Commit 8ef588aa authored by Rafael J. Wysocki's avatar Rafael J. Wysocki Committed by Xiongfeng Wang
Browse files

thermal: core: Reference count the zone in thermal_zone_get_by_id() 

mainline inclusion
from mainline-v6.12-rc3
commit a42a5839f400e929c489bb1b58f54596c4535167
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF5
CVE: CVE-2024-50028

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a42a5839f400e929c489bb1b58f54596c4535167



--------------------------------

There are places in the thermal netlink code where nothing prevents
the thermal zone object from going away while being accessed after it
has been returned by thermal_zone_get_by_id().

To address this, make thermal_zone_get_by_id() get a reference on the
thermal zone device object to be returned with the help of get_device(),
under thermal_list_lock, and adjust all of its callers to this change
with the help of the cleanup.h infrastructure.

Fixes: 1ce50e7d ("thermal: core: genetlink support for events/cmd/sampling")
Cc: 6.8+ <stable@vger.kernel.org> # 6.8+
Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: default avatarLukasz Luba <lukasz.luba@arm.com>
Link: https://patch.msgid.link/6112242.lOV4Wx5bFT@rjwysocki.net



Conflicts:
	drivers/thermal/thermal_core.h
	drivers/thermal/thermal_netlink.c
[wangxiongfeng: fix context conflicts]
Signed-off-by: default avatarXiongfeng Wang <wangxiongfeng2@huawei.com>
parent 1fd61a1a

drivers/thermal/thermal_core.c

+1 −0
Original line number Diff line number Diff line
@@ -582,6 +582,7 @@ struct thermal_zone_device *thermal_zone_get_by_id(int id) 
	mutex_lock(&thermal_list_lock);

	list_for_each_entry(tz, &thermal_tz_list, node) {

		if (tz->id == id) {

			get_device(&tz->device);

			match = tz;

			break;

		}

drivers/thermal/thermal_core.h

+3 −0
Original line number Diff line number Diff line
@@ -56,6 +56,9 @@ int for_each_thermal_governor(int (*cb)(struct thermal_governor *, void *), 


struct thermal_zone_device *thermal_zone_get_by_id(int id);



DEFINE_CLASS(thermal_zone_get_by_id, struct thermal_zone_device *,

	     if (_T) put_device(&_T->device), thermal_zone_get_by_id(id), int id)



struct thermal_attr {

	struct device_attribute attr;

	char name[THERMAL_NAME_LENGTH];

drivers/thermal/thermal_netlink.c

+3 −6
Original line number Diff line number Diff line
@@ -450,7 +450,6 @@ static int thermal_genl_cmd_tz_get_id(struct param *p) 
static int thermal_genl_cmd_tz_get_trip(struct param *p)

{

	struct sk_buff *msg = p->msg;

	struct thermal_zone_device *tz;

	struct nlattr *start_trip;

	struct thermal_trip trip;

	int ret, i, id;
@@ -460,7 +459,7 @@ static int thermal_genl_cmd_tz_get_trip(struct param *p) 


	id = nla_get_u32(p->attrs[THERMAL_GENL_ATTR_TZ_ID]);



	tz = thermal_zone_get_by_id(id);

	CLASS(thermal_zone_get_by_id, tz)(id);

	if (!tz)

		return -EINVAL;
@@ -498,7 +497,6 @@ static int thermal_genl_cmd_tz_get_trip(struct param *p) 
static int thermal_genl_cmd_tz_get_temp(struct param *p)

{

	struct sk_buff *msg = p->msg;

	struct thermal_zone_device *tz;

	int temp, ret, id;



	if (!p->attrs[THERMAL_GENL_ATTR_TZ_ID])
@@ -506,7 +504,7 @@ static int thermal_genl_cmd_tz_get_temp(struct param *p) 


	id = nla_get_u32(p->attrs[THERMAL_GENL_ATTR_TZ_ID]);



	tz = thermal_zone_get_by_id(id);

	CLASS(thermal_zone_get_by_id, tz)(id);

	if (!tz)

		return -EINVAL;
@@ -524,7 +522,6 @@ static int thermal_genl_cmd_tz_get_temp(struct param *p) 
static int thermal_genl_cmd_tz_get_gov(struct param *p)

{

	struct sk_buff *msg = p->msg;

	struct thermal_zone_device *tz;

	int id, ret = 0;



	if (!p->attrs[THERMAL_GENL_ATTR_TZ_ID])
@@ -532,7 +529,7 @@ static int thermal_genl_cmd_tz_get_gov(struct param *p) 


	id = nla_get_u32(p->attrs[THERMAL_GENL_ATTR_TZ_ID]);



	tz = thermal_zone_get_by_id(id);

	CLASS(thermal_zone_get_by_id, tz)(id);

	if (!tz)

		return -EINVAL;