linux-stable/drivers/thermal
Ziyang Xuan 0a5c26712f thermal/core: fix a UAF bug in __thermal_cooling_device_register()
When device_register() fails, the program will goto out_kfree_type
to release 'cdev->device' by put_device(). That will call thermal_release()
to free 'cdev'. But the follow-up processes continue to access 'cdev'.
That triggers the UAF bug.

====================================================================
BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 dump_stack_lvl+0xe2/0x152
 print_address_description.constprop.0+0x21/0x140
 ? __thermal_cooling_device_register+0x75b/0xa90
 kasan_report.cold+0x7f/0x11b
 ? __thermal_cooling_device_register+0x75b/0xa90
 __thermal_cooling_device_register+0x75b/0xa90
 ? memset+0x20/0x40
 ? __sanitizer_cov_trace_pc+0x1d/0x50
 ? __devres_alloc_node+0x130/0x180
 devm_thermal_of_cooling_device_register+0x67/0xf0
 max6650_probe.cold+0x557/0x6aa
......

Freed by task 258:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x109/0x140
 kfree+0x117/0x4c0
 thermal_release+0xa0/0x110
 device_release+0xa7/0x240
 kobject_put+0x1ce/0x540
 put_device+0x20/0x30
 __thermal_cooling_device_register+0x731/0xa90
 devm_thermal_of_cooling_device_register+0x67/0xf0
 max6650_probe.cold+0x557/0x6aa [max6650]

Do not use 'cdev' again after put_device() to fix the problem, as is done
in thermal_zone_device_register().

[dlezcano]: as requested by Rafael, change the affectation into two statements.

Fixes: 5848376181 ("thermal/drivers/core: Use a char pointer for the cooling device name")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/r/20211015024504.947520-1-william.xuanziyang@huawei.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
2021-10-15 15:38:48 +02:00
broadcom thermal/drivers/bcm2835: Remove redundant dev_err call in bcm2835_thermal_probe() 2021-04-20 08:58:47 +02:00
intel thermal/drivers/int340x: Do not set a wrong tcc offset on resume 2021-09-14 19:53:24 +02:00
qcom thermal/drivers/qcom/spmi-adc-tm5: Add support for HC variant 2021-10-15 09:13:55 +02:00
samsung thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() 2021-08-14 12:40:35 +02:00
st thermal/drivers/st: Use devm_platform_get_and_ioremap_resource() 2021-06-14 19:01:15 +02:00
tegra thermal/drivers/tegra-soctherm: Silence message about clamped temperature 2021-08-14 15:44:15 +02:00
ti-soc-thermal thermal/ti-soc-thermal: Fix kernel-doc 2021-05-24 22:38:05 +02:00
amlogic_thermal.c thermal: amlogic: Omit superfluous error message in amlogic_thermal_probe() 2021-03-10 12:52:55 +01:00
armada_thermal.c thermal: Explicitly enable non-changing thermal zone devices 2020-06-29 20:26:37 +02:00
cpufreq_cooling.c thermal/cpufreq_cooling: Update offline CPUs per-cpu thermal_pressure 2021-06-17 14:11:43 +02:00
cpuidle_cooling.c thermal/drivers/cpuidle_cooling: Fix use after error 2021-04-15 13:21:26 +02:00
da9062-thermal.c thermal/core: Remove ms based delay fields 2021-01-19 22:23:49 +01:00
db8500_thermal.c
devfreq_cooling.c thermal/drivers/devfreq_cooling: use HZ macros 2021-09-08 11:50:25 -07:00
dove_thermal.c thermal: Explicitly enable non-changing thermal zone devices 2020-06-29 20:26:37 +02:00
gov_bang_bang.c
gov_fair_share.c thermal/core/fair share: Use the lockless __thermal_cdev_update() function 2021-04-22 23:51:32 +02:00
gov_power_allocator.c thermal/core/power allocator: Use the lockless __thermal_cdev_update() function 2021-04-22 23:51:32 +02:00
gov_step_wise.c thermal/core: Remove the 'forced_passive' option 2021-01-19 22:22:45 +01:00
gov_user_space.c thermal/governors: Prefix all source files with gov_ 2020-05-22 18:48:54 +02:00
hisi_thermal.c thermal/drivers/hisi: Remove redundant dev_err call in hisi_thermal_probe() 2021-04-20 09:18:57 +02:00
imx8mm_thermal.c thermal: imx8mm: Disable the clock on probe failure 2020-12-04 20:46:03 +01:00
imx_sc_thermal.c thermal/drivers/imx_sc: Add missing of_node_put for loop iteration 2021-06-14 22:41:00 +02:00
imx_thermal.c thermal: imx: Use dev_err_probe() to simplify error handling 2020-10-12 12:08:34 +02:00
k3_bandgap.c thermal: k3: Add support for bandgap sensors 2020-04-14 11:41:12 +02:00
Kconfig thermal/drivers/zx: Remove zx driver 2021-02-03 09:17:47 +01:00
khadas_mcu_fan.c thermal/core: Make cooling device state change private 2021-01-19 22:31:10 +01:00
kirkwood_thermal.c thermal: Explicitly enable non-changing thermal zone devices 2020-06-29 20:26:37 +02:00
Makefile thermal/drivers/zx: Remove zx driver 2021-02-03 09:17:47 +01:00
max77620_thermal.c
mtk_thermal.c thermal/drivers/mediatek: Add sensors-support 2021-07-04 18:28:04 +02:00
qoriq_thermal.c thermal: qoriq: Update the settings for TMUv2 2020-05-29 20:26:51 +02:00
rcar_gen3_thermal.c thermal: rcar_gen3_thermal: Read calibration from hardware 2021-10-15 09:15:52 +02:00
rcar_thermal.c thermal/drivers/rcar: Remove notification usage 2020-12-15 17:01:55 +01:00
rockchip_thermal.c thermal/drivers/rockchip: Support RK3568 SoCs in the thermal driver 2021-06-11 11:30:30 +02:00
spear_thermal.c thermal: Explicitly enable non-changing thermal zone devices 2020-06-29 20:26:37 +02:00
sprd_thermal.c thermal/drivers/sprd: Add missing of_node_put for loop iteration 2021-06-14 22:42:09 +02:00
sun8i_thermal.c thermal: Fix couple of spellos in the file sun8i_thermal.c 2021-03-10 12:54:58 +01:00
thermal-generic-adc.c
thermal_core.c thermal/core: fix a UAF bug in __thermal_cooling_device_register() 2021-10-15 15:38:48 +02:00
thermal_core.h thermal/core: Create a helper __thermal_cdev_update() without a lock 2021-04-22 14:10:28 +02:00
thermal_helpers.c thermal/core: Create a helper __thermal_cdev_update() without a lock 2021-04-22 14:10:28 +02:00
thermal_hwmon.c thermal/drivers/hwmon: Cleanup coding style a bit 2020-11-12 11:24:01 +01:00
thermal_hwmon.h
thermal_mmio.c thermal/drivers/thermal_mmio: Constify static struct thermal_mmio_ops 2021-10-07 15:18:31 +02:00
thermal_netlink.c thermal/drivers/netlink: Add the temperature when crossing a trip point 2021-10-07 15:41:38 +02:00
thermal_netlink.h thermal/drivers/netlink: Add the temperature when crossing a trip point 2021-10-07 15:41:38 +02:00
thermal_of.c thermal/core/thermal_of: Stop zone device before unregistering it 2021-07-04 18:28:04 +02:00
thermal_sysfs.c thermal/core: Add NULL pointer check before using cooling device stats 2021-03-17 09:55:58 +01:00
uniphier_thermal.c