Message ID | 1573103297-7252-1-git-send-email-shenkai8@huawei.com (mailing list archive) |
---|---|
State | Mainlined, archived |
Series | [v3] cpufreq: add NULL check to the store method of cpufreq |
On 07-11-19, 05:08, Shen Kai wrote: > From: Kai Shen <shenkai8@huawei.com> > > Add NULL check in the store function here to avoid NULL callback invoking. > Though some interfaces of cpufreq are set as read-only, user can still get > write permission using chmod which can lead to a kernel crash. > > The following operations can lead to a kernel crash. > > chmod +w /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq > echo 1 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq > > This bug was found on linux 4.19 > > Signed-off-by: Kai Shen <shenkai8@huawei.com> > Reported-by: Feilong Lin <linfeilong@huawei.com> > Reviewed-by: Feilong Lin <linfeilong@huawei.com> > Acked-by: Viresh Kumar <viresh.kumar@linaro.org> > --- > V2->V3 > - use return value -EIO instead. > - do NULL check in show method too. > > drivers/cpufreq/cpufreq.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c > index 48a224a..bc19d6c 100644 > --- a/drivers/cpufreq/cpufreq.c > +++ b/drivers/cpufreq/cpufreq.c > @@ -933,6 +933,9 @@ static ssize_t show(struct kobject *kobj, struct attribute *attr, char *buf) > struct freq_attr *fattr = to_attr(attr); > ssize_t ret; > > + if (!fattr->show) > + return -EIO; > + > down_read(&policy->rwsem); > ret = fattr->show(policy, buf); > up_read(&policy->rwsem); > @@ -947,6 +950,9 @@ static ssize_t store(struct kobject *kobj, struct attribute *attr, > struct freq_attr *fattr = to_attr(attr); > ssize_t ret = -EINVAL; > > + if (!fattr->store) > + return -EIO; > + > /* > * cpus_read_trylock() is used here to work around a circular lock > * dependency problem with respect to the cpufreq_register_driver(). Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
On Thursday, November 7, 2019 6:08:17 AM CET Shen Kai wrote: > From: Kai Shen <shenkai8@huawei.com> > > Add NULL check in the store function here to avoid NULL callback invoking. > Though some interfaces of cpufreq are set as read-only, user can still get > write permission using chmod which can lead to a kernel crash. > > The following operations can lead to a kernel crash. > > chmod +w /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq > echo 1 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq > > This bug was found on linux 4.19 > > Signed-off-by: Kai Shen <shenkai8@huawei.com> > Reported-by: Feilong Lin <linfeilong@huawei.com> > Reviewed-by: Feilong Lin <linfeilong@huawei.com> > Acked-by: Viresh Kumar <viresh.kumar@linaro.org> > --- > V2->V3 > - use return value -EIO instead. > - do NULL check in show method too. > > drivers/cpufreq/cpufreq.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c > index 48a224a..bc19d6c 100644 > --- a/drivers/cpufreq/cpufreq.c > +++ b/drivers/cpufreq/cpufreq.c > @@ -933,6 +933,9 @@ static ssize_t show(struct kobject *kobj, struct attribute *attr, char *buf) > struct freq_attr *fattr = to_attr(attr); > ssize_t ret; > > + if (!fattr->show) > + return -EIO; > + > down_read(&policy->rwsem); > ret = fattr->show(policy, buf); > up_read(&policy->rwsem); > @@ -947,6 +950,9 @@ static ssize_t store(struct kobject *kobj, struct attribute *attr, > struct freq_attr *fattr = to_attr(attr); > ssize_t ret = -EINVAL; > > + if (!fattr->store) > + return -EIO; > + > /* > * cpus_read_trylock() is used here to work around a circular lock > * dependency problem with respect to the cpufreq_register_driver(). > Applying as 5.5 material with updated subject and changelog (the original ones did not mention the show() function). Thanks!
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c index 48a224a..bc19d6c 100644 --- a/drivers/cpufreq/cpufreq.c +++ b/drivers/cpufreq/cpufreq.c @@ -933,6 +933,9 @@ static ssize_t show(struct kobject *kobj, struct attribute *attr, char *buf) struct freq_attr *fattr = to_attr(attr); ssize_t ret; + if (!fattr->show) + return -EIO; + down_read(&policy->rwsem); ret = fattr->show(policy, buf); up_read(&policy->rwsem); @@ -947,6 +950,9 @@ static ssize_t store(struct kobject *kobj, struct attribute *attr, struct freq_attr *fattr = to_attr(attr); ssize_t ret = -EINVAL; + if (!fattr->store) + return -EIO; + /* * cpus_read_trylock() is used here to work around a circular lock * dependency problem with respect to the cpufreq_register_driver().
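Review bot: The new `if (!fattr->show)` check in show() is not covered by the subject or the changelog body, which only talk about the store path, and the chmod +w / echo reproducer exercises store() only. Please mention show() in the subject and changelog and state under which conditions an attribute can reach show() with a NULL callback, so the -EIO return here is justified on its own rather than by symmetry.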
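Review bot: In the store() hunk the early `return -EIO;` carries no comment, and it sits directly under `ssize_t ret = -EINVAL;`, so a reader sees two different error codes without a reason for either. A one-line comment above `if (!fattr->store)` saying that read-only attributes have no store callback but can still be written once their mode is changed with chmod would document why the check exists and why it returns -EIO (the V2->V3 note records the choice but will not be in the tree). Placing the check ahead of the cpus_read_trylock() block is right, since nothing needs unwinding on that path.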