提交 6368e689 编写于 作者: Y Yuhang Liang

x86/perf: fix use-after-free bug in uncore_pci_remove()

zhaoxin inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I71KVZ
CVE: NA

Reference: N/A

----------------------------------------------------------------

Dereferencing the freed memory 'box' in uncore_pci_remove() triggers a
use-after-free bug. Use a variable 'name' to store the value of
box->pmu->type->name, so that the memory 'box' won't be dereferenced after
being released.
Signed-off-by: NYuhang Liang <M202271764@hust.edu.cn>
上级 93ad695d
...@@ -1669,6 +1669,7 @@ static void uncore_pci_remove(struct pci_dev *pdev) ...@@ -1669,6 +1669,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
struct zhaoxin_uncore_box **boxes = pci_get_drvdata(pdev); struct zhaoxin_uncore_box **boxes = pci_get_drvdata(pdev);
struct zhaoxin_uncore_box *box; struct zhaoxin_uncore_box *box;
struct zhaoxin_uncore_pmu *pmu; struct zhaoxin_uncore_pmu *pmu;
const char *name;
int subnode_id; int subnode_id;
int i = 0; int i = 0;
...@@ -1678,6 +1679,7 @@ static void uncore_pci_remove(struct pci_dev *pdev) ...@@ -1678,6 +1679,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
again: again:
box = boxes[i]; box = boxes[i];
pmu = box->pmu; pmu = box->pmu;
name = box->pmu->type->name;
if (WARN_ON_ONCE(subnode_id != box->subnode_id)) if (WARN_ON_ONCE(subnode_id != box->subnode_id))
return; return;
...@@ -1688,7 +1690,7 @@ static void uncore_pci_remove(struct pci_dev *pdev) ...@@ -1688,7 +1690,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
uncore_box_exit(box); uncore_box_exit(box);
kfree(box); kfree(box);
if (!strcmp(box->pmu->type->name, "mc0")) { if (!strcmp(name, "mc0")) {
i++; i++;
goto again; goto again;
} }
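Review bot: The added `name = box->pmu->type->name;` after `again:` is the only thing keeping the comparison after `kfree(box)` safe, yet nothing in the code says so, and it walks `box->pmu` again although `pmu` was assigned on the line above. I would write it as `name = pmu->type->name; /* read before kfree(box); box must not be touched after the free */` so a later cleanup does not reintroduce the dereference. The cached pointer is borrowed from `type`, so the fix assumes the type descriptor outlives the box; the lines between the second and third hunks are not shown, so it is worth confirming that nothing there releases it. Separately, every `goto again` pass dereferences `boxes[i]` before any NULL or bounds check visible in these hunks, and the function body continues outside them.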
......