From patchwork Wed Aug 24 21:29:36 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tim Gardner X-Patchwork-Id: 662572 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3sKL7h4fXhz9sdm; Thu, 25 Aug 2016 07:30:24 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical-com.20150623.gappssmtp.com header.i=@canonical-com.20150623.gappssmtp.com header.b=iCN5dMCB; dkim-atps=neutral Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1bcfkb-0007nS-CA; Wed, 24 Aug 2016 21:30:21 +0000 Received: from mail-it0-f50.google.com ([209.85.214.50]) by huckleberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1bcfkC-0007aT-G2 for kernel-team@lists.ubuntu.com; Wed, 24 Aug 2016 21:29:56 +0000 Received: by mail-it0-f50.google.com with SMTP id x131so235961962ite.0 for ; Wed, 24 Aug 2016 14:29:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:in-reply-to:references; bh=oHM1sGKHihEybsfnCbzk+XhRDg+CVK/kFAolz1dXyyg=; b=iCN5dMCBnMuuRsnkVhteYbZ+Ct2VktDzfIe07O2dF4clGLTeSyGKSYXqnT6EZEwAlN 06MBmd4Ce8Y/ShUJHPg8S8rCZDb2Dxn/NEok4EUD9j/rTpDrtVS+o/pK5IwsN/lM6QYg qQKKbt5uP9rIg10xT3mwFT+nLMAS3bCjOlPQv646//sZuZ3G/ABsunvrUguQhACh1PIR qB3zx80b1p2vyj8oEmEa487+SsvEWp+hxZuL0HpPlz1KHGeHnqqwdgdhuhwDg7MFqJx/ FEbLtNDw0FyQfXpidRHNuY7SzkZZVWsESh1KJ386bVl8Ww1opx4Kuk4fFGHa5YtdIiC0 Vyww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=oHM1sGKHihEybsfnCbzk+XhRDg+CVK/kFAolz1dXyyg=; b=ZvHRZTYkYmBWvmXDGqm7gwpjmrjFKH9C2Mu9lBq6MsblHGVffJ9RzeP5o0VfWdOOqY RD9/HUGvOVG8tTeCUET7qrMmnywpzyRG8BEpwsz+RyM55TAm613ukP9QGdq0KZGjc+F/ 9ejfR5PD+qXJeekrGHiESOef25ZCt3hE/TFG5Cf2B5hDsf89N1OaJTeIkYq4dnFX+NBx tspslb2rjpr8hBa3ScbXoJuuJmADF0x2ZLjikh179xKwh5f4LAvO2yKXeD+t1WsfjEnC UZVCR4luxhsRl3/HzGIPQH18+FWPeiv2WwFPZKXOy54tpRlYLaWJwvIQJTeFhFRee53A JWAA== X-Gm-Message-State: AEkoousTEKbx5kaFkzYJLOtO86ZOVl7zjchdV30Sqrn8Imuo1zS4Wc1uf7X698ZKG5xHL5nB X-Received: by 10.107.131.11 with SMTP id f11mr6470731iod.136.1472074195169; Wed, 24 Aug 2016 14:29:55 -0700 (PDT) Received: from gbyte.rtg.local (host-174-45-44-32.hln-mt.client.bresnan.net. [174.45.44.32]) by smtp.gmail.com with ESMTPSA id o5sm12370305ith.20.2016.08.24.14.29.54 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 24 Aug 2016 14:29:54 -0700 (PDT) From: Tim Gardner To: kernel-team@lists.ubuntu.com Subject: [PATCH 06/16] intel_idle: Avoid a double free of the per-CPU data. Date: Wed, 24 Aug 2016 15:29:36 -0600 Message-Id: <1472074186-21406-7-git-send-email-tim.gardner@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1472074186-21406-1-git-send-email-tim.gardner@canonical.com> References: <1472074186-21406-1-git-send-email-tim.gardner@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com From: Richard Cochran BugLink: http://bugs.launchpad.net/bugs/1591821 The helper function, intel_idle_cpuidle_devices_uninit, frees the globally allocated per-CPU data. However, this function is invoked from the hot plug notifier callback at a time when freeing that data is not safe. If the call to cpuidle_register_driver() should fail (say, due to lack of memory), then the driver will free its per-CPU region. On the *next* CPU_ONLINE event, the driver will happily use the region again and even free it again if the failure repeats. This patch fixes the issue by moving the call to free_percpu() outside of the helper function at the two call sites that actually need to free the per-CPU data. Signed-off-by: Richard Cochran Signed-off-by: Len Brown Signed-off-by: Rafael J. Wysocki (cherry picked from commit ca42489d9ee3262482717c83428e087322fdc39c) Signed-off-by: Tim Gardner --- drivers/idle/intel_idle.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c index 5dd741f..0b56872 100644 --- a/drivers/idle/intel_idle.c +++ b/drivers/idle/intel_idle.c @@ -1002,7 +1002,7 @@ static int __init intel_idle_probe(void) /* * intel_idle_cpuidle_devices_uninit() - * unregister, free cpuidle_devices + * Unregisters the cpuidle devices. */ static void intel_idle_cpuidle_devices_uninit(void) { @@ -1013,9 +1013,6 @@ static void intel_idle_cpuidle_devices_uninit(void) dev = per_cpu_ptr(intel_idle_cpuidle_devices, i); cpuidle_unregister_device(dev); } - - free_percpu(intel_idle_cpuidle_devices); - return; } /* @@ -1231,6 +1228,7 @@ static int __init intel_idle_init(void) if (retval) { cpu_notifier_register_done(); cpuidle_unregister_driver(&intel_idle_driver); + free_percpu(intel_idle_cpuidle_devices); return retval; } } @@ -1253,6 +1251,7 @@ static void __exit intel_idle_exit(void) cpu_notifier_register_done(); cpuidle_unregister_driver(&intel_idle_driver); + free_percpu(intel_idle_cpuidle_devices); } module_init(intel_idle_init);