On 06-01-20, 14:52, chenqiwu wrote:
> On Mon, Jan 06, 2020 at 11:18:11AM +0530, Viresh Kumar wrote:
> > On 28-12-19, 14:43, qiwuchen55@xxxxxxxxx wrote:
> > > From: chenqiwu <chenqiwu@xxxxxxxxxx>
> > >
> > > There is a potential UAF issue in xxx_cpufreq_reboot_notifier_evt() that
> > > the cpufreq policy of cpu0 has been released before using it. So we should
> > > make a judgement to avoid it.
> >
> > There is no UAF problem here, but that we do cpufreq_cpu_get() with a
> > corresponding cpufreq_cpu_put().
> >
> > > Signed-off-by: chenqiwu <chenqiwu@xxxxxxxxxx>
> > > ---
> > > drivers/cpufreq/s3c2416-cpufreq.c | 11 ++++++++++-
> > > drivers/cpufreq/s5pv210-cpufreq.c | 10 +++++++++-
> > > 2 files changed, 19 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/cpufreq/s3c2416-cpufreq.c b/drivers/cpufreq/s3c2416-cpufreq.c
> > > index 1069103..0f576ba 100644
> > > --- a/drivers/cpufreq/s3c2416-cpufreq.c
> > > +++ b/drivers/cpufreq/s3c2416-cpufreq.c
> > > @@ -304,6 +304,7 @@ static int s3c2416_cpufreq_reboot_notifier_evt(struct notifier_block *this,
> > > {
> > > struct s3c2416_data *s3c_freq = &s3c2416_cpufreq;
> > > int ret;
> > > + struct cpufreq_policy policy;
> > >
> > > mutex_lock(&cpufreq_lock);
> > >
> > > @@ -318,7 +319,15 @@ static int s3c2416_cpufreq_reboot_notifier_evt(struct notifier_block *this,
> > > */
> > > if (s3c_freq->is_dvs) {
> > > pr_debug("cpufreq: leave dvs on reboot\n");
> > > - ret = cpufreq_driver_target(cpufreq_cpu_get(0), FREQ_SLEEP, 0);
> > > +
> > > + memset(&policy, 0, sizeof(policy));
> > > + ret = cpufreq_get_policy(&policy, 0);
> > > + if (ret < 0) {
> > > + pr_debug("cpufreq: get no policy for cpu0\n");
> > > + return NOTIFY_BAD;
> > > + }
> > > +
> >
> > This doesn't make sense to me, why don't you do cpufreq_cpu_get() and
> > put() instead ?
> >
> Hi viresh,
> I can't explain which approach is better, but I think both approaches are
> effective for the situation.
The second one is better as it doesn't make copy of the policy, but
rather just increments the counter.
> By the way, there is a possibility that the cpu0 hotplug thread will call
> cpufreq_policy_free() to free cpufreq policy if cpu0 hotplug failed.
> I think there should be a judgement to avoid this UAF risk if necessary,
> or we just do panic if cpu0's cpufreq policy is free.
I think there are enough locks in place to avoid such issues and they
shouldn't happen.
> > > + ret = cpufreq_driver_target(&policy, FREQ_SLEEP, 0);
> > > if (ret < 0)
> > > return NOTIFY_BAD;
> > > }
> > > diff --git a/drivers/cpufreq/s5pv210-cpufreq.c b/drivers/cpufreq/s5pv210-cpufreq.c
> > > index 5d10030..d99b4b1 100644
> > > --- a/drivers/cpufreq/s5pv210-cpufreq.c
> > > +++ b/drivers/cpufreq/s5pv210-cpufreq.c
> > > @@ -555,8 +555,16 @@ static int s5pv210_cpufreq_reboot_notifier_event(struct notifier_block *this,
> > > unsigned long event, void *ptr)
> > > {
> > > int ret;
> > > + struct cpufreq_policy *policy;
> > >
> > > - ret = cpufreq_driver_target(cpufreq_cpu_get(0), SLEEP_FREQ, 0);
> > > + policy = cpufreq_cpu_get(0);
> > > + if (!policy) {
> > > + pr_debug("cpufreq: get no policy for cpu0\n");
> > > + return NOTIFY_BAD;
> > > + }
> > > +
> > > + ret = cpufreq_driver_target(policy, SLEEP_FREQ, 0);
> > > + cpufreq_cpu_put(policy);
> >
> > Like what is done here.
> >
> > Also add a blank line here.
> >
> > > if (ret < 0)
> > > return NOTIFY_BAD;
> > >
> > > --
> > > 1.9.1
> >
> > --
> > viresh
>
> Thanks for your review!
> Qiwu
--
viresh
