3945c48136
[ Upstream commit cdef1196608892b9a46caa5f2b64095a7f0be60c ]
Since commit e5c6b312ce3c ("cpufreq: schedutil: Use kobject release()
method to free sugov_tunables") kobject_put() has kfree()d the
attr_set before gov_attr_set_put() returns.
kobject_put() isn't the last user of attr_set in gov_attr_set_put(),
the subsequent mutex_destroy() triggers a use-after-free:
| BUG: KASAN: use-after-free in mutex_is_locked+0x20/0x60
| Read of size 8 at addr ffff000800ca4250 by task cpuhp/2/20
|
| CPU: 2 PID: 20 Comm: cpuhp/2 Not tainted 5.15.0-rc1 #12369
| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development
| Platform, BIOS EDK II Jul 30 2018
| Call trace:
| dump_backtrace+0x0/0x380
| show_stack+0x1c/0x30
| dump_stack_lvl+0x8c/0xb8
| print_address_description.constprop.0+0x74/0x2b8
| kasan_report+0x1f4/0x210
| kasan_check_range+0xfc/0x1a4
| __kasan_check_read+0x38/0x60
| mutex_is_locked+0x20/0x60
| mutex_destroy+0x80/0x100
| gov_attr_set_put+0xfc/0x150
| sugov_exit+0x78/0x190
| cpufreq_offline.isra.0+0x2c0/0x660
| cpuhp_cpufreq_offline+0x14/0x24
| cpuhp_invoke_callback+0x430/0x6d0
| cpuhp_thread_fun+0x1b0/0x624
| smpboot_thread_fn+0x5e0/0xa6c
| kthread+0x3a0/0x450
| ret_from_fork+0x10/0x20
Swap the order of the calls.
Fixes: e5c6b312ce3c ("cpufreq: schedutil: Use kobject release() method to free sugov_tunables")
Cc: 4.7+ <stable@vger.kernel.org> # 4.7+
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|---|---|---|
| .. | ||
| acpi-cpufreq.c | ||
| amd_freq_sensitivity.c | ||
| armada-8k-cpufreq.c | ||
| armada-37xx-cpufreq.c | ||
| bmips-cpufreq.c | ||
| brcmstb-avs-cpufreq.c | ||
| cppc_cpufreq.c | ||
| cpufreq_conservative.c | ||
| cpufreq_governor_attr_set.c | ||
| cpufreq_governor.c | ||
| cpufreq_governor.h | ||
| cpufreq_ondemand.c | ||
| cpufreq_ondemand.h | ||
| cpufreq_performance.c | ||
| cpufreq_powersave.c | ||
| cpufreq_stats.c | ||
| cpufreq_userspace.c | ||
| cpufreq-dt-platdev.c | ||
| cpufreq-dt.c | ||
| cpufreq-dt.h | ||
| cpufreq-nforce2.c | ||
| cpufreq.c | ||
| davinci-cpufreq.c | ||
| e_powersaver.c | ||
| elanfreq.c | ||
| freq_table.c | ||
| gx-suspmod.c | ||
| highbank-cpufreq.c | ||
| ia64-acpi-cpufreq.c | ||
| imx-cpufreq-dt.c | ||
| imx6q-cpufreq.c | ||
| intel_pstate.c | ||
| Kconfig | ||
| Kconfig.arm | ||
| Kconfig.powerpc | ||
| Kconfig.x86 | ||
| kirkwood-cpufreq.c | ||
| longhaul.c | ||
| longhaul.h | ||
| longrun.c | ||
| loongson1-cpufreq.c | ||
| loongson2_cpufreq.c | ||
| Makefile | ||
| maple-cpufreq.c | ||
| mediatek-cpufreq.c | ||
| mvebu-cpufreq.c | ||
| omap-cpufreq.c | ||
| p4-clockmod.c | ||
| pasemi-cpufreq.c | ||
| pcc-cpufreq.c | ||
| pmac32-cpufreq.c | ||
| pmac64-cpufreq.c | ||
| powernow-k6.c | ||
| powernow-k7.c | ||
| powernow-k7.h | ||
| powernow-k8.c | ||
| powernow-k8.h | ||
| powernv-cpufreq.c | ||
| ppc_cbe_cpufreq_pervasive.c | ||
| ppc_cbe_cpufreq_pmi.c | ||
| ppc_cbe_cpufreq.c | ||
| ppc_cbe_cpufreq.h | ||
| pxa2xx-cpufreq.c | ||
| pxa3xx-cpufreq.c | ||
| qcom-cpufreq-hw.c | ||
| qcom-cpufreq-nvmem.c | ||
| qoriq-cpufreq.c | ||
| raspberrypi-cpufreq.c | ||
| s3c24xx-cpufreq-debugfs.c | ||
| s3c24xx-cpufreq.c | ||
| s3c64xx-cpufreq.c | ||
| s3c2410-cpufreq.c | ||
| s3c2412-cpufreq.c | ||
| s3c2416-cpufreq.c | ||
| s3c2440-cpufreq.c | ||
| s5pv210-cpufreq.c | ||
| sa1100-cpufreq.c | ||
| sa1110-cpufreq.c | ||
| sc520_freq.c | ||
| scmi-cpufreq.c | ||
| scpi-cpufreq.c | ||
| sfi-cpufreq.c | ||
| sh-cpufreq.c | ||
| sparc-us2e-cpufreq.c | ||
| sparc-us3-cpufreq.c | ||
| spear-cpufreq.c | ||
| speedstep-centrino.c | ||
| speedstep-ich.c | ||
| speedstep-lib.c | ||
| speedstep-lib.h | ||
| speedstep-smi.c | ||
| sti-cpufreq.c | ||
| sun50i-cpufreq-nvmem.c | ||
| tango-cpufreq.c | ||
| tegra20-cpufreq.c | ||
| tegra124-cpufreq.c | ||
| tegra186-cpufreq.c | ||
| tegra194-cpufreq.c | ||
| ti-cpufreq.c | ||
| vexpress-spc-cpufreq.c | ||