diff mbox series

[v1] thermal: core: Fix NULL pointer dereference in zone registration error path

Message ID 5737641.DvuYhMxLoT@kreacher
State New
Headers show
Series [v1] thermal: core: Fix NULL pointer dereference in zone registration error path | expand

Commit Message

Rafael J. Wysocki Dec. 14, 2023, 10:52 a.m. UTC 
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

If device_register() in thermal_zone_device_register_with_trips()
returns an error, the tz variable is set to NULL and subsequently
dereferenced in kfree(tz->tzp).

Commit adc8749b150c ("thermal/drivers/core: Use put_device() if
device_register() fails") added the tz = NULL assignment in question to
avoid a possible double-free after dropping the reference to the zone
device.  However, after commit 4649620d9404 ("thermal: core: Make
thermal_zone_device_unregister() return after freeing the zone"), that
assignment has become redundant, because dropping the reference to the
zone device does not cause the zone object to be freed any more.

Drop it to address the NULL pointer dereference.

Fixes: 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/thermal/thermal_core.c |    1 -
 1 file changed, 1 deletion(-)

Comments

Lukasz Luba Dec. 15, 2023, 3:31 p.m. UTC | #1 
On 12/14/23 10:52, Rafael J. Wysocki wrote:
> From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> 
> If device_register() in thermal_zone_device_register_with_trips()
> returns an error, the tz variable is set to NULL and subsequently
> dereferenced in kfree(tz->tzp).
> 
> Commit adc8749b150c ("thermal/drivers/core: Use put_device() if
> device_register() fails") added the tz = NULL assignment in question to
> avoid a possible double-free after dropping the reference to the zone
> device.  However, after commit 4649620d9404 ("thermal: core: Make
> thermal_zone_device_unregister() return after freeing the zone"), that
> assignment has become redundant, because dropping the reference to the
> zone device does not cause the zone object to be freed any more.
> 
> Drop it to address the NULL pointer dereference.
> 
> Fixes: 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure")
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> ---
>   drivers/thermal/thermal_core.c |    1 -
>   1 file changed, 1 deletion(-)
> 
> Index: linux-pm/drivers/thermal/thermal_core.c
> ===================================================================
> --- linux-pm.orig/drivers/thermal/thermal_core.c
> +++ linux-pm/drivers/thermal/thermal_core.c
> @@ -1394,7 +1394,6 @@ unregister:
>   	device_del(&tz->device);
>   release_device:
>   	put_device(&tz->device);
> -	tz = NULL;
>   remove_id:
>   	ida_free(&thermal_tz_ida, id);
>   free_tzp:
> 
> 
> 

Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
diff mbox series

Patch

Index: linux-pm/drivers/thermal/thermal_core.c
===================================================================
--- linux-pm.orig/drivers/thermal/thermal_core.c
+++ linux-pm/drivers/thermal/thermal_core.c
@@ -1394,7 +1394,6 @@  unregister:
 	device_del(&tz->device);
 release_device:
 	put_device(&tz->device);
-	tz = NULL;
 remove_id:
 	ida_free(&thermal_tz_ida, id);
 free_tzp: