[v2] thermal: core: Fix potential use-after-free issues

[PATCH v2 2/2] thermal: core: Free tzp copy along with the thermal zone

Posted by Rafael J. Wysocki 1 month, 3 weeks ago

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

The object pointed to by tz->tzp may still be accessed after being
freed in thermal_zone_device_unregister(), so move the freeing of it
to the point after the removal completion has been completed at which
it cannot be accessed any more.

Fixes: 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure")
Cc: 6.8+ <stable@vger.kernel.org> # 6.8+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---

v1 -> v2: No changes

---
 drivers/thermal/thermal_core.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

Index: linux-pm/drivers/thermal/thermal_core.c
===================================================================
--- linux-pm.orig/drivers/thermal/thermal_core.c
+++ linux-pm/drivers/thermal/thermal_core.c
@@ -1606,14 +1606,12 @@ void thermal_zone_device_unregister(stru
 	ida_destroy(&tz->ida);
 
 	device_del(&tz->device);
-
-	kfree(tz->tzp);
-
 	put_device(&tz->device);
 
 	thermal_notify_tz_delete(tz);
 
 	wait_for_completion(&tz->removal);
+	kfree(tz->tzp);
 	kfree(tz);
 }
 EXPORT_SYMBOL_GPL(thermal_zone_device_unregister);

Re: [PATCH v2 2/2] thermal: core: Free tzp copy along with the thermal zone

Posted by Lukasz Luba 1 month, 3 weeks ago


On 10/3/24 13:27, Rafael J. Wysocki wrote:
> From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> 
> The object pointed to by tz->tzp may still be accessed after being
> freed in thermal_zone_device_unregister(), so move the freeing of it
> to the point after the removal completion has been completed at which
> it cannot be accessed any more.
> 
> Fixes: 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure")
> Cc: 6.8+ <stable@vger.kernel.org> # 6.8+
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> ---
> 
> v1 -> v2: No changes
> 
> ---
>   drivers/thermal/thermal_core.c |    4 +---
>   1 file changed, 1 insertion(+), 3 deletions(-)
> 
> Index: linux-pm/drivers/thermal/thermal_core.c
> ===================================================================
> --- linux-pm.orig/drivers/thermal/thermal_core.c
> +++ linux-pm/drivers/thermal/thermal_core.c
> @@ -1606,14 +1606,12 @@ void thermal_zone_device_unregister(stru
>   	ida_destroy(&tz->ida);
>   
>   	device_del(&tz->device);
> -
> -	kfree(tz->tzp);
> -
>   	put_device(&tz->device);
>   
>   	thermal_notify_tz_delete(tz);
>   
>   	wait_for_completion(&tz->removal);
> +	kfree(tz->tzp);
>   	kfree(tz);
>   }
>   EXPORT_SYMBOL_GPL(thermal_zone_device_unregister);
> 
> 
> 


Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>

[PATCH v2 1/2] thermal: core: Reference count the zone in thermal_zone_get_by_id()
[PATCH v2 2/2] thermal: core: Free tzp copy along with the thermal zone