| Message ID | 4623516.LvFx2qVVIh@rjwysocki.net (mailing list archive) |
|---|---|
| State | Mainlined, archived |
| Headers | show |
| Series | thermal: core: Fix potential use-after-free issues | expand |
On 10/3/24 13:27, Rafael J. Wysocki wrote: > From: Rafael J. Wysocki <rafael.j.wysocki@intel.com> > > The object pointed to by tz->tzp may still be accessed after being > freed in thermal_zone_device_unregister(), so move the freeing of it > to the point after the removal completion has been completed at which > it cannot be accessed any more. > > Fixes: 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure") > Cc: 6.8+ <stable@vger.kernel.org> # 6.8+ > Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> > --- > > v1 -> v2: No changes > > --- > drivers/thermal/thermal_core.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > Index: linux-pm/drivers/thermal/thermal_core.c > =================================================================== > --- linux-pm.orig/drivers/thermal/thermal_core.c > +++ linux-pm/drivers/thermal/thermal_core.c > @@ -1606,14 +1606,12 @@ void thermal_zone_device_unregister(stru > ida_destroy(&tz->ida); > > device_del(&tz->device); > - > - kfree(tz->tzp); > - > put_device(&tz->device); > > thermal_notify_tz_delete(tz); > > wait_for_completion(&tz->removal); > + kfree(tz->tzp); > kfree(tz); > } > EXPORT_SYMBOL_GPL(thermal_zone_device_unregister); > > > Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
Index: linux-pm/drivers/thermal/thermal_core.c =================================================================== --- linux-pm.orig/drivers/thermal/thermal_core.c +++ linux-pm/drivers/thermal/thermal_core.c @@ -1606,14 +1606,12 @@ void thermal_zone_device_unregister(stru ida_destroy(&tz->ida); device_del(&tz->device); - - kfree(tz->tzp); - put_device(&tz->device); thermal_notify_tz_delete(tz); wait_for_completion(&tz->removal); + kfree(tz->tzp); kfree(tz); } EXPORT_SYMBOL_GPL(thermal_zone_device_unregister);