arm64/mpam: Fix use-after-free in mkdir_resctrl_prepare()

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4K272 CVE: NA ------------------------------------------------- We add label out_free_rdtgrp for handling error branch when it happened before rmid and closid allocation, in case of reusing rdtgrp after freeing. Fixes: 0b16164d ("arm64/mpam: Remap reqpartid,pmg to rmid and intpartid to closid") Signed-off-by: N Wang ShaoBo <bobo.shaobowang@huawei.com> Reviewed-by: N Cheng Jian <cj.chengjian@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

arm64/mpam: Fix use-after-free in mkdir_resctrl_prepare()
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4K272 CVE: NA ------------------------------------------------- We add label out_free_rdtgrp for handling error branch when it happened before rmid and closid allocation, in case of reusing rdtgrp after freeing. Fixes: 0b16164d ("arm64/mpam: Remap reqpartid,pmg to rmid and intpartid to closid") Signed-off-by: N Wang ShaoBo <bobo.shaobowang@huawei.com> Reviewed-by: N Cheng Jian <cj.chengjian@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
e163ff16 · Wang ShaoBo · Zheng Zengkai · e56e8310 · e163ff16
显示空白变更内容
内联并排

Showing with 3 addition and 2 deletion

fs/resctrlfs.c fs/resctrlfs.c +3 -2

未找到文件。
--- a/fs/resctrlfs.c
+++ b/fs/resctrlfs.c
@@ -749,7 +749,7 @@ static int mkdir_resctrl_prepare(struct kernfs_node *parent_kn,
 		ret = closid_alloc();
 		if (ret < 0) {
 			rdt_last_cmd_puts("out of CLOSIDs\n");
-			goto out_unlock;
+			goto out_free_rdtgrp;
 		}
 		rdtgrp->closid.intpartid = ret;
 	}
@@ -819,10 +819,11 @@ static int mkdir_resctrl_prepare(struct kernfs_node *parent_kn,
 	kernfs_remove(rdtgrp->kn);
 out_free_rmid:
 	rmid_free(rdtgrp->mon.rmid);
-	kfree(rdtgrp);
 out_free_closid:
 	if (rdtgrp->type == RDTCTRL_GROUP)
 		closid_free(rdtgrp->closid.intpartid);
+out_free_rdtgrp:
+	kfree(rdtgrp);
 out_unlock:
 	resctrl_group_kn_unlock(prgrp_kn);
 	return ret;