[PATCH openEuler-1.0-LTS 0/2] CVE-2026-43328 - Kernel - mailweb.openeuler.org

newer
[PATCH OLK-6.6] netfilter:...

[PATCH openEuler-1.0-LTS 0/2] CVE-2026-43328

older
[PATCH openEuler-1.0-LTS 0/2]...

Xinyu Zheng

27 May 2026 27 May '26

3:59 p.m.

Guangshuo Li (1): cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path Liao Chang (1): cpufreq: governor: Free dbs_data directly when gov->init() fails drivers/cpufreq/cpufreq_governor.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) -- 2.34.1

Reply

Sign in to reply online Use email software

Show replies by date

Xinyu Zheng

27 May 27 May

3:59 p.m.

New subject: [PATCH openEuler-1.0-LTS 1/2] cpufreq: governor: Free dbs_data directly when gov->init() fails

From: Liao Chang <liaochang1@huawei.com> stable inclusion from stable-v5.10.253 commit 4c950a43b16aaef6613e18fc009706a346a97e32 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14886 CVE: CVE-2026-43328 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 916f13884042f615cfbfc0b42cc68dadee826f2a ] Due to the kobject embedded in the dbs_data doest not has a release() method yet, it needs to use kfree() to free dbs_data directly when governor fails to allocate the tunner field of dbs_data. Signed-off-by: Liao Chang <liaochang1@huawei.com> Acked-by: Viresh Kumar <viresh.kumar@linaro.org> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Stable-dep-of: 6dcf9d0064ce ("cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/cpufreq/cpufreq_governor.c [fix context conflicts] Signed-off-by: Lin Yujun <linyujun809@h-partners.com> Signed-off-by: Xinyu Zheng <zhengxinyu6@huawei.com> --- drivers/cpufreq/cpufreq_governor.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c index 7a7884816b90..66a36e389c28 100644 --- a/drivers/cpufreq/cpufreq_governor.c +++ b/drivers/cpufreq/cpufreq_governor.c @@ -463,7 +463,7 @@ int cpufreq_dbs_governor_init(struct cpufreq_policy *policy) ret = gov->init(dbs_data); if (ret) - goto free_policy_dbs_info; + goto free_dbs_data; /* * The sampling interval should not be less than the transition latency @@ -498,6 +498,8 @@ int cpufreq_dbs_governor_init(struct cpufreq_policy *policy) if (!have_governor_per_policy()) gov->gdbs_data = NULL; gov->exit(dbs_data); + +free_dbs_data: kfree(dbs_data); free_policy_dbs_info: -- 2.34.1

Reply

Sign in to reply online Use email software

Xinyu Zheng

3:59 p.m.

New subject: [PATCH openEuler-1.0-LTS 2/2] cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path

From: Guangshuo Li <lgs201920130244@gmail.com> mainline inclusion from mainline-v7.0-rc7 commit 6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14886 CVE: CVE-2026-43328 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release(). Fixes: 4ebe36c94aed ("cpufreq: Fix kobject memleak") Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com> Acked-by: Viresh Kumar <viresh.kumar@linaro.org> Cc: All applicable <stable@vger.kernel.org> Link: https://patch.msgid.link/20260401024535.1395801-1-lgs201920130244@gmail.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Xinyu Zheng <zhengxinyu6@huawei.com> --- drivers/cpufreq/cpufreq_governor.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c index 66a36e389c28..ec155dacea5f 100644 --- a/drivers/cpufreq/cpufreq_governor.c +++ b/drivers/cpufreq/cpufreq_governor.c @@ -491,13 +491,13 @@ int cpufreq_dbs_governor_init(struct cpufreq_policy *policy) /* Failure, so roll back. */ pr_err("initialization failed (dbs_data kobject init error %d)\n", ret); - kobject_put(&dbs_data->attr_set.kobj); - policy->governor_data = NULL; if (!have_governor_per_policy()) gov->gdbs_data = NULL; - gov->exit(dbs_data); + + kobject_put(&dbs_data->attr_set.kobj); + goto free_policy_dbs_info; free_dbs_data: kfree(dbs_data); -- 2.34.1

Reply

Sign in to reply online Use email software

patchwork bot

4:23 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://atomgit.com/openeuler/kernel/merge_requests/22984 邮件列表地址：https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/PDN... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/22984 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/PDN...

Reply

Sign in to reply online Use email software

0

Age (days ago)

0

Last active (days ago)

3 comments

2 participants

tags

participants (2)

patchwork bot
Xinyu Zheng