6.11-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki rafael.j.wysocki@intel.com
commit 827a07525c099f54d3b15110408824541ec66b3c upstream.
The object pointed to by tz->tzp may still be accessed after being freed in thermal_zone_device_unregister(), so move the freeing of it to the point after the removal completion has been completed at which it cannot be accessed any more.
Fixes: 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure") Cc: 6.8+ stable@vger.kernel.org # 6.8+ Signed-off-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Reviewed-by: Lukasz Luba lukasz.luba@arm.com Link: https://patch.msgid.link/4623516.LvFx2qVVIh@rjwysocki.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/thermal/thermal_core.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -1647,14 +1647,12 @@ void thermal_zone_device_unregister(stru ida_destroy(&tz->ida);
device_del(&tz->device); - - kfree(tz->tzp); - put_device(&tz->device);
thermal_notify_tz_delete(tz);
wait_for_completion(&tz->removal); + kfree(tz->tzp); kfree(tz); } EXPORT_SYMBOL_GPL(thermal_zone_device_unregister);