From e2ca326dd4ba90ecc3c346645bf11606985681ae Mon Sep 17 00:00:00 2001
From: Ziqin Liu
Date: Sat, 6 May 2023 14:58:42 +0800
Subject: [PATCH] x86/perf: fix use-after-free bug in uncore_pci_remove()
zhaoxin inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7066J
CVE: NA
Reference: N/A
----------------------------------------------------------------
since the dereferencing freed memory 'box' in uncore_pci_remove() will trigger a use-after-free bug, use a variable 'name' to store the value of box->pmu->type->name, so that the memory 'box' won't be dereferenced after being released.
Signed-off-by: Ziqin Liu
---
 arch/x86/events/zhaoxin/uncore.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/zhaoxin/uncore.c b/arch/x86/events/zhaoxin/uncore.c
index 19264e48db5d..a8245771cf5d 100644
--- a/arch/x86/events/zhaoxin/uncore.c
+++ b/arch/x86/events/zhaoxin/uncore.c
@@ -1671,6 +1671,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
 struct zhaoxin_uncore_box **boxes = pci_get_drvdata(pdev);
 struct zhaoxin_uncore_box *box;
 struct zhaoxin_uncore_pmu *pmu;
+ const char *name;
 int subnode_id;
 int i = 0;
@@ -1681,6 +1682,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
 again:
 box = boxes[i];
 pmu = box->pmu;
+ name = box->pmu->type->name;
 if (WARN_ON_ONCE(subnode_id != box->subnode_id))
 return;
@@ -1691,7 +1693,7 @@ static void uncore_pci_remove(struct pci_dev *pdev)
 uncore_box_exit(box);
 kfree(box);
- if (!strcmp(box->pmu->type->name, "mc0")) {
+ if (!strcmp(name, "mc0")) {
 i++;
 goto again;
 }
--
Gitee
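Review bot: At `again:` (hunk `@@ -1681,6 +1682,7 @@`) `box` is dereferenced before anything validates it, and the added `name = box->pmu->type->name;` is one more such dereference on the second pass, when `i` is 1. Nothing in the visible lines shows that `boxes[1]` is always populated, so a guard such as `if (WARN_ON_ONCE(!box)) return;` ahead of `pmu = box->pmu;` would be safer; the probe side is outside this patch, so this may already be guaranteed. Since `pmu` was assigned on the line above, the new line can also read `name = pmu->type->name;`. The function body starts and ends outside the hunk.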
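Review bot: After `kfree(box);` (hunk `@@ -1691,7 +1693,7 @@`) the slot `boxes[i]` still holds the freed pointer, and the visible lines neither clear it nor free the `boxes` array itself. Adding `boxes[i] = NULL;` right after the `kfree()` would keep any later access from repeating the use-after-free this patch fixes; whether the array is released elsewhere in the function cannot be seen from here. The fix also depends on `type->name` not living inside `box`, which deserves a comment at the assignment, e.g. `/* cached: box is freed before the "mc0" check below */`.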