Re: [PATCH v8 2/2] cpufreq: Add boost_freq_req QoS request

Next message: Leon Hwang: "Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values"
Previous message: Li Wang: "Re: [PATCH v2] selftests/mm: skip hugetlb_dio tests when DIO alignment is incompatible"
In reply to: Zhongqiu Han: "Re: [PATCH v8 2/2] cpufreq: Add boost_freq_req QoS request"
Next in thread: Zhongqiu Han: "Re: [PATCH v8 2/2] cpufreq: Add boost_freq_req QoS request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Viresh Kumar

Date: Mon Mar 30 2026 - 01:20:57 EST

On 29-03-26, 17:00, Zhongqiu Han wrote:
> Sorry for the late follow-up on v8. While re-reading the patch, I
> noticed a potential UAF issue on an error path — I might be missing
> something, so I'd appreciate a double-check.
>
> min_freq_req, max_freq_req and boost_freq_req all point into the same
> contiguous kzalloc'd block:
>
> slot0 (min_freq_req + 0) -> min_freq_req
> slot1 (min_freq_req + 1) -> max_freq_req
> slot2 (min_freq_req + 2) -> boost_freq_req
>
> If boost_freq_req is successfully added to the QoS constraints list, but
> the subsequent freq_qos_add_request() for min_freq_req fails, the error
> path does:
>
> kfree(policy->min_freq_req); /* frees the entire block, including slot2
> */
> policy->min_freq_req = NULL;
> goto out_destroy_policy;
>
> policy->boost_freq_req is not set to NULL here, so it becomes a dangling
> pointer into freed memory.

Nice catch.

The right solution to this I guess is to do kfree and setting min_freq_req to
NULL if boost_freq_req fails (just like what happens in min_freq_req failure
now) and then for later failures, don't do kfree at all but just set the failed
qos feature to NULL (like what is done for max_freq_req now).

--
viresh