From: Schspa Shi <schspa@gmail.com>
To: viresh.kumar@linaro.org
Cc: linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org,
rafael@kernel.org, schspa@gmail.com
Subject: [PATCH v2] cpufreq: fix race on cpufreq online
Date: Tue, 10 May 2022 23:28:11 +0800 [thread overview]
Message-ID: <20220510152811.88071-1-schspa@gmail.com> (raw)
In-Reply-To: <20220510035259.5ep52sgahd2a6rie@vireshk-i7>
When cpufreq online failed, policy->cpus are not empty while
cpufreq sysfs file available, we may access some data freed.
Take policy->clk as an example:
static int cpufreq_online(unsigned int cpu)
{
...
// policy->cpus != 0 at this time
down_write(&policy->rwsem);
ret = cpufreq_add_dev_interface(policy);
up_write(&policy->rwsem);
down_write(&policy->rwsem);
...
/* cpufreq nitialization fails in some cases */
if (cpufreq_driver->get && has_target()) {
policy->cur = cpufreq_driver->get(policy->cpu);
if (!policy->cur) {
ret = -EIO;
pr_err("%s: ->get() failed\n", __func__);
goto out_destroy_policy;
}
}
...
up_write(&policy->rwsem);
...
return 0;
out_destroy_policy:
for_each_cpu(j, policy->real_cpus)
remove_cpu_dev_symlink(policy, get_cpu_device(j));
up_write(&policy->rwsem);
...
out_exit_policy:
if (cpufreq_driver->exit)
cpufreq_driver->exit(policy);
clk_put(policy->clk);
// policy->clk is a wild pointer
...
^
|
Another process access
__cpufreq_get
cpufreq_verify_current_freq
cpufreq_generic_get
// acces wild pointer of policy->clk;
|
|
out_offline_policy: |
cpufreq_policy_free(policy); |
// deleted here, and will wait for no body reference
cpufreq_policy_put_kobj(policy);
}
We can fix it by clear the policy->cpus mask.
Both show_scaling_cur_freq and show_cpuinfo_cur_freq will return an
error by checking this mask, thus avoiding UAF.
Signed-off-by: Schspa Shi <schspa@gmail.com>
---
Changelog:
v1 -> v2:
- Fix bad critical region enlarge which causes uninitialized
unlock.
---
drivers/cpufreq/cpufreq.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index 80f535cc8a75..8edfa840dd74 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1337,12 +1337,12 @@ static int cpufreq_online(unsigned int cpu)
down_write(&policy->rwsem);
policy->cpu = cpu;
policy->governor = NULL;
- up_write(&policy->rwsem);
} else {
new_policy = true;
policy = cpufreq_policy_alloc(cpu);
if (!policy)
return -ENOMEM;
+ down_write(&policy->rwsem);
}
if (!new_policy && cpufreq_driver->online) {
@@ -1533,7 +1533,7 @@ static int cpufreq_online(unsigned int cpu)
for_each_cpu(j, policy->real_cpus)
remove_cpu_dev_symlink(policy, get_cpu_device(j));
- up_write(&policy->rwsem);
+ cpumask_clear(policy->cpus);
out_offline_policy:
if (cpufreq_driver->offline)
@@ -1542,6 +1542,7 @@ static int cpufreq_online(unsigned int cpu)
out_exit_policy:
if (cpufreq_driver->exit)
cpufreq_driver->exit(policy);
+ up_write(&policy->rwsem);
out_free_policy:
cpufreq_policy_free(policy);
--
2.24.3 (Apple Git-128)
next prev parent reply other threads:[~2022-05-10 15:30 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 19:15 [PATCH] cpufreq: fix race on cpufreq online Schspa Shi
2022-04-22 14:38 ` Rafael J. Wysocki
2022-04-22 15:10 ` Schspa Shi
2022-04-22 15:59 ` Rafael J. Wysocki
2022-05-09 3:57 ` Viresh Kumar
2022-05-09 15:06 ` Schspa Shi
2022-05-10 3:52 ` Viresh Kumar
2022-05-10 15:28 ` Schspa Shi [this message]
2022-05-10 15:34 ` [PATCH v2] " Rafael J. Wysocki
2022-05-10 15:43 ` Schspa Shi
2022-05-10 15:42 ` [PATCH v3] " Schspa Shi
2022-05-11 4:35 ` Viresh Kumar
2022-05-11 8:10 ` Schspa Shi
2022-05-11 12:21 ` Viresh Kumar
2022-05-11 12:59 ` Rafael J. Wysocki
2022-05-11 13:19 ` Rafael J. Wysocki
2022-05-11 13:42 ` Rafael J. Wysocki
2022-05-11 13:42 ` Schspa Shi
2022-05-11 13:50 ` Rafael J. Wysocki
2022-05-12 6:56 ` Viresh Kumar
2022-05-12 10:49 ` Rafael J. Wysocki
2022-05-13 4:27 ` Viresh Kumar
2022-05-24 11:14 ` Viresh Kumar
2022-05-24 11:22 ` Rafael J. Wysocki
2022-05-24 11:29 ` Viresh Kumar
2022-05-24 11:48 ` Rafael J. Wysocki
2022-05-24 11:53 ` Rafael J. Wysocki
2022-05-25 5:32 ` Viresh Kumar
2022-05-12 5:56 ` Viresh Kumar
2022-05-11 13:12 ` Schspa Shi
2022-05-11 14:15 ` Rafael J. Wysocki
2022-05-12 5:51 ` Schspa Shi
2022-05-12 10:37 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220510152811.88071-1-schspa@gmail.com \
--to=schspa@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=viresh.kumar@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox