From 3c587768271e9c20276522025729e4ebca51583b Mon Sep 17 00:00:00 2001 From: Dmitry Osipenko Date: Mon, 13 Aug 2018 20:14:00 +0300 Subject: thermal: core: Fix use-after-free in thermal_cooling_device_destroy_sysfs This patch fixes use-after-free that was detected by KASAN. The bug is triggered on a CPUFreq driver module unload by freeing 'cdev' on device unregister and then using the freed structure during of the cdev's sysfs data destruction. The solution is to unregister the sysfs at first, then destroy sysfs data and finally release the cooling device. Cc: # v4.17+ Fixes: 8ea229511e06 ("thermal: Add cooling device's statistics in sysfs") Signed-off-by: Dmitry Osipenko Acked-by: Viresh Kumar Acked-by: Eduardo Valentin Signed-off-by: Zhang Rui --- drivers/thermal/thermal_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'drivers/thermal') diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 6ab982309e6a..441778100887 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -1102,8 +1102,9 @@ void thermal_cooling_device_unregister(struct thermal_cooling_device *cdev) mutex_unlock(&thermal_list_lock); ida_simple_remove(&thermal_cdev_ida, cdev->id); - device_unregister(&cdev->device); + device_del(&cdev->device); thermal_cooling_device_destroy_sysfs(cdev); + put_device(&cdev->device); } EXPORT_SYMBOL_GPL(thermal_cooling_device_unregister); -- cgit v1.2.3 From c2b59d279dbbac750958f6a1bc4841e431d934e3 Mon Sep 17 00:00:00 2001 From: Jeson Gao Date: Tue, 4 Sep 2018 15:14:08 +0800 Subject: thermal: core: using power_efficient_wq for thermal worker For SMP systems, thermal worker should use power_efficient_wq in power saving mode, that will make scheduler more flexible on selecting an active core for running work handler to avoid keeping work handler always running on a single core, that will save some power. Even if 'power_efficient_wq' relevant configs are disabled 'system_freezable_power_efficient_wq' is identical to system_freezable_wq, behavior is unchanged. Signed-off-by: Jeson Gao Signed-off-by: Chunyan Zhang Signed-off-by: Zhang Rui --- drivers/thermal/thermal_core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'drivers/thermal') diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 441778100887..d6ebc1cf6aa9 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -290,10 +290,12 @@ static void thermal_zone_device_set_polling(struct thermal_zone_device *tz, int delay) { if (delay > 1000) - mod_delayed_work(system_freezable_wq, &tz->poll_queue, + mod_delayed_work(system_freezable_power_efficient_wq, + &tz->poll_queue, round_jiffies(msecs_to_jiffies(delay))); else if (delay) - mod_delayed_work(system_freezable_wq, &tz->poll_queue, + mod_delayed_work(system_freezable_power_efficient_wq, + &tz->poll_queue, msecs_to_jiffies(delay)); else cancel_delayed_work(&tz->poll_queue); -- cgit v1.2.3