James Morse
3cb9595e23
cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
...
[ Upstream commit cdef1196608892b9a46caa5f2b64095a7f0be60c ]
Since commit e5c6b312ce3c ("cpufreq: schedutil: Use kobject release()
method to free sugov_tunables") kobject_put() has kfree()d the
attr_set before gov_attr_set_put() returns.
kobject_put() isn't the last user of attr_set in gov_attr_set_put(),
the subsequent mutex_destroy() triggers a use-after-free:
| BUG: KASAN: use-after-free in mutex_is_locked+0x20/0x60
| Read of size 8 at addr ffff000800ca4250 by task cpuhp/2/20
|
| CPU: 2 PID: 20 Comm: cpuhp/2 Not tainted 5.15.0-rc1 #12369
| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development
| Platform, BIOS EDK II Jul 30 2018
| Call trace:
| dump_backtrace+0x0/0x380
| show_stack+0x1c/0x30
| dump_stack_lvl+0x8c/0xb8
| print_address_description.constprop.0+0x74/0x2b8
| kasan_report+0x1f4/0x210
| kasan_check_range+0xfc/0x1a4
| __kasan_check_read+0x38/0x60
| mutex_is_locked+0x20/0x60
| mutex_destroy+0x80/0x100
| gov_attr_set_put+0xfc/0x150
| sugov_exit+0x78/0x190
| cpufreq_offline.isra.0+0x2c0/0x660
| cpuhp_cpufreq_offline+0x14/0x24
| cpuhp_invoke_callback+0x430/0x6d0
| cpuhp_thread_fun+0x1b0/0x624
| smpboot_thread_fn+0x5e0/0xa6c
| kthread+0x3a0/0x450
| ret_from_fork+0x10/0x20
Swap the order of the calls.
Fixes: e5c6b312ce3c ("cpufreq: schedutil: Use kobject release() method to free sugov_tunables")
Cc: 4.7+ <stable@vger.kernel.org> # 4.7+
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-06 15:31:21 +02:00
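The ordering problem described in the commit message above, as an added userspace model in C (not the kernel's code and not the patch itself). A `freed` flag stands in for kfree() and KASAN's shadow state; the struct layout and every `model_*` name are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model; not kernel code. */
struct kobject { int refcount; void (*release)(struct kobject *); };
struct attr_set {
    struct kobject kobj;  /* first member, so a kobject* maps back to the set */
    bool mutex_live;      /* stands in for the mutex inside attr_set */
    bool freed;           /* stands in for kfree() plus KASAN shadow state */
};

static int uaf_reports;   /* accesses made to an already-freed attr_set */

static void model_release(struct kobject *kobj)
{
    ((struct attr_set *)kobj)->freed = true;  /* poison instead of freeing */
}

static void model_kobject_put(struct kobject *kobj)
{
    if (--kobj->refcount == 0)
        kobj->release(kobj);  /* last reference: release() frees the set */
}

static void model_mutex_destroy(struct attr_set *set)
{
    if (set->freed) { uaf_reports++; return; }  /* the access KASAN flagged */
    set->mutex_live = false;
}

/* fixed == false: kobject_put() then mutex_destroy(), the order that faulted.
 * fixed == true: the swapped order from the commit.
 * Returns the number of accesses to freed memory. */
static int model_attr_set_put(struct attr_set *set, bool fixed)
{
    uaf_reports = 0;
    if (fixed) { model_mutex_destroy(set); model_kobject_put(&set->kobj); }
    else       { model_kobject_put(&set->kobj); model_mutex_destroy(set); }
    return uaf_reports;
}

int main(void)
{
    struct attr_set a = { { 1, model_release }, true, false }, b = a;
    printf("old order: %d UAF access(es)\n", model_attr_set_put(&a, false));
    printf("new order: %d UAF access(es)\n", model_attr_set_put(&b, true));
    return 0;
}
```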