Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3363032imm; Mon, 13 Aug 2018 10:19:44 -0700 (PDT) X-Google-Smtp-Source: AA+uWPzZkLeS842q32E3cwDu866mEUK9xjXwPNQw5WDq0yVWfFMXwo++Tje9RztPoSSHDFNMxPbL X-Received: by 2002:a65:60cf:: with SMTP id r15-v6mr17666874pgv.41.1534180784828; Mon, 13 Aug 2018 10:19:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534180784; cv=none; d=google.com; s=arc-20160816; b=fXOHGPmrNOpC/i19+s1hm+mJ/egnF2NHKsJH+QsCY5avaNx13fUXWSZw5oCvK2xyHe Q0W1xbujZGJEweTAzUHPXyq19i+Pg08gr1i+p+gMxAWT7yXSiXsl01J4mVOxd56tuehj LCAr4wi581VgkvPNcD6VBXTFk1/t7VIaBvYFuY9i+DtQII1YuCt5RCSI7xuluFffHncr nkfskCiSB7PQvCK8IfE/KCg2Bd2/O0E1nmws1xZSdDW0geH3JmQ58opc10gvLuhT3845 Q3QOqL/eVN9/sWz+rSZWWtptBPg7kpkpk9klL28E1bXN+dyoFIzV3ksTLkq0twHMEZp9 tLcg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=DuFSKhyYXiiAEi/6GXubJA51ktpXVO+UL/noS/eZw5s=; b=FbL1rJ9r+29Jmwh6HkYYxaB9/BnGp/ED0hatwYXaf7eteXxAX2w7g2eFUH5i4TE3tx ZErLYam7Md3W6KcvV7rL8qpELKoT4t4YXIqwo2p3+Qjpg3ctKmBWDD+MHlKqs+PmA6v4 K9lCxMr+RZlwzHvGSD6W6t7O30utGD5rOdRKWR3zMdVlfr2wx/x7Ytpw0QY4ozopdI0Z +rjn8W1bodr7lnFkOnBOTtDzzbCx+VuMXqMWcRU1Oh/zOhsm2jNCMwkBAsquO/XQgUdJ aX3vyv9Sg+avIs4NyAUjyWTJ5YMW78MoGcCUHLtntD0DTALcBcAJq6CTlBKrM8Zd+J+k DmTQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=M1aWeDxZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l26-v6si16626961pfo.325.2018.08.13.10.19.29; Mon, 13 Aug 2018 10:19:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=M1aWeDxZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730403AbeHMT64 (ORCPT + 99 others); Mon, 13 Aug 2018 15:58:56 -0400 Received: from mail-lf1-f66.google.com ([209.85.167.66]:46541 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729070AbeHMT64 (ORCPT ); Mon, 13 Aug 2018 15:58:56 -0400 Received: by mail-lf1-f66.google.com with SMTP id l16-v6so11774714lfc.13; Mon, 13 Aug 2018 10:15:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=DuFSKhyYXiiAEi/6GXubJA51ktpXVO+UL/noS/eZw5s=; b=M1aWeDxZA9y32NI8Ibcp8r2rNIoZ/JCA0gAI2nbSKhmjpjG3Qamyww68PYGbmz127c /I/FqwPC7ah/KQC3VTUsrrO9M5XvmxSDVH6etdKfWaZ/yZ/FqC512uue9Ia3ioXadFja IWd57U144aonVc/aElZIo/l6gbRRwGBcplCWvbcC4Toex9b5fqrxeaGWKkshzi01s8mX PeRBVRo3KRCKAIfgeY89knwSlens4UWthO/ThU9TjEEBZrMK2CWx2HJPyG/ZF/Rl6jro JB18RgmmMXKdIBaa9+UYKi10xaDU0nOxsZ+rI1h+MNseE+dn5IKkrcHhn/IHZPgxo7ex sCTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=DuFSKhyYXiiAEi/6GXubJA51ktpXVO+UL/noS/eZw5s=; b=XgM76cyGudRNSxku5Rgd1zd738CHGfCyQuNQf6AvbdqEWmTyZtO0jsnMD3zlg7cvCr jzolJw32boxmq7t+duumYwNzEm+cPaxxl9TVlLVwu2O1x0f3GN1WfwJN4IQuGh/nWRbG P8/WKuRE60sX/eMAp56AY0PrQpxoout2VNVpnigskiRDofy9KXmt1J34LEZNez93MNzQ giRqN+0CnHtGgu7/Xii3raIwTxqbupYOghK+UXW8b+Em42+L8Hz+K89eM+RZGG19gXvL 1kcvTH4Px5NMyZ9B0d2+TTliOSqTi42QRHCk2Ijlrgj1vanxJJNeuvej3gJqxoPApPah U4nw== X-Gm-Message-State: AOUpUlFDD3gfDL7QBNw6ZSMosny+yFBfWPhKyH3VtU1dh8/SFf1YwhPa OXOyZfCaWUzyU8C6u+OxNYw= X-Received: by 2002:a19:c954:: with SMTP id z81-v6mr11075308lff.107.1534180548614; Mon, 13 Aug 2018 10:15:48 -0700 (PDT) Received: from localhost.localdomain (109-252-90-13.nat.spd-mgts.ru. [109.252.90.13]) by smtp.gmail.com with ESMTPSA id i1-v6sm3098709ljg.43.2018.08.13.10.15.47 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Aug 2018 10:15:47 -0700 (PDT) From: Dmitry Osipenko To: Zhang Rui , Eduardo Valentin , Viresh Kumar Cc: linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v1] thermal: core: Fix use-after-free in thermal_cooling_device_destroy_sysfs Date: Mon, 13 Aug 2018 20:14:00 +0300 Message-Id: <20180813171400.15345-1-digetx@gmail.com> X-Mailer: git-send-email 2.18.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patch fixes use-after-free that was detected by KASAN. The bug is triggered on a CPUFreq driver module unload by freeing 'cdev' on device unregister and then using the freed structure during of the cdev's sysfs data destruction. The solution is to unregister the sysfs at first, then destroy sysfs data and finally release the cooling device. Cc: # v4.17+ Fixes: 8ea229511e06 ("thermal: Add cooling device's statistics in sysfs") Signed-off-by: Dmitry Osipenko --- drivers/thermal/thermal_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 6ab982309e6a..441778100887 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -1102,8 +1102,9 @@ void thermal_cooling_device_unregister(struct thermal_cooling_device *cdev) mutex_unlock(&thermal_list_lock); ida_simple_remove(&thermal_cdev_ida, cdev->id); - device_unregister(&cdev->device); + device_del(&cdev->device); thermal_cooling_device_destroy_sysfs(cdev); + put_device(&cdev->device); } EXPORT_SYMBOL_GPL(thermal_cooling_device_unregister); -- 2.18.0