CVE-2021-47387

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: schedutil: Use kobject release() method to free sugov_tunables<br /> <br /> The struct sugov_tunables is protected by the kobject, so we can&amp;#39;t free<br /> it directly. Otherwise we would get a call trace like this:<br /> ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30<br /> WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100<br /> Modules linked in:<br /> CPU: 3 PID: 720 Comm: a.sh Tainted: G W 5.14.0-rc1-next-20210715-yocto-standard+ #507<br /> Hardware name: Marvell OcteonTX CN96XX board (DT)<br /> pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)<br /> pc : debug_print_object+0xb8/0x100<br /> lr : debug_print_object+0xb8/0x100<br /> sp : ffff80001ecaf910<br /> x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80<br /> x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000<br /> x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20<br /> x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010<br /> x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365<br /> x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69<br /> x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0<br /> x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001<br /> x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000<br /> x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000<br /> Call trace:<br /> debug_print_object+0xb8/0x100<br /> __debug_check_no_obj_freed+0x1c0/0x230<br /> debug_check_no_obj_freed+0x20/0x88<br /> slab_free_freelist_hook+0x154/0x1c8<br /> kfree+0x114/0x5d0<br /> sugov_exit+0xbc/0xc0<br /> cpufreq_exit_governor+0x44/0x90<br /> cpufreq_set_policy+0x268/0x4a8<br /> store_scaling_governor+0xe0/0x128<br /> store+0xc0/0xf0<br /> sysfs_kf_write+0x54/0x80<br /> kernfs_fop_write_iter+0x128/0x1c0<br /> new_sync_write+0xf0/0x190<br /> vfs_write+0x2d4/0x478<br /> ksys_write+0x74/0x100<br /> __arm64_sys_write+0x24/0x30<br /> invoke_syscall.constprop.0+0x54/0xe0<br /> do_el0_svc+0x64/0x158<br /> el0_svc+0x2c/0xb0<br /> el0t_64_sync_handler+0xb0/0xb8<br /> el0t_64_sync+0x198/0x19c<br /> irq event stamp: 5518<br /> hardirqs last enabled at (5517): [] console_unlock+0x554/0x6c8<br /> hardirqs last disabled at (5518): [] el1_dbg+0x28/0xa0<br /> softirqs last enabled at (5504): [] __do_softirq+0x4d0/0x6c0<br /> softirqs last disabled at (5483): [] irq_exit+0x1b0/0x1b8<br /> <br /> So split the original sugov_tunables_free() into two functions,<br /> sugov_clear_global_tunables() is just used to clear the global_tunables<br /> and the new sugov_tunables_free() is used as kobj_type::release to<br /> release the sugov_tunables safely.