Hi Ido,
On 14/03/2021 10:53, Ido Schimmel wrote:
> On Fri, Mar 12, 2021 at 06:03:12PM +0100, Daniel Lezcano wrote:
>> diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c >> index 996c038f83a4..9ef8090eb645 100644 >> --- a/drivers/thermal/thermal_core.c >> +++ b/drivers/thermal/thermal_core.c >> @@ -960,10 +960,7 @@ __thermal_cooling_device_register(struct device_node >> *np, [ ... ] >> /** >> @@ -1172,6 +1177,7 @@ void thermal_cooling_device_unregister(struct >> thermal_cooling_device *cdev) >> device_del(&cdev->device); >> thermal_cooling_device_destroy_sysfs(cdev); >> put_device(&cdev->device); >> + kfree(cdev->type); >> } >> EXPORT_SYMBOL_GPL(thermal_cooling_device_unregister);
>
> I'm getting the following use-after-free with this patch [1]. Fixed by:
>
> diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c > index 9ef8090eb645..c8d4010940ef 100644 > --- a/drivers/thermal/thermal_core.c > +++ b/drivers/thermal/thermal_core.c > @@ -1176,8 +1176,8 @@ void thermal_cooling_device_unregister(struct > thermal_cooling_device *cdev) > ida_simple_remove(&thermal_cdev_ida, cdev->id); > device_del(&cdev->device); > thermal_cooling_device_destroy_sysfs(cdev); > - put_device(&cdev->device); > kfree(cdev->type); > + put_device(&cdev->device);

Indeed, 'thermal_release' frees the cdev pointer and is called by put_device, then kfree uses the pointer right after.

Thanks for the fix

  -- Daniel

--
<http://www.linaro.org/> Linaro.org │ Open source software for ARM SoCs
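Review bot: in the thermal_cooling_device_unregister() hunk of the original patch, the added kfree(cdev->type) sits after put_device(&cdev->device), so it reads cdev once the reference has been dropped. As the reply states, thermal_release is called by put_device and frees cdev, which makes this a use-after-free on the cdev->type load. The free of type has to happen before the put, or inside the release callback itself.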
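Review bot: in the follow-up fix hunk, moving kfree(cdev->type) ahead of put_device(&cdev->device) removes the read of a freed cdev, but type is now freed while cdev itself may still be alive if put_device is not dropping the last reference. Since thermal_release already frees cdev, consider freeing cdev->type there as well so both allocations share one lifetime and no remaining reference holder can see a dangling type pointer.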