thermal: core: Fix use-after-free in thermal_zone_device_unregister()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The user-after-free bug in thermal_zone_device_unregister() is reported by
KASAN. It happens because struct thermal_zone_device is released during of
device_unregister() invocation, and hence the "tz" variable shouldn't be
touched by thermal_notify_tz_delete(tz->id).

Fixes: 55cdf0a283b8 ("thermal: core: Add notifications call in the framework")
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20200817235854.26816-1-digetx@gmail.com

authored by

Dmitry Osipenko and committed by

Daniel Lezcano 5 years ago a5f785ce 0ffdab6f

+3 -2

1 changed file

expand all

drivers

thermal

thermal_core.c

+3 -2

drivers/thermal/thermal_core.c

··· 1516 1516 */ 1517 1517 void thermal_zone_device_unregister(struct thermal_zone_device *tz) 1518 1518 { 1519 - int i; 1519 + int i, tz_id; 1520 1520 const struct thermal_zone_params *tzp; 1521 1521 struct thermal_cooling_device *cdev; 1522 1522 struct thermal_zone_device *pos = NULL; ··· 1525 1525 return; 1526 1526 1527 1527 tzp = tz->tzp; 1528 + tz_id = tz->id; 1528 1529 1529 1530 mutex_lock(&thermal_list_lock); 1530 1531 list_for_each_entry(pos, &thermal_tz_list, node) ··· 1568 1567 mutex_destroy(&tz->lock); 1569 1568 device_unregister(&tz->device); 1570 1569 1571 - thermal_notify_tz_delete(tz->id); 1570 + thermal_notify_tz_delete(tz_id); 1572 1571 } 1573 1572 EXPORT_SYMBOL_GPL(thermal_zone_device_unregister); 1574 1573