James Morse
1ba2e77048
cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
[ Upstream commit cdef1196608892b9a46caa5f2b64095a7f0be60c ]

Since commit e5c6b312ce3c ("cpufreq: schedutil: Use kobject release()
method to free sugov_tunables") kobject_put() has kfree()d the
attr_set before gov_attr_set_put() returns.

kobject_put() isn't the last user of attr_set in gov_attr_set_put(),
the subsequent mutex_destroy() triggers a use-after-free:
| BUG: KASAN: use-after-free in mutex_is_locked+0x20/0x60
| Read of size 8 at addr ffff000800ca4250 by task cpuhp/2/20
|
| CPU: 2 PID: 20 Comm: cpuhp/2 Not tainted 5.15.0-rc1 #12369
| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development
| Platform, BIOS EDK II Jul 30 2018
| Call trace:
| dump_backtrace+0x0/0x380
| show_stack+0x1c/0x30
| dump_stack_lvl+0x8c/0xb8
| print_address_description.constprop.0+0x74/0x2b8
| kasan_report+0x1f4/0x210
| kasan_check_range+0xfc/0x1a4
| __kasan_check_read+0x38/0x60
| mutex_is_locked+0x20/0x60
| mutex_destroy+0x80/0x100
| gov_attr_set_put+0xfc/0x150
| sugov_exit+0x78/0x190
| cpufreq_offline.isra.0+0x2c0/0x660
| cpuhp_cpufreq_offline+0x14/0x24
| cpuhp_invoke_callback+0x430/0x6d0
| cpuhp_thread_fun+0x1b0/0x624
| smpboot_thread_fn+0x5e0/0xa6c
| kthread+0x3a0/0x450
| ret_from_fork+0x10/0x20

Swap the order of the calls.

Fixes: e5c6b312ce3c ("cpufreq: schedutil: Use kobject release() method to free sugov_tunables")
Cc: 4.7+ <stable@vger.kernel.org> # 4.7+
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-06 10:23:41 +02:00
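
The ordering problem the commit message describes, as an added userspace model (not the kernel's code and not part of the commit): the release path only marks the object as freed, so the late access can be counted safely. The struct, its fields and every function name here are hypothetical stand-ins for attr_set, kobject_put(), mutex_destroy() and gov_attr_set_put().

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for attr_set; nothing is really freed here. */
struct attr_set_model {
    int  users;     /* references still held */
    bool freed;     /* set where the kernel's release() would kfree() */
    int  uaf_hits;  /* accesses seen after the object was released */
};

/* Every access goes through here, playing the role of the KASAN check. */
static void touch(struct attr_set_model *s)
{
    if (s->freed)
        s->uaf_hits++;
}

/* The trace shows mutex_destroy() reading the lock via mutex_is_locked(). */
static void model_mutex_destroy(struct attr_set_model *s) { touch(s); }

/* Final put: release() runs and the memory is gone afterwards. */
static void model_kobject_put(struct attr_set_model *s)
{
    touch(s);
    s->freed = true;
}

/* buggy_order=true: put, then destroy the mutex (the order before the fix). */
static int model_put(struct attr_set_model *s, bool buggy_order)
{
    if (--s->users)
        return s->users;            /* other users remain, no teardown */
    if (buggy_order) {
        model_kobject_put(s);
        model_mutex_destroy(s);     /* touches released memory */
    } else {
        model_mutex_destroy(s);
        model_kobject_put(s);       /* the put is the last access */
    }
    return 0;
}

/* Drop all references and report how many post-release accesses occurred. */
static int run(bool buggy_order, int users)
{
    struct attr_set_model s = { users, false, 0 };
    while (model_put(&s, buggy_order) > 0)
        ;
    return s.uaf_hits;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", run(true, 2), run(false, 2));
    return 0;
}
```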