> +
> + memcpy(dev->policy_buf, dev->policy_base, dev->policy_sz);
> +
> + amd_pmf_hex_dump_pb(dev);
> + if (pb_side_load)
> + amd_pmf_open_pb(dev, dev->dbgfs_dir);
> +
> INIT_DELAYED_WORK(&dev->pb_work, amd_pmf_invoke_cmd);
> - amd_pmf_set_dram_addr(dev, true);
> - amd_pmf_get_bios_buffer(dev);
> +
> + ret = amd_pmf_start_policy_engine(dev);
> + if (ret)
> + goto out_start_engine;
> +
> dev->prev_data = kzalloc(sizeof(*dev->prev_data), GFP_KERNEL);
> if (!dev->prev_data)
I just checked and dev->prev_data gets used by dev->pb_work
which gets queued by amd_pmf_start_policy_engine() so there
is a (pre-existing) race here and dev->prev_data should be allocated
before amd_pmf_start_policy_engine().
Note kfree(NULL) is a no-op as is cancel_delayed_work_sync()
on a non-queued work.
So I think you can just use a single error_exit: label
(or any other label-name you like) and do:
error_exit:
cancel_delayed_work_sync(&dev->pb_work);
kfree(dev->prev_data);
dev->prev_data = NULL;
kfree(dev->policy_buf);
dev->policy_buf = NULL;
kfree(dev->buf);
dev->buf = NULL;
amd_pmf_tee_deinit(dev);
return ret;
There as long as you do the INIT_DELAYED_WORK() before
any of the code which may fail with a goto error_exit.
Note I also added clearing of the pointers after freeing
them, at least for dev->buf this is important because
that also gets used in non smart-pc paths and those
count on it either being NULL or a valid pointer.
Regards,
Hans
> - return -ENOMEM;
> + goto out_prev_data;
> +
> + return 0;
>
> - return dev->smart_pc_enabled;
> +out_prev_data:
> + cancel_delayed_work_sync(&dev->pb_work);
> +
> +out_start_engine:
> + kfree(dev->policy_buf);
> +
> +out_policy_buf:
> +out_policy_base:
> + kfree(dev->buf);
> +
> +out_dram:
> + amd_pmf_tee_deinit(dev);
> +
> + return ret;
> }
>
> void amd_pmf_deinit_smart_pc(struct amd_pmf_dev *dev)
