Headline
CVE-2023-3312: cpufreq: qcom-cpufreq-hw: fix double IO unmap and resource release on exit
A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in the cpufreq subsystem of the Linux Kernel. During device unbind, this flaw leads to a double release problem, resulting in a denial of service.
@@ -43,7 +43,6 @@ struct qcom_cpufreq_soc_data {
struct qcom_cpufreq_data {
void __iomem *base;
- struct resource *res;
/\*
\* Mutex to synchronize between de-init sequence and re-starting LMh
@@ -590,16 +589,12 @@ static int qcom_cpufreq_hw_cpu_exit(struct cpufreq_policy *policy)
{
struct device *cpu_dev = get_cpu_device(policy->cpu);
struct qcom_cpufreq_data *data = policy->driver_data;
- struct resource *res = data->res;
- void __iomem *base = data->base;
dev\_pm\_opp\_remove\_all\_dynamic(cpu\_dev);
dev\_pm\_opp\_of\_cpumask\_remove\_table(policy->related\_cpus);
qcom\_cpufreq\_hw\_lmh\_exit(data);
kfree(policy->freq\_table);
kfree(data);
- iounmap(base);
- release_mem_region(res->start, resource_size(res));
return 0;
}
@@ -718,17 +713,15 @@ static int qcom_cpufreq_hw_driver_probe(struct platform_device *pdev)
for (i = 0; i < num_domains; i++) {
struct qcom_cpufreq_data *data = &qcom_cpufreq.data[i];
struct clk_init_data clk_init = {};
- struct resource *res;
void __iomem *base;
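Review bot: `kfree(data)` is kept on the new side of qcom_cpufreq_hw_cpu_exit, yet the probe hunk further down hands out `data` as `&qcom_cpufreq.data[i]`, an element of a probe-owned array rather than a standalone allocation. If `policy->driver_data` is that same array slot (cpu_init is not in this diff, so this is inferred), freeing it here is the same ownership mismatch the commit fixes for the I/O mapping: a pointer that probe manages is released again on the exit path, and a subsequent unbind or re-init would touch freed memory. Worth confirming who allocates `qcom_cpufreq.data` and then either dropping `kfree(data);` or adding a comment above it that records the ownership, e.g. `/* data is the per-domain entry owned by probe; must not be freed here */`, so the next reader does not have to re-derive it.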
- base = devm_platform_get_and_ioremap_resource(pdev, i, &res);
base = devm\_platform\_ioremap\_resource(pdev, i);
if (IS\_ERR(base)) {
- dev_err(dev, "Failed to map resource %pR\n", res);
dev\_err(dev, "Failed to map resource index %d\\n", i);
return PTR\_ERR(base);
}
data->base = base;
- data->res = res;
/\* Register CPU clock for each frequency domain \*/
clk\_init.name = kasprintf(GFP\_KERNEL, "qcom\_cpufreq%d", i);