Commit e2ca326d authored by Ziqin Liu's avatar Ziqin Liu

x86/perf: fix use-after-free bug in uncore_pci_remove()

zhaoxin inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7066J


CVE: NA

Reference: N/A

----------------------------------------------------------------

Since dereferencing the freed memory 'box' in uncore_pci_remove() triggers
a use-after-free bug, use a variable 'name' to store the value of
box->pmu->type->name, so that 'box' is not dereferenced after it has been
released.

Signed-off-by: default avatarZiqin Liu <ziqin_l@hust.edu.cn>
parent 6bf61fdd
+3 −1
@@ -1671,6 +1671,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
	struct zhaoxin_uncore_box **boxes = pci_get_drvdata(pdev);
	struct zhaoxin_uncore_box *box;
	struct zhaoxin_uncore_pmu *pmu;
	const char *name;
	int subnode_id;
	int i = 0;

@@ -1681,6 +1682,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
again:
	box = boxes[i];
	pmu = box->pmu;
	name = box->pmu->type->name;
	if (WARN_ON_ONCE(subnode_id != box->subnode_id))
		return;

@@ -1691,7 +1693,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
	uncore_box_exit(box);
	kfree(box);

	if (!strcmp(box->pmu->type->name, "mc0")) {
	if (!strcmp(name, "mc0")) {
		i++;
		goto again;
	}
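Review bot: On the `goto again` path, `box = boxes[i]` is followed at once by `pmu = box->pmu` and the new `name = box->pmu->type->name`, with no NULL check on the slot and no bound on `i` visible in these hunks. If the entry after an "mc0" box can be unpopulated, that is a NULL or out-of-bounds dereference in the remove path; a guard such as `if (!box) return;` right after `box = boxes[i];` would close it, assuming unused slots are NULL. Since `pmu` is already loaded, the new line can read `name = pmu->type->name;`, and a short comment like `/* type->name outlives box; cached because box is freed below */` would record why the copy is safe; that lifetime is assumed here, not shown. The lines between the hunks are not visible, so an existing check there would make the guard unnecessary.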