CVE-2024-36961

In the Linux kernel, the following vulnerability has been resolved:

thermal/debugfs: Fix two locking issues with thermal zone debug

With the current thermal zone locking arrangement in the debugfs code, user space can open the "mitigations" file for a thermal zone before the zone's debugfs pointer is set which will result in a NULL pointer dereference in tzeseqstart().

Moreover, thermaldebugtzremove() is not called under the thermal zone lock, so it can run in parallel with the other functions accessing the thermal zone's struct thermaldebugfs object. Then, it may clear tz->debugfs after one of those functions has checked it and the struct thermal_debugfs object may be freed prematurely.

To address the first problem, pass a pointer to the thermal zone's struct thermaldebugfs object to debugfscreatefile() in thermaldebugtzadd() and make tzeseqstart(), tzeseqnext(), tzeseqstop(), and tzeseqshow() retrieve it from s->private instead of a pointer to the thermal zone object. This will ensure that tzdebugfs will be valid across the "mitigations" file accesses until thermaldebugfsremoveid() called by thermaldebugtz_remove() removes that file.

To address the second problem, use tz->lock in thermaldebugtz_remove() around the tz->debugfs value check (in case the same thermal zone is removed at the same time in two different threads) and its reset to NULL.

Cc :6.8+ stable@vger.kernel.org # 6.8+