Unverified Commit 22fb0556 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!665 [HUST CSE] fix a use-after-free bug in uncore_pci_remove()

Merge Pull Request from: @liu-ziqin 
 
The code at
https://gitee.com/openeuler/kernel/blob/OLK-5.10/arch/x86/events/zhaoxin/uncore.c#L1692
releases the variable 'box', but
https://gitee.com/openeuler/kernel/blob/OLK-5.10/arch/x86/events/zhaoxin/uncore.c#L1694
then dereferences the freed memory 'box' (box->pmu->type->name), resulting in a use-after-free bug.
This bug can be fixed by defining a variable 'name' to temporarily store the value of
box->pmu->type->name, and replacing 'box->pmu->type->name' in the condition check
at L1694 with 'name'.
 
Link:https://gitee.com/openeuler/kernel/pulls/665

 

Reviewed-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parents 139aa37a e2ca326d
+3 −1
@@ -1671,6 +1671,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
	struct zhaoxin_uncore_box **boxes = pci_get_drvdata(pdev);
	struct zhaoxin_uncore_box *box;
	struct zhaoxin_uncore_pmu *pmu;
	const char *name;
	int subnode_id;
	int i = 0;

@@ -1681,6 +1682,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
again:
	box = boxes[i];
	pmu = box->pmu;
	name = box->pmu->type->name;
	if (WARN_ON_ONCE(subnode_id != box->subnode_id))
		return;

@@ -1691,7 +1693,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
	uncore_box_exit(box);
	kfree(box);

	if (!strcmp(box->pmu->type->name, "mc0")) {
	if (!strcmp(name, "mc0")) {
		i++;
		goto again;
	}
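Review bot: In the `again:` block the new `name = box->pmu->type->name;` repeats the load that `pmu = box->pmu;` did on the line before, and nothing records why the string is cached, so a later cleanup could fold it back into the comparison after `kfree(box)`. I would write it as `name = pmu->type->name; /* read before kfree(box) below; box must not be touched after it */`. The cached pointer is only safe if the type's name string outlives the box, which the visible lines do not show and is worth confirming, since the code between the hunks is not shown here. Separately, after `i++` the loop re-reads `boxes[i]` and dereferences it at once with no bound or NULL check in the visible lines, so termination appears to rest on the next box's type name not being "mc0". The body of uncore_pci_remove() starts and ends outside these hunks.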