From: "Rafael J. Wysocki"
Date: Fri, 26 Apr 2024 11:18:33 +0200
Subject: Re: [PATCH v1 3/3] thermal/debugfs: Prevent use-after-free from occurring after cdev removal
To: Lukasz Luba
Cc: "Rafael J. Wysocki", Linux PM, LKML, "Rafael J. Wysocki", Daniel Lezcano
X-Mailing-List: linux-kernel@vger.kernel.org
References: <12427744.O9o76ZdvQC@kreacher> <13503555.uLZWGnKmhe@kreacher>

On Fri, Apr 26, 2024 at 12:05 AM Lukasz Luba wrote:
>
>
>
> On 4/25/24 14:57, Rafael J. Wysocki wrote:
> > From: Rafael J. Wysocki
> >
> > Since thermal_debug_cdev_remove() does not run under cdev->lock, it can
> > run in parallel with thermal_debug_cdev_state_update() and it may free
> > the struct thermal_debugfs object used by the latter after it has been
> > checked against NULL.
> >
> > If that happens, thermal_debug_cdev_state_update() will access memory
> > that has been freed already causing the kernel to crash.
> >
> > Address this by using cdev->lock in thermal_debug_cdev_remove() around
> > the cdev->debugfs value check (in case the same cdev is removed at the
> > same time in two differet threads) and its reset to NULL.
>
> s/differet/different/
> >
> > Fixes: 755113d76786 ("thermal/debugfs: Add thermal cooling device debugfs information")
> > Cc :6.8+ # 6.8+
> > Signed-off-by: Rafael J. Wysocki > > --- > > drivers/thermal/thermal_debugfs.c | 10 ++++++++-- > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > Index: linux-pm/drivers/thermal/thermal_debugfs.c > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > --- linux-pm.orig/drivers/thermal/thermal_debugfs.c > > +++ linux-pm/drivers/thermal/thermal_debugfs.c > > @@ -503,15 +503,21 @@ void thermal_debug_cdev_add(struct therm > > */ > > void thermal_debug_cdev_remove(struct thermal_cooling_device *cdev) > > { > > - struct thermal_debugfs *thermal_dbg =3D cdev->debugfs; > > + struct thermal_debugfs *thermal_dbg; > > > > + mutex_lock(&cdev->lock); > > + > > + thermal_dbg =3D cdev->debugfs; > > if (!thermal_dbg) > > mutex_unlock(&cdev->lock) missing here Good catch, thanks! Ho-hum, I'm not sure why I haven't added it here ... I'll send a v2 of this patch shortly. > > return; > > > > + cdev->debugfs =3D NULL; > > + > > + mutex_unlock(&cdev->lock); > > + > > mutex_lock(&thermal_dbg->lock); > > > > thermal_debugfs_cdev_clear(&thermal_dbg->cdev_dbg); > > - cdev->debugfs =3D NULL; > > > > mutex_unlock(&thermal_dbg->lock); > > > > > > > > > > >
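
Review bot: the early return in thermal_debug_cdev_remove() sits after `mutex_lock(&cdev->lock)` with no matching unlock, so when `cdev->debugfs` is already NULL (no debugfs object, or a second concurrent removal, which is the case the changelog calls out) the function returns with cdev->lock still held and the next taker of that lock blocks forever. Brace the `if (!thermal_dbg)` branch and call `mutex_unlock(&cdev->lock)` before `return`, or route both paths through a single unlock. A short comment at the `cdev->debugfs = NULL` assignment saying that it is done under cdev->lock so that thermal_debug_cdev_state_update() cannot pick up the pointer once removal has started would also help, since the reset has moved out of the thermal_dbg->lock section and the reason for that is only in the changelog.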