[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20180905165327.GA1841@localhost.localdomain>
Date: Wed, 5 Sep 2018 09:53:29 -0700
From: Eduardo Valentin <edubezval@...il.com>
To: Dmitry Osipenko <digetx@...il.com>
Cc: Zhang Rui <rui.zhang@...el.com>,
Viresh Kumar <viresh.kumar@...aro.org>,
linux-pm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] thermal: core: Fix use-after-free in
thermal_cooling_device_destroy_sysfs
On Mon, Aug 13, 2018 at 08:14:00PM +0300, Dmitry Osipenko wrote:
> This patch fixes use-after-free that was detected by KASAN. The bug is
> triggered on a CPUFreq driver module unload by freeing 'cdev' on device
> unregister and then using the freed structure during of the cdev's sysfs
> data destruction. The solution is to unregister the sysfs at first, then
> destroy sysfs data and finally release the cooling device.
>
> Cc: <stable@...r.kernel.org> # v4.17+
> Fixes: 8ea229511e06 ("thermal: Add cooling device's statistics in sysfs")
> Signed-off-by: Dmitry Osipenko <digetx@...il.com>
Acked-by: Eduardo Valentin <edubezval@...il.com>
Rui, can you please queue this one?
> ---
> drivers/thermal/thermal_core.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
> index 6ab982309e6a..441778100887 100644
> --- a/drivers/thermal/thermal_core.c
> +++ b/drivers/thermal/thermal_core.c
> @@ -1102,8 +1102,9 @@ void thermal_cooling_device_unregister(struct thermal_cooling_device *cdev)
> mutex_unlock(&thermal_list_lock);
>
> ida_simple_remove(&thermal_cdev_ida, cdev->id);
> - device_unregister(&cdev->device);
> + device_del(&cdev->device);
> thermal_cooling_device_destroy_sysfs(cdev);
> + put_device(&cdev->device);
> }
> EXPORT_SYMBOL_GPL(thermal_cooling_device_unregister);
>
> --
> 2.18.0
>
Powered by blists - more mailing lists