Subject: Re: [PATCH v2] thermal: Fix a NULL pointer dereference
To: Subbaraman Narayanamurthy, Zhang Rui, Amit Kucheria
Cc: linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org, David Collins, Manaf Meethalavalappu Pallikunhi, Ram Chandrasekar, stable@vger.kernel.org
References: <1631041289-11804-1-git-send-email-quic_subbaram@quicinc.com>
From: Daniel Lezcano
Message-ID: <55999619-22c7-63fd-7006-f91f144e4a60@linaro.org>
Date: Fri, 17 Sep 2021 11:31:00 +0200

On 07/09/2021 21:01, Subbaraman Narayanamurthy wrote:
> of_parse_thermal_zones() parses the thermal-zones node and registers a
> thermal_zone device for each subnode. However, if a thermal zone is
> consuming a thermal sensor and that thermal sensor device hasn't probed
> yet, an attempt to set trip_point_*_temp for that thermal zone device
> can cause a NULL pointer dereference. Fix it.
>
> console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp
> ...
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
> ...
> Call trace:
> of_thermal_set_trip_temp+0x40/0xc4
> trip_point_temp_store+0xc0/0x1dc
> dev_attr_store+0x38/0x88
> sysfs_kf_write+0x64/0xc0
> kernfs_fop_write_iter+0x108/0x1d0
> vfs_write+0x2f4/0x368
> ksys_write+0x7c/0xec
> __arm64_sys_write+0x20/0x30
> el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc
> do_el0_svc+0x28/0xa0
> el0_svc+0x14/0x24
> el0_sync_handler+0x88/0xec
> el0_sync+0x1c0/0x200
>
> While at it, fix the possible NULL pointer dereference in other
> functions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),
> of_thermal_get_trend().
>
> Cc: stable@vger.kernel.org
> Suggested-by: David Collins
> Signed-off-by: Subbaraman Narayanamurthy
> ---
> Changes for v2:
> - Added checks in of_thermal_get_temp(), of_thermal_set_emul_temp(), of_thermal_get_trend().
>
> drivers/thermal/thermal_of.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
> > diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c > index 6379f26..9233f7e 100644 > --- a/drivers/thermal/thermal_of.c > +++ b/drivers/thermal/thermal_of.c > @@ -89,7 +89,7 @@ static int of_thermal_get_temp(struct thermal_zone_device *tz, > { > struct __thermal_zone *data = tz->devdata; > > - if (!data->ops->get_temp) > + if (!data->ops || !data->ops->get_temp) comment (1) AFAICT, if data->ops != NULL then data->ops->get_temp is also != NULL because of the code allocating/freeing the ops structure. The tests can be replaced by (!data->ops), no ? > return -EINVAL; > > return data->ops->get_temp(data->sensor_data, temp); > @@ -186,6 +186,9 @@ static int of_thermal_set_emul_temp(struct thermal_zone_device *tz, > { > struct __thermal_zone *data = tz->devdata; > > + if (!data->ops || !data->ops->set_emul_temp) > + return -EINVAL; > + comment (2) The test looks pointless here (I mean both of them). If of_thermal_set_emul_temp() is called it is because the callback was set in thermal_zone_of_add_sensor(). This one does: tz->ops = ops; and if (ops->set_emul_temp) tzd->ops->set_emul_temp = of_thermal_set_emul_temp; If I'm not wrong if we are called, then data->ops && data->ops->set_emul_temp is always true, right ? > return data->ops->set_emul_temp(data->sensor_data, temp); > } > > @@ -194,7 +197,7 @@ static int of_thermal_get_trend(struct thermal_zone_device *tz, int trip, > { > struct __thermal_zone *data = tz->devdata; > > - if (!data->ops->get_trend) > + if (!data->ops || !data->ops->get_trend) > return -EINVAL; Same comment as (1) > return data->ops->get_trend(data->sensor_data, trip, trend); 
> @@ -301,7 +304,7 @@ static int of_thermal_set_trip_temp(struct thermal_zone_device *tz, int trip, > if (trip >= data->ntrips || trip < 0) > return -EDOM; > > - if (data->ops->set_trip_temp) { > + if (data->ops && data->ops->set_trip_temp) { Same comment as (2) > int ret; > > ret = data->ops->set_trip_temp(data->sensor_data, trip, temp); > -- Linaro.org │ Open source software for ARM SoCs Follow Linaro: Facebook | Twitter | Blog
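
Review bot: in the of_thermal_get_temp() hunk (and the same shape in of_thermal_get_trend()), the new test !data->ops || !data->ops->get_temp and the call data->ops->get_temp(data->sensor_data, temp) each load data->ops separately, and no lock is visible between them. If data->ops can change between the two loads, the test passes and the call still dereferences NULL. Either read data->ops once into a local and use it for both the test and the call, or say in the commit message which lock the callers hold that keeps data->ops stable here.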
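
Review bot: the check added to of_thermal_set_emul_temp() comes with no comment or commit-message text saying how the function is reached with data->ops NULL or set_emul_temp unset. The commit message only describes the trip_point_*_temp write path, and the reply above points out that this callback is installed only after ops is assigned. Please name the call path that reaches this state or drop the check; if it stays, a one-line comment above it would keep it from being removed later as dead code.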
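
Review bot: of_thermal_set_trip_temp() now treats a NULL data->ops differently from the other three functions: they return -EINVAL, while here the condition data->ops && data->ops->set_trip_temp only skips the sensor callback and execution continues past the block. This is the function in the reported call trace, so the commit message should state what a write to trip_point_0_temp returns when the sensor has not probed yet, and whether succeeding without calling the sensor is intended. If it is not, return an error when data->ops is NULL, matching the other hunks.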