pass: Remove use-after-free of policy->pass_table during pass_exit_resource()

During the pass_exit_resource(), pass_put_table() frees the
g_pass->policy->pass_table, and after that, pass_hotplug_stop() is
called and uses the pointer. Remove the use-after-free by clearing
policy->pass_table from pass_put_table() instead of
__pass_governor_exit() and checking null from pass_hot_plug_stop().

Change-Id: I00d57320dd9ed9f0bcaed406f066bdce37215656
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

diff --git a/src/pass/pass-gov.c b/src/pass/pass-gov.c
index c51d1a9..25586b6 100644 (file)
--- a/src/pass/pass-gov.c
+++ b/src/pass/pass-gov.c
@@ -103,7 +103,7 @@ static void pass_hotplug_stop(struct pass_policy *policy)
        struct pass_table *table = policy->pass_table;
        int level = policy->max_level;
 
-       if (!policy->hotplug)
+       if (!policy->hotplug || !table)
                return;
 
        policy->hotplug->online = table[level].limit_min_cpu;
@@ -439,7 +439,6 @@ static int __pass_governor_exit(struct pass_policy *policy)
        policy->max_level = 0;
        policy->level_up_threshold = 0;
 
-       policy->pass_table = NULL;
        policy->num_pass_cpu_stats = 0;
 
        policy->gov_timeout = 0;

diff --git a/src/pass/pass-parser.c b/src/pass/pass-parser.c
index 1add5fb..e42f10d 100644 (file)
--- a/src/pass/pass-parser.c
+++ b/src/pass/pass-parser.c
@@ -477,8 +477,10 @@ int pass_get_table(struct pass_policy *policy, char *pass_conf_path)
 
 void pass_put_table(struct pass_policy *policy)
 {
-       if (policy->pass_table)
+       if (policy->pass_table) {
                free(policy->pass_table);
+               policy->pass_table = NULL;
+       }
 
        if (policy->scenario.list)
                free(policy->scenario.list);