[PATCH] perf/x86/uncore: fix a potential double-free in uncore_type

linux-perf-users.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] perf/x86/uncore: fix a potential double-free in uncore_type_init
@ 2023-12-05  3:27 Dinghao Liu
  2023-12-05  8:12 ` Zhenyu Wang
  2023-12-11 10:40 ` Adrian Hunter
  0 siblings, 2 replies; 4+ messages in thread
From: Dinghao Liu @ 2023-12-05  3:27 UTC (permalink / raw)
  To: dinghao.liu
  Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
	Ian Rogers, Adrian Hunter, Thomas Gleixner, Borislav Petkov,
	Dave Hansen, x86, H. Peter Anvin, Colin Ian King,
	linux-perf-users, linux-kernel

When kzalloc for pmus[i].boxes fails, we should clean up pmus
to prevent memleak. However, when kzalloc for attr_group fails,
pmus has been assigned to type->pmus, and freeing will be done
later on by the callers. The chain is: uncore_type_init ->
uncore_types_init -> uncore_pci_init -> uncore_types_exit ->
uncore_type_exit. Therefore, freeing pmus in uncore_type_init
may cause a double-free. Fix this by setting type->pmus to
NULL after kfree.

Fixes: 629eb703d3e4 ("perf/x86/intel/uncore: Fix memory leaks on allocation failures")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---
 arch/x86/events/intel/uncore.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
index 01023aa5125b..d80445a24011 100644
--- a/arch/x86/events/intel/uncore.c
+++ b/arch/x86/events/intel/uncore.c
@@ -1041,6 +1041,7 @@ static int __init uncore_type_init(struct intel_uncore_type *type, bool setid)
 	for (i = 0; i < type->num_boxes; i++)
 		kfree(pmus[i].boxes);
 	kfree(pmus);
+	type->pmus = NULL;
 
 	return -ENOMEM;
 }
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] perf/x86/uncore: fix a potential double-free in uncore_type_init
  2023-12-05  3:27 [PATCH] perf/x86/uncore: fix a potential double-free in uncore_type_init Dinghao Liu
@ 2023-12-05  8:12 ` Zhenyu Wang
  2023-12-05  8:44   ` dinghao.liu
  2023-12-11 10:40 ` Adrian Hunter
  1 sibling, 1 reply; 4+ messages in thread
From: Zhenyu Wang @ 2023-12-05  8:12 UTC (permalink / raw)
  To: Dinghao Liu
  Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
	Ian Rogers, Adrian Hunter, Thomas Gleixner, Borislav Petkov,
	Dave Hansen, x86, H. Peter Anvin, Colin Ian King,
	linux-perf-users, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1393 bytes --]

On 2023.12.05 11:27:09 +0800, Dinghao Liu wrote:
> When kzalloc for pmus[i].boxes fails, we should clean up pmus
> to prevent memleak. However, when kzalloc for attr_group fails,
> pmus has been assigned to type->pmus, and freeing will be done
> later on by the callers. The chain is: uncore_type_init ->
> uncore_types_init -> uncore_pci_init -> uncore_types_exit ->
> uncore_type_exit. Therefore, freeing pmus in uncore_type_init
> may cause a double-free. Fix this by setting type->pmus to
> NULL after kfree.

Change is ok but the call trace you wrote here is reversed or malformed??
With that fixed or cleared.

Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>

> 
> Fixes: 629eb703d3e4 ("perf/x86/intel/uncore: Fix memory leaks on allocation failures")
> Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
> ---
>  arch/x86/events/intel/uncore.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
> index 01023aa5125b..d80445a24011 100644
> --- a/arch/x86/events/intel/uncore.c
> +++ b/arch/x86/events/intel/uncore.c
> @@ -1041,6 +1041,7 @@ static int __init uncore_type_init(struct intel_uncore_type *type, bool setid)
>  	for (i = 0; i < type->num_boxes; i++)
>  		kfree(pmus[i].boxes);
>  	kfree(pmus);
> +	type->pmus = NULL;
>  
>  	return -ENOMEM;
>  }
> -- 
> 2.17.1
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] perf/x86/uncore: fix a potential double-free in uncore_type_init
  2023-12-05  8:12 ` Zhenyu Wang
@ 2023-12-05  8:44   ` dinghao.liu
  0 siblings, 0 replies; 4+ messages in thread
From: dinghao.liu @ 2023-12-05  8:44 UTC (permalink / raw)
  To: Zhenyu Wang
  Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
	Ian Rogers, Adrian Hunter, Thomas Gleixner, Borislav Petkov,
	Dave Hansen, x86, H. Peter Anvin, Colin Ian King,
	linux-perf-users, linux-kernel

> On 2023.12.05 11:27:09 +0800, Dinghao Liu wrote:
> > When kzalloc for pmus[i].boxes fails, we should clean up pmus
> > to prevent memleak. However, when kzalloc for attr_group fails,
> > pmus has been assigned to type->pmus, and freeing will be done
> > later on by the callers. The chain is: uncore_type_init ->
> > uncore_types_init -> uncore_pci_init -> uncore_types_exit ->
> > uncore_type_exit. Therefore, freeing pmus in uncore_type_init
> > may cause a double-free. Fix this by setting type->pmus to
> > NULL after kfree.
> 
> Change is ok but the call trace you wrote here is reversed or malformed??
> With that fixed or cleared.
> 

Thanks for your advice. I will fix it and resend a new patch soon.

Regards,
Dinghao

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] perf/x86/uncore: fix a potential double-free in uncore_type_init
  2023-12-05  3:27 [PATCH] perf/x86/uncore: fix a potential double-free in uncore_type_init Dinghao Liu
  2023-12-05  8:12 ` Zhenyu Wang
@ 2023-12-11 10:40 ` Adrian Hunter
  1 sibling, 0 replies; 4+ messages in thread
From: Adrian Hunter @ 2023-12-11 10:40 UTC (permalink / raw)
  To: Dinghao Liu
  Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
	Ian Rogers, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86,
	H. Peter Anvin, Colin Ian King, linux-perf-users, linux-kernel

On 5/12/23 05:27, Dinghao Liu wrote:
> When kzalloc for pmus[i].boxes fails, we should clean up pmus
> to prevent memleak. However, when kzalloc for attr_group fails,
> pmus has been assigned to type->pmus, and freeing will be done
> later on by the callers. The chain is: uncore_type_init ->
> uncore_types_init -> uncore_pci_init -> uncore_types_exit ->
> uncore_type_exit. Therefore, freeing pmus in uncore_type_init
> may cause a double-free. Fix this by setting type->pmus to
> NULL after kfree.
> 
> Fixes: 629eb703d3e4 ("perf/x86/intel/uncore: Fix memory leaks on allocation failures")
> Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>

Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>

> ---
>  arch/x86/events/intel/uncore.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
> index 01023aa5125b..d80445a24011 100644
> --- a/arch/x86/events/intel/uncore.c
> +++ b/arch/x86/events/intel/uncore.c
> @@ -1041,6 +1041,7 @@ static int __init uncore_type_init(struct intel_uncore_type *type, bool setid)
>  	for (i = 0; i < type->num_boxes; i++)
>  		kfree(pmus[i].boxes);
>  	kfree(pmus);
> +	type->pmus = NULL;
>  
>  	return -ENOMEM;
>  }


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-12-11 10:40 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-12-05  3:27 [PATCH] perf/x86/uncore: fix a potential double-free in uncore_type_init Dinghao Liu
2023-12-05  8:12 ` Zhenyu Wang
2023-12-05  8:44   ` dinghao.liu
2023-12-11 10:40 ` Adrian Hunter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).