From ea6d8811f18521a2188d1959f5fa2447e6bf5349 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 7 Oct 2019 12:02:06 +0300
Subject: drm/amd/powerplay: Fix error handling in smu_init_fb_allocations()
Git-commit: ea6d8811f18521a2188d1959f5fa2447e6bf5349
Patch-mainline: v5.5-rc1
References: bsc#1152489
The error handling is off by one. We should not free the first
"tables[i].bo" without decrementing "i" because that might result in a
double free. The second problem is that when an error occurs, then the
zeroth element "tables[0].bo" isn't freed.
I had make "i" signed int for the error handling to work, so I just
updated "ret" as well as a clean up.
Fixes: f96357a991b9 ("drm/amd/powerplay: implement smu_init(fini)_fb_allocations function")
Reviewed-by: Kevin Wang <kevin1.wang@amd.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/amd/powerplay/amdgpu_smu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/amd/powerplay/amdgpu_smu.c
+++ b/drivers/gpu/drm/amd/powerplay/amdgpu_smu.c
@@ -769,8 +769,7 @@ static int smu_init_fb_allocations(struc
struct smu_table_context *smu_table = &smu->smu_table;
struct smu_table *tables = smu_table->tables;
uint32_t table_count = smu_table->table_count;
- uint32_t i = 0;
- int32_t ret = 0;
+ int ret, i;
if (table_count <= 0)
return -EINVAL;
@@ -791,7 +790,7 @@ static int smu_init_fb_allocations(struc
return 0;
failed:
- for (; i > 0; i--) {
+ while (--i >= 0) {
if (tables[i].size == 0)
continue;
amdgpu_bo_free_kernel(&tables[i].bo,