lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20211124152553.3407-1-Wentao_Liang_g@163.com>
Date:   Wed, 24 Nov 2021 23:25:53 +0800
From:   Wentao_Liang <Wentao_Liang_g@....com>
To:     daniel.lezcano@...nel.org, rjw@...ysocki.net
Cc:     linux-pm@...r.kernel.org, linux-kernel@...r.kernel.org,
        Wentao_Liang <Wentao_Liang_g@....com>
Subject: [PATCH] /drivers/powercap/dtpm_cpu.c: fix policy reference leak in cpuhp_dtpm_cpu_online()

In line 186(#1), 'policy = cpufreq_cpu_get(cpu)' will increase the kobject
reference counter of the policy. The policy has to be released with the
help of 'cpufreq_cpu_put()' to balance its kobject reference counter
properly. However, the function returns without dropping the reference
(#2,#3,#4,#5 and #6). It may result in a reference leak bug.

It can be fixed by calling the function 'cpufreq_cpu_put()' before the
function returns.

178 static int cpuhp_dtpm_cpu_online(unsigned int cpu)
179 {
...
186         policy = cpufreq_cpu_get(cpu);
	      //#1 reference increase
...
191         if (!pd)
192                 return -EINVAL;
	      //#2 function returns without decrementing reference counter
193
194         dtpm_cpu = per_cpu(dtpm_per_cpu, cpu);
195         if (dtpm_cpu)
196                 return dtpm_update_power(&dtpm_cpu->dtpm);
	      //#3 function returns without decrementing reference counter
197
198         dtpm_cpu = kzalloc(sizeof(*dtpm_cpu), GFP_KERNEL);
199         if (!dtpm_cpu)
200                 return -ENOMEM;
	      //#4 function returns without decrementing reference counter
...
220         return 0;
	      //#5 function returns without decrementing reference counter
...
226 out_kfree_dtpm_cpu:
...
231         return ret;
	      //#6 function returns without decrementing reference counter
232 }

Signed-off-by: Wentao_Liang <Wentao_Liang_g@....com>
---
 drivers/powercap/dtpm_cpu.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/powercap/dtpm_cpu.c b/drivers/powercap/dtpm_cpu.c
index 51c366938acd..9330cfb31a62 100644
--- a/drivers/powercap/dtpm_cpu.c
+++ b/drivers/powercap/dtpm_cpu.c
@@ -189,16 +189,22 @@ static int cpuhp_dtpm_cpu_online(unsigned int cpu)
 		return 0;
 
 	pd = em_cpu_get(cpu);
-	if (!pd)
+	if (!pd) {
+		cpufreq_cpu_put(policy);
 		return -EINVAL;
+	}
 
 	dtpm = per_cpu(dtpm_per_cpu, cpu);
-	if (dtpm)
+	if (dtpm) {
+		cpufreq_cpu_put(policy);
 		return power_add(dtpm, pd);
+	}
 
 	dtpm = dtpm_alloc(&dtpm_ops);
-	if (!dtpm)
+	if (!dtpm) {
+		cpufreq_cpu_put(policy);
 		return -EINVAL;
+	}
 
 	dtpm_cpu = kzalloc(sizeof(*dtpm_cpu), GFP_KERNEL);
 	if (!dtpm_cpu)
@@ -226,6 +232,7 @@ static int cpuhp_dtpm_cpu_online(unsigned int cpu)
 	if (ret)
 		goto out_power_sub;
 
+	cpufreq_cpu_put(policy);
 	return 0;
 
 out_power_sub:
@@ -243,6 +250,7 @@ static int cpuhp_dtpm_cpu_online(unsigned int cpu)
 
 out_kfree_dtpm:
 	kfree(dtpm);
+	cpufreq_cpu_put(policy);
 	return ret;
 }
 
-- 
2.25.1


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ