
[v1,1/2] thermal: core: Reference count the zone in thermal_zone_get_by_id()

Message ID 6104329.lOV4Wx5bFT@rjwysocki.net
State New
Series thermal: core: Fix potential use-after-free issues | expand

Commit Message

Rafael J. Wysocki Oct. 2, 2024, 2:57 p.m. UTC
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

There are places in the thermal netlink code where nothing prevents
a thermal zone object from going away while being accessed after it
has been returned by thermal_zone_get_by_id().

To address this, make thermal_zone_get_by_id() get a reference on the
thermal zone device object to be returned with the help of get_device(),
under thermal_list_lock, and adjust all of its callers to this change.

Fixes: 1ce50e7d408e ("thermal: core: genetlink support for events/cmd/sampling")
Cc: 6.8+ <stable@vger.kernel.org> # 6.8+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/thermal/thermal_core.c    |    1 +
 drivers/thermal/thermal_core.h    |    5 +++++
 drivers/thermal/thermal_netlink.c |   22 ++++++++++++++--------
 3 files changed, 20 insertions(+), 8 deletions(-)

Patch

Index: linux-pm/drivers/thermal/thermal_core.c
===================================================================
--- linux-pm.orig/drivers/thermal/thermal_core.c
+++ linux-pm/drivers/thermal/thermal_core.c
@@ -728,6 +728,7 @@  struct thermal_zone_device *thermal_zone
 	mutex_lock(&thermal_list_lock);
 	list_for_each_entry(tz, &thermal_tz_list, node) {
 		if (tz->id == id) {
+			get_device(&tz->device);
 			match = tz;
 			break;
 		}
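Review bot: The added `get_device(&tz->device)` turns the return value of thermal_zone_get_by_id() into an owned reference, but nothing in the visible lines states that contract, so a future caller can leak the zone by forgetting the put. The function header lies outside this hunk; a comment above it such as `/* Returns the zone with a device reference held; the caller must release it with thermal_zone_put(). */` would make the pairing explicit. It is also worth saying there that the reference is taken while `thermal_list_lock` is held, since that is what keeps the zone from going away between the lookup and the get.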
Index: linux-pm/drivers/thermal/thermal_core.h
===================================================================
--- linux-pm.orig/drivers/thermal/thermal_core.h
+++ linux-pm/drivers/thermal/thermal_core.h
@@ -194,6 +194,11 @@  int for_each_thermal_governor(int (*cb)(
 
 struct thermal_zone_device *thermal_zone_get_by_id(int id);
 
+static inline void thermal_zone_put(struct thermal_zone_device *tz)
+{
+	put_device(&tz->device);
+}
+
 static inline bool cdev_is_power_actor(struct thermal_cooling_device *cdev)
 {
 	return cdev->ops->get_requested_power && cdev->ops->state2power &&
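Review bot: thermal_zone_put() computes `&tz->device` unconditionally, so unlike `put_device(NULL)` it is not safe to call with a NULL zone unless `device` happens to sit at offset zero of the struct, which these lines do not show. The callers in this patch only reach it after a successful lookup, but the helper is exported through the header without saying so. Either document the precondition with `/* Drop the reference taken by thermal_zone_get_by_id(); tz must not be NULL. */` or make it tolerant with `if (tz) put_device(&tz->device);`.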
Index: linux-pm/drivers/thermal/thermal_netlink.c
===================================================================
--- linux-pm.orig/drivers/thermal/thermal_netlink.c
+++ linux-pm/drivers/thermal/thermal_netlink.c
@@ -445,7 +445,7 @@  static int thermal_genl_cmd_tz_get_trip(
 	const struct thermal_trip_desc *td;
 	struct thermal_zone_device *tz;
 	struct nlattr *start_trip;
-	int id;
+	int id, ret = -EMSGSIZE;
 
 	if (!p->attrs[THERMAL_GENL_ATTR_TZ_ID])
 		return -EINVAL;
@@ -458,7 +458,7 @@  static int thermal_genl_cmd_tz_get_trip(
 
 	start_trip = nla_nest_start(msg, THERMAL_GENL_ATTR_TZ_TRIP);
 	if (!start_trip)
-		return -EMSGSIZE;
+		goto out_put;
 
 	mutex_lock(&tz->lock);
 
@@ -470,19 +470,20 @@  static int thermal_genl_cmd_tz_get_trip(
 		    nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TRIP_TYPE, trip->type) ||
 		    nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TRIP_TEMP, trip->temperature) ||
 		    nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TRIP_HYST, trip->hysteresis))
-			goto out_cancel_nest;
+			goto out_unlock;
 	}
 
-	mutex_unlock(&tz->lock);
-
 	nla_nest_end(msg, start_trip);
 
-	return 0;
+	ret = 0;
 
-out_cancel_nest:
+out_unlock:
 	mutex_unlock(&tz->lock);
 
-	return -EMSGSIZE;
+out_put:
+	thermal_zone_put(tz);
+
+	return ret;
 }
 
 static int thermal_genl_cmd_tz_get_temp(struct param *p)
@@ -501,6 +502,9 @@  static int thermal_genl_cmd_tz_get_temp(
 		return -EINVAL;
 
 	ret = thermal_zone_get_temp(tz, &temp);
+
+	thermal_zone_put(tz);
+
 	if (ret)
 		return ret;
 
@@ -535,6 +539,8 @@  static int thermal_genl_cmd_tz_get_gov(s
 
 	mutex_unlock(&tz->lock);
 
+	thermal_zone_put(tz);
+
 	return ret;
 }