From 6c350eb9af2e36c40f4c1f2122e4b5b270c011b2 Mon Sep 17 00:00:00 2001 From: Weiping Zhang Date: Fri, 8 Nov 2019 23:43:55 +0800 Subject: [PATCH 5/5] fix invalid pointer dereference banned_cpumask_from_ui The memory of cpu_ban_string was release in sock_handle function, so the banned_cpumask_from_ui will dereference an invalid memory. Fix this issue by delay release memory. Reproduce: echo "settings cpus 0-3" | nc -U `find /var/run/irqbalance/ -name *sock` Signed-off-by: Weiping Zhang --- cputree.c | 7 ++++++- irqbalance.c | 21 ++++++++++++++++++--- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/cputree.c b/cputree.c index 305f617..4c5fdf5 100644 --- a/cputree.c +++ b/cputree.c @@ -39,6 +39,7 @@ #include "irqbalance.h" extern char *banned_cpumask_from_ui; +extern char *cpu_ban_string; GList *cpus; GList *cache_domains; @@ -104,9 +105,13 @@ static void setup_banned_cpus(void) cpus_clear(nohz_full); /* A manually specified cpumask overrides auto-detection. */ - if (banned_cpumask_from_ui != NULL) { + if (cpu_ban_string != NULL && banned_cpumask_from_ui != NULL) { cpulist_parse(banned_cpumask_from_ui, strlen(banned_cpumask_from_ui), banned_cpus); + /* release it safety, it was allocated in sock_handle */ + free(cpu_ban_string); + cpu_ban_string = NULL; + banned_cpumask_from_ui = NULL; goto out; } if (getenv("IRQBALANCE_BANNED_CPUS")) { diff --git a/irqbalance.c b/irqbalance.c index c9379ad..7630e38 100644 --- a/irqbalance.c +++ b/irqbalance.c @@ -65,6 +65,7 @@ int sleep_interval = SLEEP_INTERVAL; int last_interval; GMainLoop *main_loop; +char *cpu_ban_string = NULL; char *banned_cpumask_from_ui = NULL; static void sleep_approx(int seconds) 
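Review bot: Freeing `cpu_ban_string` and clearing `banned_cpumask_from_ui` inside setup_banned_cpus (the `@@ -104` hunk of cputree.c) makes the UI override one-shot: on the next rescan the new condition is false, the function falls through to the IRQBALANCE_BANNED_CPUS / auto-detection branches and, if banned_cpus is reset at the top of the function the way nohz_full visibly is, the manually banned CPUs are silently un-banned. Before the commit the override was re-applied on every rescan (through the dangling pointer this commit fixes), so this is a behavior change the commit message does not mention. A simpler ownership rule would keep the string until it is replaced: leave this hunk as the original `if (banned_cpumask_from_ui != NULL)` with no free, and in sock_handle (the `@@ -469` hunk of irqbalance.c) free the previous `cpu_ban_string` before allocating the new one instead of dropping the request; that removes the dangling pointer, keeps the override sticky across rescans, and needs no `extern` in cputree.c. The new comment also has a typo and should read `/* release it safely; it was allocated in sock_handle */`. setup_banned_cpus continues outside the hunk.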
@@ -469,7 +470,14 @@ gboolean sock_handle(gint fd, GIOCondition condition, gpointer user_data __attri
 free(irq_string);
 } else if (!(strncmp(buff + strlen("settings "), "cpus ", strlen("cpus")))) {
- char *cpu_ban_string = malloc(
+ /*
+ * if cpu_ban_string has not been consumed,
+ * just ignore this request.
+ */
+ if (cpu_ban_string != NULL)
+ goto out_close;
+
+ cpu_ban_string = malloc(
 sizeof(char) * (recv_size - strlen("settings cpus ")));
 if (!cpu_ban_string)
 goto out_close;
@@ -479,9 +487,16 @@ gboolean sock_handle(gint fd, GIOCondition condition, gpointer user_data __attri
 banned_cpumask_from_ui = strtok(cpu_ban_string, " ");
 if (!strncmp(banned_cpumask_from_ui, "NULL", strlen("NULL"))) {
 banned_cpumask_from_ui = NULL;
+ free(cpu_ban_string);
+ cpu_ban_string = NULL;;
+ } else {
+ /*
+ * don't free cpu_ban_string at here, it will be
+ * released after we have store it to @banned_cpus
+ * in setup_banned_cpus function.
+ */
+ need_rescan = 1;
 }
- need_rescan = 1;
- free(cpu_ban_string);
 }
 }
 if (!strncmp(buff, "setup", strlen("setup"))) {
-- 
1.8.3.1
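Review bot: The new `if (cpu_ban_string != NULL) goto out_close;` drops a second `settings cpus` request silently whenever the previous one has not yet been consumed by a rescan, and from what the hunk shows nothing is logged, so an operator who changes the ban list twice between rescans keeps the first value with no indication that the second was discarded. Either log the dropped request before the `goto`, or replace the pending string rather than refusing the request — `free(cpu_ban_string); cpu_ban_string = NULL;` before the `malloc` — which looks safe because the pointer is only read from the same main loop that runs this callback (inferred from the surrounding code; confirm the GLib callbacks and the rescan run on one thread). sock_handle starts and ends outside the hunk.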
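Review bot: `cpu_ban_string = NULL;;` in the `NULL` branch carries a stray second semicolon; it compiles as an empty statement but should read `cpu_ban_string = NULL;`. The same branch also lost its rescan: before the commit `need_rescan = 1;` ran for the `NULL` request as well, whereas now it runs only in the `else` arm, so a `settings cpus NULL` request no longer triggers setup_banned_cpus and the previously banned CPUs stay banned until some other event causes a rescan — if that is intended, say so in the new comment, otherwise move `need_rescan = 1;` back below the if/else. The comment wording could also be tightened to `/* cpu_ban_string stays allocated here; setup_banned_cpus frees it after parsing it into banned_cpus. */`. sock_handle continues outside the hunk.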