[Intel-gfx] [PATCH i-g-t 1/3] lib/igt_device_scan: fix dangling pointer

[Intel-gfx] [PATCH i-g-t 1/3] lib/igt_device_scan: fix dangling pointer

[Matthew Auld]

It looks like the linkto is out of scope:

../lib/igt_device_scan.c: In function ‘igt_device_add_attr’:
../lib/igt_device_scan.c:368:57: warning: dangling pointer ‘v’ to ‘linkto’ may be used [-Wdangling-pointer=]
  368 |         g_hash_table_insert(dev->attrs_ht, strdup(key), strdup(v));
      |                                                         ^~~~~~~~~
../lib/igt_device_scan.c:351:22: note: ‘linkto’ declared here
  351 |                 char linkto[PATH_MAX];

Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
 lib/igt_device_scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/igt_device_scan.c b/lib/igt_device_scan.c
index a1cee7a4..5d1d4258 100644
--- a/lib/igt_device_scan.c
+++ b/lib/igt_device_scan.c
@@ -338,6 +338,7 @@ static void igt_device_add_attr(struct igt_device *dev,
 				const char *key, const char *value)
 {
 	const char *v = value;
+	char linkto[PATH_MAX];
 
 	if (!key)
 		return;
@@ -348,7 +349,6 @@ static void igt_device_add_attr(struct igt_device *dev,
 	if (!v) {
 		struct stat st;
 		char path[PATH_MAX];
-		char linkto[PATH_MAX];
 		int len;
 
 		snprintf(path, sizeof(path), "%s/%s", dev->syspath, key);
-- 
2.36.1

[igt-dev] [PATCH i-g-t 1/3] lib/igt_device_scan: fix dangling pointer

[Matthew Auld]

It looks like the linkto is out of scope:

../lib/igt_device_scan.c: In function ‘igt_device_add_attr’:
../lib/igt_device_scan.c:368:57: warning: dangling pointer ‘v’ to ‘linkto’ may be used [-Wdangling-pointer=]
  368 |         g_hash_table_insert(dev->attrs_ht, strdup(key), strdup(v));
      |                                                         ^~~~~~~~~
../lib/igt_device_scan.c:351:22: note: ‘linkto’ declared here
  351 |                 char linkto[PATH_MAX];

Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
 lib/igt_device_scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/igt_device_scan.c b/lib/igt_device_scan.c
index a1cee7a4..5d1d4258 100644
--- a/lib/igt_device_scan.c
+++ b/lib/igt_device_scan.c
@@ -338,6 +338,7 @@ static void igt_device_add_attr(struct igt_device *dev,
 				const char *key, const char *value)
 {
 	const char *v = value;
+	char linkto[PATH_MAX];
 
 	if (!key)
 		return;
@@ -348,7 +349,6 @@ static void igt_device_add_attr(struct igt_device *dev,
 	if (!v) {
 		struct stat st;
 		char path[PATH_MAX];
-		char linkto[PATH_MAX];
 		int len;
 
 		snprintf(path, sizeof(path), "%s/%s", dev->syspath, key);
-- 
2.36.1

[Intel-gfx] [PATCH i-g-t 2/3] tests/kms_cursor_crc: fix truncated warning

[Matthew Auld]

Looks reasonable to just increase the size of 'name' to avoid the
potential truncation:

../tests/kms_cursor_crc.c: In function ‘run_size_tests.constprop’:
../tests/kms_cursor_crc.c:699:50: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size between 4 and 14 [-Wformat-truncation=]
  699 |                 snprintf(name, sizeof(name), "%dx%d", w, h);
      |                                                  ^~
../tests/kms_cursor_crc.c:699:46: note: directive argument in the range [-2147483648, 1024]
  699 |                 snprintf(name, sizeof(name), "%dx%d", w, h);
      |                                              ^~~~~~~
In file included from /usr/include/stdio.h:894,
                 from ../lib/igt_core.h:38,
                 from ../lib/drmtest.h:39,
                 from ../lib/igt.h:27,
                 from ../tests/kms_cursor_crc.c:25:
In function ‘snprintf’,
    inlined from ‘run_size_tests.constprop’ at ../tests/kms_cursor_crc.c:699:3:
/usr/include/bits/stdio2.h:71:10: note: ‘__builtin___snprintf_chk’ output between 4 and 24 bytes into a destination of size 16
   71 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   72 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   73 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~

Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
 tests/kms_cursor_crc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/kms_cursor_crc.c b/tests/kms_cursor_crc.c
index 513c9715..131fdb0a 100644
--- a/tests/kms_cursor_crc.c
+++ b/tests/kms_cursor_crc.c
@@ -691,7 +691,7 @@ static void test_rapid_movement(data_t *data)
 static void run_size_tests(data_t *data, enum pipe pipe,
 			   int w, int h)
 {
-	char name[16];
+	char name[32];
 
 	if (w == 0 && h == 0)
 		strcpy(name, "max-size");
-- 
2.36.1

[igt-dev] [PATCH i-g-t 2/3] tests/kms_cursor_crc: fix truncated warning

[Matthew Auld]

Looks reasonable to just increase the size of 'name' to avoid the
potential truncation:

../tests/kms_cursor_crc.c: In function ‘run_size_tests.constprop’:
../tests/kms_cursor_crc.c:699:50: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size between 4 and 14 [-Wformat-truncation=]
  699 |                 snprintf(name, sizeof(name), "%dx%d", w, h);
      |                                                  ^~
../tests/kms_cursor_crc.c:699:46: note: directive argument in the range [-2147483648, 1024]
  699 |                 snprintf(name, sizeof(name), "%dx%d", w, h);
      |                                              ^~~~~~~
In file included from /usr/include/stdio.h:894,
                 from ../lib/igt_core.h:38,
                 from ../lib/drmtest.h:39,
                 from ../lib/igt.h:27,
                 from ../tests/kms_cursor_crc.c:25:
In function ‘snprintf’,
    inlined from ‘run_size_tests.constprop’ at ../tests/kms_cursor_crc.c:699:3:
/usr/include/bits/stdio2.h:71:10: note: ‘__builtin___snprintf_chk’ output between 4 and 24 bytes into a destination of size 16
   71 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   72 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   73 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~

Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
 tests/kms_cursor_crc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/kms_cursor_crc.c b/tests/kms_cursor_crc.c
index 513c9715..131fdb0a 100644
--- a/tests/kms_cursor_crc.c
+++ b/tests/kms_cursor_crc.c
@@ -691,7 +691,7 @@ static void test_rapid_movement(data_t *data)
 static void run_size_tests(data_t *data, enum pipe pipe,
 			   int w, int h)
 {
-	char name[16];
+	char name[32];
 
 	if (w == 0 && h == 0)
 		strcpy(name, "max-size");
-- 
2.36.1

[Intel-gfx] [PATCH i-g-t 3/3] tests/amdgpu/amdgpu_command_submission: fix uaf

[Matthew Auld]

../lib/amdgpu/amd_command_submission.c: In function ‘amdgpu_command_submission_write_linear_helper’:
../lib/amdgpu/amd_command_submission.c:201:13: warning: pointer ‘ring_context’ used after ‘free’ [-Wuse-after-free]
  201 |         r = amdgpu_cs_ctx_free(ring_context->context_handle);
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/amdgpu/amd_command_submission.c:199:9: note: call to ‘free’ here
  199 |         free(ring_context);
      |         ^~~~~~~~~~~~~~~~~~

Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
 lib/amdgpu/amd_command_submission.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/amdgpu/amd_command_submission.c b/lib/amdgpu/amd_command_submission.c
index 4dc4df95..16939653 100644
--- a/lib/amdgpu/amd_command_submission.c
+++ b/lib/amdgpu/amd_command_submission.c
@@ -196,10 +196,10 @@ void amdgpu_command_submission_write_linear_helper(amdgpu_device_handle device,
 	}
 	/* clean resources */
 	free(ring_context->pm4);
-	free(ring_context);
 	/* end of test */
 	r = amdgpu_cs_ctx_free(ring_context->context_handle);
 	igt_assert_eq(r, 0);
+	free(ring_context);
 }
 
 
-- 
2.36.1

[igt-dev] [PATCH i-g-t 3/3] tests/amdgpu/amdgpu_command_submission: fix uaf

[Matthew Auld]

../lib/amdgpu/amd_command_submission.c: In function ‘amdgpu_command_submission_write_linear_helper’:
../lib/amdgpu/amd_command_submission.c:201:13: warning: pointer ‘ring_context’ used after ‘free’ [-Wuse-after-free]
  201 |         r = amdgpu_cs_ctx_free(ring_context->context_handle);
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/amdgpu/amd_command_submission.c:199:9: note: call to ‘free’ here
  199 |         free(ring_context);
      |         ^~~~~~~~~~~~~~~~~~

Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Petri Latvala <petri.latvala@intel.com>
---
 lib/amdgpu/amd_command_submission.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/amdgpu/amd_command_submission.c b/lib/amdgpu/amd_command_submission.c
index 4dc4df95..16939653 100644
--- a/lib/amdgpu/amd_command_submission.c
+++ b/lib/amdgpu/amd_command_submission.c
@@ -196,10 +196,10 @@ void amdgpu_command_submission_write_linear_helper(amdgpu_device_handle device,
 	}
 	/* clean resources */
 	free(ring_context->pm4);
-	free(ring_context);
 	/* end of test */
 	r = amdgpu_cs_ctx_free(ring_context->context_handle);
 	igt_assert_eq(r, 0);
+	free(ring_context);
 }
 
 
-- 
2.36.1

[igt-dev] ✗ Fi.CI.BUILD: failure for series starting with [i-g-t,1/3] lib/igt_device_scan: fix dangling pointer

[Patchwork]

== Series Details ==

Series: series starting with [i-g-t,1/3] lib/igt_device_scan: fix dangling pointer
URL   : https://patchwork.freedesktop.org/series/105728/
State : failure

== Summary ==

Applying: lib/igt_device_scan: fix dangling pointer
Applying: tests/kms_cursor_crc: fix truncated warning
Using index info to reconstruct a base tree...
M	tests/kms_cursor_crc.c
Falling back to patching base and 3-way merge...
Auto-merging tests/kms_cursor_crc.c
CONFLICT (content): Merge conflict in tests/kms_cursor_crc.c
Patch failed at 0002 tests/kms_cursor_crc: fix truncated warning
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Re: [Intel-gfx] [PATCH i-g-t 3/3] tests/amdgpu/amdgpu_command_submission: fix uaf

[Gwan-gyeong Mun]

Looks good to me.

Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>


On 6/28/22 4:13 PM, Matthew Auld wrote:
> ../lib/amdgpu/amd_command_submission.c: In function ‘amdgpu_command_submission_write_linear_helper’:
> ../lib/amdgpu/amd_command_submission.c:201:13: warning: pointer ‘ring_context’ used after ‘free’ [-Wuse-after-free]
>    201 |         r = amdgpu_cs_ctx_free(ring_context->context_handle);
>        |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../lib/amdgpu/amd_command_submission.c:199:9: note: call to ‘free’ here
>    199 |         free(ring_context);
>        |         ^~~~~~~~~~~~~~~~~~
> 
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Petri Latvala <petri.latvala@intel.com>
> ---
>   lib/amdgpu/amd_command_submission.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/amdgpu/amd_command_submission.c b/lib/amdgpu/amd_command_submission.c
> index 4dc4df95..16939653 100644
> --- a/lib/amdgpu/amd_command_submission.c
> +++ b/lib/amdgpu/amd_command_submission.c
> @@ -196,10 +196,10 @@ void amdgpu_command_submission_write_linear_helper(amdgpu_device_handle device,
>   	}
>   	/* clean resources */
>   	free(ring_context->pm4);
> -	free(ring_context);
>   	/* end of test */
>   	r = amdgpu_cs_ctx_free(ring_context->context_handle);
>   	igt_assert_eq(r, 0);
> +	free(ring_context);
>   }
>   
>   
> 

Re: [igt-dev] [Intel-gfx] [PATCH i-g-t 3/3] tests/amdgpu/amdgpu_command_submission: fix uaf

[Gwan-gyeong Mun]

Looks good to me.

Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>


On 6/28/22 4:13 PM, Matthew Auld wrote:
> ../lib/amdgpu/amd_command_submission.c: In function ‘amdgpu_command_submission_write_linear_helper’:
> ../lib/amdgpu/amd_command_submission.c:201:13: warning: pointer ‘ring_context’ used after ‘free’ [-Wuse-after-free]
>    201 |         r = amdgpu_cs_ctx_free(ring_context->context_handle);
>        |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../lib/amdgpu/amd_command_submission.c:199:9: note: call to ‘free’ here
>    199 |         free(ring_context);
>        |         ^~~~~~~~~~~~~~~~~~
> 
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Petri Latvala <petri.latvala@intel.com>
> ---
>   lib/amdgpu/amd_command_submission.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/amdgpu/amd_command_submission.c b/lib/amdgpu/amd_command_submission.c
> index 4dc4df95..16939653 100644
> --- a/lib/amdgpu/amd_command_submission.c
> +++ b/lib/amdgpu/amd_command_submission.c
> @@ -196,10 +196,10 @@ void amdgpu_command_submission_write_linear_helper(amdgpu_device_handle device,
>   	}
>   	/* clean resources */
>   	free(ring_context->pm4);
> -	free(ring_context);
>   	/* end of test */
>   	r = amdgpu_cs_ctx_free(ring_context->context_handle);
>   	igt_assert_eq(r, 0);
> +	free(ring_context);
>   }
>   
>   
>