[1/2] cpufreq/powernv: Fix use-after-free

Message ID 20200206062622.28235-1-oohall@gmail.com
State New
Series
  • [1/2] cpufreq/powernv: Fix use-after-free

Checks

Context Check Description
snowpatch_ozlabs/needsstable warning Please consider tagging this patch for stable!
snowpatch_ozlabs/checkpatch success total: 0 errors, 0 warnings, 0 checks, 12 lines checked
snowpatch_ozlabs/apply_patch success Successfully applied on branch powerpc/merge (530a1cfd52af0aba1af4b1c9a7bc66a202a459b1)

Commit Message

Oliver O'Halloran Feb. 6, 2020, 6:26 a.m. UTC
The cpufreq driver has a use-after-free that we can hit if:

a) There's an OCC message pending when the notifier is registered, and
b) The cpufreq driver fails to register with the core.

When a) occurs the notifier schedules a workqueue item to handle the
message. The backing work_struct is located on chips[].throttle and when b)
happens we clean up by freeing the array. Once we get to the (now free)
queued item, the kernel crashes.

Cc: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Fixes: c5e29ea ("cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}")
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
---
 drivers/cpufreq/powernv-cpufreq.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Gautham R Shenoy Feb. 25, 2020, 6:42 a.m. UTC | #1
On Thu, Feb 06, 2020 at 05:26:21PM +1100, Oliver O'Halloran wrote:
> The cpufreq driver has a use-after-free that we can hit if:
> 
> a) There's an OCC message pending when the notifier is registered, and
> b) The cpufreq driver fails to register with the core.
> 
> When a) occurs the notifier schedules a workqueue item to handle the
> message. The backing work_struct is located on chips[].throttle and when b)
> happens we clean up by freeing the array. Once we get to the (now free)
> queued item, the kernel crashes.
> 
> Cc: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
> Fixes: c5e29ea ("cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}")
> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>

Thanks for this fix Oliver.

Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>

> ---
>  drivers/cpufreq/powernv-cpufreq.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
> index 56f4bc0..1806b1d 100644
> --- a/drivers/cpufreq/powernv-cpufreq.c
> +++ b/drivers/cpufreq/powernv-cpufreq.c
> @@ -1080,6 +1080,12 @@ static int init_chip_info(void)
> 
>  static inline void clean_chip_info(void)
>  {
> +	int i;
> +
> +	/* flush any pending work items */
> +	if (chips)
> +		for (i = 0; i < nr_chips; i++)
> +			cancel_work_sync(&chips[i].throttle);
>  	kfree(chips);
>  }
> 
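Review bot: the `if (chips)` guard around the loop is only needed if nr_chips can be non-zero while chips is NULL (init_chip_info() failing after counting chips but before allocating the array); kfree(NULL) is already a no-op, so if init_chip_info() resets nr_chips on its error path the guard is redundant. Either way, a short comment naming the condition it protects against would make the cleanup path self-explaining, e.g. extend the existing comment to `/* flush any pending work items (chips may be NULL if init_chip_info() failed early) */`.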
> -- 
> 2.9.5
> 

Andrew Donnellan Feb. 25, 2020, 7:03 a.m. UTC | #2
On 6/2/20 5:26 pm, Oliver O'Halloran wrote:
> The cpufreq driver has a use-after-free that we can hit if:
> 
> a) There's an OCC message pending when the notifier is registered, and
> b) The cpufreq driver fails to register with the core.
> 
> When a) occurs the notifier schedules a workqueue item to handle the
> message. The backing work_struct is located on chips[].throttle and when b)
> happens we clean up by freeing the array. Once we get to the (now free)
> queued item, the kernel crashes.
> 
> Cc: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
> Fixes: c5e29ea ("cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}")
> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>

This sounds like it needs to go to stable.

Michael Ellerman Feb. 27, 2020, 1:31 a.m. UTC | #3
Andrew Donnellan <ajd@linux.ibm.com> writes:
> On 6/2/20 5:26 pm, Oliver O'Halloran wrote:
>> The cpufreq driver has a use-after-free that we can hit if:
>> 
>> a) There's an OCC message pending when the notifier is registered, and
>> b) The cpufreq driver fails to register with the core.
>> 
>> When a) occurs the notifier schedules a workqueue item to handle the
>> message. The backing work_struct is located on chips[].throttle and when b)
>> happens we clean up by freeing the array. Once we get to the (now free)
>> queued item, the kernel crashes.
>> 
>> Cc: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
>> Fixes: c5e29ea ("cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}")
>> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
>
> This sounds like it needs to go to stable.

I tagged it for stable when applying.

cheers

Patch

diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
index 56f4bc0..1806b1d 100644
--- a/drivers/cpufreq/powernv-cpufreq.c
+++ b/drivers/cpufreq/powernv-cpufreq.c
@@ -1080,6 +1080,12 @@  static int init_chip_info(void)
 
 static inline void clean_chip_info(void)
 {
+	int i;
+
+	/* flush any pending work items */
+	if (chips)
+		for (i = 0; i < nr_chips; i++)
+			cancel_work_sync(&chips[i].throttle);
 	kfree(chips);
 }
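Review bot: cancel_work_sync() only drains work that is already queued; it does not stop the OCC notifier from queueing chips[i].throttle again between the cancel loop and kfree(chips). For this to actually close the use-after-free, the caller must unregister the notifier before calling clean_chip_info(), and nothing in this hunk enforces or documents that ordering; a one-line comment above the loop (or a sentence in the commit message) stating "notifier must already be unregistered" would make the requirement explicit. Also, with the loop added the function is no longer a trivial one-liner, so the `inline` on `static inline void clean_chip_info(void)` can be dropped and left to the compiler.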