drm/amdkfd: Fix potential deallocation of previously deallocated memory.

[ Upstream commit cabbdea1f1861098991768d7bbf5a49ed1608213 ]

Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
The function then returns non-zero value, which causes the second deallocation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
index 0778e587a2d683011284c95d74f2c2e42655013d..eaf084acb706f760768c422a3695d870751eb4f9 100644 (file)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
@@ -115,18 +115,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
                        &(mqd_mem_obj->gtt_mem),
                        &(mqd_mem_obj->gpu_addr),
                        (void *)&(mqd_mem_obj->cpu_ptr), true);
+
+               if (retval) {
+                       kfree(mqd_mem_obj);
+                       return NULL;
+               }
        } else {
                retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
                                &mqd_mem_obj);
-       }
-
-       if (retval) {
-               kfree(mqd_mem_obj);
-               return NULL;
+               if (retval)
+                       return NULL;
        }
 
        return mqd_mem_obj;
-
 }
 
 static void init_mqd(struct mqd_manager *mm, void **mqd,