hwmon: (occ) Fix bugs in power sensor, extended sensor, and remove path

[PATCH 3/3] hwmon: (occ) Fix potential NULL dereference in p9_sbe_occ_remove()

Posted by Pradhan, Sanman 6 days, 20 hours ago

From: Sanman Pradhan <psanman@juniper.net>

In p9_sbe_occ_remove(), ctx->sbe is set to NULL before
occ_shutdown() is called. Since occ_shutdown() calls
hwmon_device_unregister(), there is a window between clearing
ctx->sbe and the hwmon device being unregistered where a
concurrent sysfs read could trigger p9_sbe_occ_send_cmd(),
which calls fsi_occ_submit() with a NULL sbe pointer, causing
a NULL pointer dereference.

Fix this by calling occ_shutdown() first to unregister the hwmon
device. hwmon_device_unregister() drains pending sysfs readers
via kernfs_drain(), so after it returns no more callbacks can
access ctx->sbe.

Fixes: 5b5513b88002 ("hwmon: Add On-Chip Controller (OCC) hwmon driver")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
---
 drivers/hwmon/occ/p9_sbe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hwmon/occ/p9_sbe.c b/drivers/hwmon/occ/p9_sbe.c
index 1e3749dfa598..0f5f87836dbd 100644
--- a/drivers/hwmon/occ/p9_sbe.c
+++ b/drivers/hwmon/occ/p9_sbe.c
@@ -174,8 +174,8 @@ static void p9_sbe_occ_remove(struct platform_device *pdev)
 
 	device_remove_bin_file(occ->bus_dev, &bin_attr_ffdc);
 
-	ctx->sbe = NULL;
 	occ_shutdown(occ);
+	ctx->sbe = NULL;
 
 	kvfree(ctx->ffdc);
 }
-- 
2.34.1

[PATCH 1/3] hwmon: (occ) Fix division by zero in occ_show_power_1()
[PATCH 2/3] hwmon: (occ) Fix missing newline in occ_show_extended()
[PATCH 3/3] hwmon: (occ) Fix potential NULL dereference in p9_sbe_occ_remove()