Message ID | 20211015083230.67658-1-songyuanzheng@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Delegated to: | Daniel Lezcano |
Series | [-next] Fix null pointer dereference in thermal_release() |
On 15/10/2021 10:32, Yuanzheng Song wrote: > If both dev_set_name() and device_register() failed, then > null pointer dereference occurs in thermal_release() which > will use strncmp() to compare the name. > > So fix it by adding dev_set_name() return value check. > > Signed-off-by: Yuanzheng Song <songyuanzheng@huawei.com> Applied, thanks > --- > drivers/thermal/thermal_core.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c > index 9e243d9f929e..6904b97fd6ea 100644 > --- a/drivers/thermal/thermal_core.c > +++ b/drivers/thermal/thermal_core.c > @@ -904,6 +904,10 @@ __thermal_cooling_device_register(struct device_node *np, > goto out_kfree_cdev; > cdev->id = ret; > > + ret = dev_set_name(&cdev->device, "cooling_device%d", cdev->id); > + if (ret) > + goto out_ida_remove; > + > cdev->type = kstrdup(type ? type : "", GFP_KERNEL); > if (!cdev->type) { > ret = -ENOMEM; > @@ -918,7 +922,6 @@ __thermal_cooling_device_register(struct device_node *np, > cdev->device.class = &thermal_class; > cdev->devdata = devdata; > thermal_cooling_device_setup_sysfs(cdev); > - dev_set_name(&cdev->device, "cooling_device%d", cdev->id); > ret = device_register(&cdev->device); > if (ret) > goto out_kfree_type; > @@ -1229,6 +1232,10 @@ thermal_zone_device_register(const char *type, int trips, int mask, > tz->id = id; > strlcpy(tz->type, type, sizeof(tz->type)); > > + result = dev_set_name(&tz->device, "thermal_zone%d", tz->id); > + if (result) > + goto remove_id; > + > if (!ops->critical) > ops->critical = thermal_zone_device_critical; > > @@ -1250,7 +1257,6 @@ thermal_zone_device_register(const char *type, int trips, int mask, > /* A new thermal zone needs to be updated anyway. */ > atomic_set(&tz->need_update, 1); > > - dev_set_name(&tz->device, "thermal_zone%d", tz->id); > result = device_register(&tz->device); > if (result) > goto release_device; >
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 9e243d9f929e..6904b97fd6ea 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -904,6 +904,10 @@ __thermal_cooling_device_register(struct device_node *np, goto out_kfree_cdev; cdev->id = ret; + ret = dev_set_name(&cdev->device, "cooling_device%d", cdev->id); + if (ret) + goto out_ida_remove; + cdev->type = kstrdup(type ? type : "", GFP_KERNEL); if (!cdev->type) { ret = -ENOMEM; @@ -918,7 +922,6 @@ __thermal_cooling_device_register(struct device_node *np, cdev->device.class = &thermal_class; cdev->devdata = devdata; thermal_cooling_device_setup_sysfs(cdev); - dev_set_name(&cdev->device, "cooling_device%d", cdev->id); ret = device_register(&cdev->device); if (ret) goto out_kfree_type; @@ -1229,6 +1232,10 @@ thermal_zone_device_register(const char *type, int trips, int mask, tz->id = id; strlcpy(tz->type, type, sizeof(tz->type)); + result = dev_set_name(&tz->device, "thermal_zone%d", tz->id); + if (result) + goto remove_id; + if (!ops->critical) ops->critical = thermal_zone_device_critical; @@ -1250,7 +1257,6 @@ thermal_zone_device_register(const char *type, int trips, int mask, /* A new thermal zone needs to be updated anyway. */ atomic_set(&tz->need_update, 1); - dev_set_name(&tz->device, "thermal_zone%d", tz->id); result = device_register(&tz->device); if (result) goto release_device;
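Review bot: in __thermal_cooling_device_register(), the relocated dev_set_name() now runs before `cdev->type = kstrdup(type ? type : "", GFP_KERNEL);`, so the `if (!cdev->type)` failure path executes with a device name already allocated. dev_set_name() allocates that string, and nothing in the visible lines shows this early exit freeing it. Please confirm that every unwind label reachable after the new call releases the name (put_device() once the device has been initialized, otherwise an explicit free), so the NULL dereference is not replaced by a leak on the error path.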
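Review bot: in thermal_zone_device_register(), `goto remove_id` covers a failing dev_set_name(), but the name is now allocated at line 1232 of the new file while device_register() is not reached until line 1257. Any error exit taken between those two calls has to free the name as well, so the labels used in that range deserve a check alongside remove_id and release_device. The changelog would also benefit from a Fixes: tag naming the commit that left the dev_set_name() return value unchecked, so the change can be matched to affected trees.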
If both dev_set_name() and device_register() failed, then null pointer dereference occurs in thermal_release() which will use strncmp() to compare the name.

So fix it by adding dev_set_name() return value check.

Signed-off-by: Yuanzheng Song <songyuanzheng@huawei.com>
---
drivers/thermal/thermal_core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)