From 6368e6891dbfdbfafbce149a263c7bd2b2868f71 Mon Sep 17 00:00:00 2001 From: Yuhang Liang Date: Tue, 9 May 2023 15:31:20 +0800 Subject: [PATCH] x86/perf: fix use-after-free bug in uncore_pci_remove() zhaoxin inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I71KVZ CVE: NA Reference: N/A ---------------------------------------------------------------- since the dereferencing freed memory 'box' in uncore_pci_remove() will trigger a use-after-free bug, use a variable 'name' to store the value of box->pmu->type->name, so that the memory 'box' won't be dereferenced after being released. Signed-off-by: Yuhang Liang
---
 arch/x86/events/zhaoxin/uncore.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/zhaoxin/uncore.c b/arch/x86/events/zhaoxin/uncore.c
index a06342387814..eb5f434fafbf 100644
--- a/arch/x86/events/zhaoxin/uncore.c
+++ b/arch/x86/events/zhaoxin/uncore.c
@@ -1669,6 +1669,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
 struct zhaoxin_uncore_box **boxes = pci_get_drvdata(pdev);
 struct zhaoxin_uncore_box *box;
 struct zhaoxin_uncore_pmu *pmu;
+ const char *name;
 int subnode_id;
 int i = 0;
@@ -1678,6 +1679,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
 again:
 box = boxes[i];
 pmu = box->pmu;
+ name = box->pmu->type->name;
 if (WARN_ON_ONCE(subnode_id != box->subnode_id))
 return;
@@ -1688,7 +1690,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
 uncore_box_exit(box);
 kfree(box);
- if (!strcmp(box->pmu->type->name, "mc0")) {
+ if (!strcmp(name, "mc0")) {
 i++;
 goto again;
 }
-- GitLab
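Review bot: The added `name = box->pmu->type->name;` after `again:` re-reads `box->pmu` even though `pmu` was assigned from it on the line above; `name = pmu->type->name;` is equivalent and shorter. The cached pointer is only safe if the string belongs to the PMU type rather than to `box`, and the patch does not show who owns or frees it. A comment such as `/* name is owned by pmu->type, not box, so it stays valid after kfree(box) */` would keep a later refactor from reintroducing the stale read. The body of uncore_pci_remove() starts and ends outside this hunk.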
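Review bot: The `goto again` path after `i++` reads `boxes[i]` for the next slot with no bound or NULL check visible in this hunk, and nothing explains why the `"mc0"` literal selects it. Whether `boxes` always holds a second entry for an mc0 device, and whether the array itself is released in the lines between the hunks, cannot be confirmed from the patch. A comment at the `strcmp` stating how many boxes an mc0 PCI device carries would document the invariant. If the array is NULL-terminated or of known length, a guard at `again:` along the lines of `if (WARN_ON_ONCE(!boxes[i])) return;` would make the second pass fail safely. The function continues outside the hunk.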