| field | value | date |
|---|---|---|
| author | Woody Lin <woodylin@google.com> | 2018-07-06 17:31:28 +0800 |
| committer | John Dias <joaodias@google.com> | 2018-08-10 16:40:16 -0700 |
| commit | bc782cded23900c0d2d3818139bc3c39ee9df136 (patch) | |
| tree | f36e130b68f40a9b6f5ab1639e8e6bc36c90b659 /net/lapb/lapb_timer.c | |
| parent | 703ca6bddbf3823a26b1cf93054748f62c9b2149 (diff) | |
cpufreq_stats: Reset cpufreq_task_stats right after dup_task_struct
The `time_in_state' on current task (caller of fork) might be freed
because of error handler `bad_fork_free' of copy_process:

```
    p = dup_task_struct(current, node);
    ...
    ... /* Field `time_in_state' on newly created `p' was cloned from
         * `current' */
    ...
    if /* some error condition */
        goto bad_fork_free; ------> (0)
    ...
    retval = sched_fork(clone_flags, p);
    /* `time_in_state' is only reset by sched_fork ->
     * __sched_fork -> cpufreq_task_stats_init, but which is not
     * reached in this scenario. */
    ...
bad_fork_free: <------------------ (0)
    free_task(p);
    --> cpufreq_task_stats_free(tsk); /* p == tsk */
        --> kfree(tsk->time_in_state); /* `time_in_state' of `current' is freed unexpectedly */
```

Later, when current task itself exits or next failure of copy_process
happens, the `time_in_state' is freed again. Thus "KASAN: double-free or
invalid-free" is detected.
```
==================================================================
BUG: KASAN: double-free or invalid-free in (null)
CPU: 4 PID: 16252 Comm: syz-executor Tainted: G C 4.4.116-gcff1ae5d4f72 #1
Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
Call trace:
[<>] dump_backtrace+0x0/0x34c
[<>] show_stack+0x1c/0x24
[<>] dump_stack+0xb8/0xe8
[<>] print_address_description+0x94/0x334
[<>] kasan_report_double_free+0x74/0x8c
[<>] kasan_slab_free+0x164/0x1c0
[<>] kfree+0x8c/0x2b4
[<>] process_notifier+0xb8/0xe4
[<>] blocking_notifier_call_chain+0x9c/0xf4
[<>] profile_task_exit+0x2c/0x34
[<>] do_exit+0x3c/0x110c
[<>] do_group_exit+0x7c/0x128
[<>] get_signal+0x374/0x904
[<>] do_signal+0x230/0x1408
[<>] do_notify_resume+0x84/0x88
[<>] work_pending+0x10/0x14

Allocated by task 16248:
[<>] save_stack_trace_tsk+0x0/0x204
[<>] save_stack_trace+0x20/0x28
[<>] kasan_kmalloc.part.5+0x50/0x124
[<>] kasan_kmalloc+0xc4/0xe4
[<>] __kmalloc+0x138/0x29c
[<>] cpufreq_task_stats_alloc+0x70/0x140
[<>] sched_fork+0x1b4/0x4e8
[<>] copy_process.isra.66+0x7a4/0x276c
[<>] _do_fork+0x98/0x5c8
[<>] SyS_clone+0x40/0x4c
[<>] el0_svc_naked+0x24/0x28

Freed by task 16252:
[<>] save_stack_trace_tsk+0x0/0x204
[<>] save_stack_trace+0x20/0x28
[<>] kasan_slab_free+0xb0/0x1c0
[<>] kfree+0x8c/0x2b4
[<>] cpufreq_task_stats_free+0x24/0x50
[<>] free_task+0x28/0x18c
[<>] copy_process.isra.66+0x800/0x276c
[<>] _do_fork+0x98/0x5c8
[<>] SyS_clone+0x40/0x4c
[<>] el0_svc_naked+0x24/0x28
```
To fix this issue, add a `cpufreq_task_stats_init' before `goto
bad_fork_free' to make sure that all cpufreq-stats-related structure
members are initialized before there is any chance of the fields being freed.
Verify: Not reproducible w/ original fuzz testing.
Bug: 111081202
Change-Id: I585dc28417fee740301e3ae1c1c974e84fdb19fe
Signed-off-by: Woody Lin <woodylin@google.com>
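As an added illustration (not part of this commit or the kernel source), a user-space C model of the aliasing the message describes: the child task struct is a byte copy of the parent's, so freeing its `time_in_state` on the early error path frees the parent's buffer, and resetting the pointer right after `dup_task_struct` removes the overlap. The function names mirror the kernel ones, but their bodies are simplified stand-ins and `model_kfree` is a constructed tracker playing KASAN's role.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed user-space model of the bug described above, not the kernel's
 * code. model_kfree() stands in for kfree() and remembers what it has freed,
 * so a second free of one buffer is counted instead of corrupting the heap
 * (the role KASAN plays in the report). */
#define MAX_FREED 16
static void *freed[MAX_FREED];
static int nfreed;

static int model_kfree(void *ptr)          /* returns 1 on a double free */
{
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == ptr) return 1;
    if (nfreed < MAX_FREED) freed[nfreed++] = ptr;
    free(ptr);
    return 0;
}

struct task_struct { unsigned long *time_in_state; };
/* dup_task_struct() copies the whole struct, so the child inherits the
 * parent's time_in_state pointer until something resets it. */
static struct task_struct *dup_task_struct(const struct task_struct *orig)
{
    struct task_struct *p = malloc(sizeof *p);
    memcpy(p, orig, sizeof *p);
    return p;
}
static void cpufreq_task_stats_init(struct task_struct *p) { p->time_in_state = NULL; }
static int cpufreq_task_stats_free(struct task_struct *p)
{
    return p->time_in_state ? model_kfree(p->time_in_state) : 0;
}

/* copy_process() fails before sched_fork() runs, then the parent exits.
 * Returns how many double frees the model observed: 1 unfixed, 0 fixed. */
int double_frees_after_failed_fork(int fixed)
{
    int dbl = 0;
    nfreed = 0;
    struct task_struct current = { .time_in_state = calloc(8, sizeof(unsigned long)) };
    struct task_struct *p = dup_task_struct(&current);
    if (fixed)
        cpufreq_task_stats_init(p);        /* the fix: reset right after dup */
    dbl += cpufreq_task_stats_free(p);     /* bad_fork_free -> free_task(p) */
    free(p);
    dbl += cpufreq_task_stats_free(&current); /* current exits: frees its stats */
    return dbl;
}
```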
