Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp33090705rwd; Sat, 8 Jul 2023 05:09:52 -0700 (PDT) X-Google-Smtp-Source: APBJJlF7YFdc/I3/TmwGPti9v7Ed42t/xeJ8g8grVBYpSEJpk8U2dCrtVSQ0grpp/HcJ+c555m1e X-Received: by 2002:a9d:73c6:0:b0:6b8:7db8:680f with SMTP id m6-20020a9d73c6000000b006b87db8680fmr9964019otk.32.1688818192541; Sat, 08 Jul 2023 05:09:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1688818192; cv=none; d=google.com; s=arc-20160816; b=IjxfinWP6ck67oj0cLrm4YLKz5JAf0IaWSs8rwFN0X6p1R/yAH5avUl6eWGiQ5Banh Gu0Ui6be7kb1j1plO/SVg+M4654StpJ2pkX4krs1WBEJJhzQDRYdhIinYi7yOjUl9t/t jPWIn+ZRV5BARdAB7oniySMpKLDrgf7gVSzwRoiKSTkTR1sNe/Egz9YuFT66V2DRcIdc jqNj3gFovhL31WG1fJhbNLHr0ciF09m++CHHeTRhBFdhH2cmyMwKFGtk3zHgsAIh5pXz 1EMaXl6LY0vlhqcr5f9WI/EBuEuPeI8crdp2pEIgOex8Vgt46nOVSMYRgx4PeFChQoqW 4T7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=o6aDgNkiO1Qr0rxKpahxYBF6JwFtYEyPGBK/MGbfYy4=; fh=oREYu+TWeGQMqNDlsk9ppZjkWQIjn+uvG0Vh9DLIc6Y=; b=zoTIzTtmd/p6jQWxp+XNiJYeso33coYl0Zk3N5jMa7058n4Dd8PYVXjgRjs/okH6lv AlCkPlI5gR/TgPaNgUFwhhG3tGkrQfjN6ouJumH81x2DiYsqk5VMFEqzZFEh+ob2TqYu jSAdHpapWc3u3v09wA7Zrj6rytk/9TDR8cYnogATUbFYc89xORMy+m+UDmWlvRxrPC53 1Rt2kJAhqYffEexRmAKCbRtzM+k+djhAoYI8CaL34Kt/j34mxUx1SoY5sgQUlzwq7JhI 1LZhdAyqzmFIlCrNO2Dc5BvSsofBVG/KNu9Zma9bixY9ylR3kudo611ax9vUTLdjPr84 RJPA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p8-20020a631e48000000b0055acc7f805bsi5607674pgm.334.2023.07.08.05.09.38; Sat, 08 Jul 2023 05:09:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230107AbjGHL2Q (ORCPT + 99 others); Sat, 8 Jul 2023 07:28:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58124 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230040AbjGHL2P (ORCPT ); Sat, 8 Jul 2023 07:28:15 -0400 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B02981997 for ; Sat, 8 Jul 2023 04:28:03 -0700 (PDT) Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qI66T-0002PN-BZ; Sat, 08 Jul 2023 13:27:53 +0200 Received: from [2a0a:edc0:0:1101:1d::54] (helo=dude05.red.stw.pengutronix.de) by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2) (envelope-from ) id 1qI66S-00CwkO-Lz; Sat, 08 Jul 2023 13:27:52 +0200 Received: from afa by dude05.red.stw.pengutronix.de with local (Exim 4.96) (envelope-from ) id 1qI66S-00C9mn-07; Sat, 08 Jul 2023 13:27:52 +0200 From: Ahmad Fatoum To: "Rafael J. Wysocki" , Daniel Lezcano , Amit Kucheria , Zhang Rui Cc: kernel@pengutronix.de, Ahmad Fatoum , linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 2/2] thermal: of: fix double-free on unregistration Date: Sat, 8 Jul 2023 13:27:20 +0200 Message-Id: <20230708112720.2897484-2-a.fatoum@pengutronix.de> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230708112720.2897484-1-a.fatoum@pengutronix.de> References: <20230708112720.2897484-1-a.fatoum@pengutronix.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: afa@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Since commit 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure"), thermal_zone_device_register() allocates a copy of the tzp argument and frees it when unregistering, so thermal_of_zone_register() now ends up leaking its original tzp and double-freeing the tzp copy. Fix this by locating tzp on stack instead. Fixes: 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure") Signed-off-by: Ahmad Fatoum --- drivers/thermal/thermal_of.c | 27 ++++++--------------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index 6fb14e521197..bc07ae1c284c 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -238,17 +238,13 @@ static int thermal_of_monitor_init(struct device_node *np, int *delay, int *pdel return 0; } -static struct thermal_zone_params *thermal_of_parameters_init(struct device_node *np) +static void thermal_of_parameters_init(struct device_node *np, + struct thermal_zone_params *tzp) { - struct thermal_zone_params *tzp; int coef[2]; int ncoef = ARRAY_SIZE(coef); int prop, ret; - tzp = kzalloc(sizeof(*tzp), GFP_KERNEL); - if (!tzp) - return ERR_PTR(-ENOMEM); - tzp->no_hwmon = true; if (!of_property_read_u32(np, "sustainable-power", &prop)) @@ -267,8 +263,6 @@ static struct thermal_zone_params *thermal_of_parameters_init(struct device_node tzp->slope = coef[0]; tzp->offset = coef[1]; - - return tzp; } static struct device_node *thermal_of_zone_get_by_name(struct thermal_zone_device *tz) @@ -442,13 +436,11 @@ static int thermal_of_unbind(struct thermal_zone_device *tz, static void thermal_of_zone_unregister(struct thermal_zone_device *tz) { struct thermal_trip *trips = tz->trips; - struct thermal_zone_params *tzp = tz->tzp; struct thermal_zone_device_ops *ops = tz->ops; thermal_zone_device_disable(tz); thermal_zone_device_unregister(tz); kfree(trips); - kfree(tzp); kfree(ops); } @@ -477,7 +469,7 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * { struct thermal_zone_device *tz; struct thermal_trip *trips; - struct thermal_zone_params *tzp; + struct thermal_zone_params tzp = {}; struct thermal_zone_device_ops *of_ops; struct device_node *np; int delay, pdelay; @@ -509,12 +501,7 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * goto out_kfree_trips; } - tzp = thermal_of_parameters_init(np); - if (IS_ERR(tzp)) { - ret = PTR_ERR(tzp); - pr_err("Failed to initialize parameter from %pOFn: %d\n", np, ret); - goto out_kfree_trips; - } + thermal_of_parameters_init(np, &tzp); of_ops->bind = thermal_of_bind; of_ops->unbind = thermal_of_unbind; @@ -522,12 +509,12 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * mask = GENMASK_ULL((ntrips) - 1, 0); tz = thermal_zone_device_register_with_trips(np->name, trips, ntrips, - mask, data, of_ops, tzp, + mask, data, of_ops, &tzp, pdelay, delay); if (IS_ERR(tz)) { ret = PTR_ERR(tz); pr_err("Failed to register thermal zone %pOFn: %d\n", np, ret); - goto out_kfree_tzp; + goto out_kfree_trips; } ret = thermal_zone_device_enable(tz); @@ -540,8 +527,6 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * return tz; -out_kfree_tzp: - kfree(tzp); out_kfree_trips: kfree(trips); out_kfree_of_ops: -- 2.39.2