From 090d920be96f1a02d67ca9b07b798d74b4f631fc Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 28 Jul 2022 09:36:50 +0200 Subject: [PATCH] Revert "thermal/core: fix a UAF bug in __thermal_cooling_device_register()" This reverts commit b132abaa6515e14e0db292389c25007d666e1925 which is commit 0a5c26712f963f0500161a23e0ffff8d29f742ab upstream. It breaks the Android kernel ABI and is not needed for Android devices, so it is safe to revert for now. If it is determined that it is needed in the future, it can be brought back in an abi-preserving way. Bug: 161946584 Signed-off-by: Greg Kroah-Hartman Change-Id: Ibaaab9a23fa0cbb5b11204cd6dc59b29215ee8a1 --- drivers/thermal/thermal_core.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 8e78a18f9a83..a1721cdf37ec 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -1095,7 +1095,7 @@ __thermal_cooling_device_register(struct device_node *np, { struct thermal_cooling_device *cdev; struct thermal_zone_device *pos = NULL; - int id, ret; + int ret; if (!ops || !ops->get_max_state || !ops->get_cur_state || !ops->set_cur_state) @@ -1109,7 +1109,6 @@ __thermal_cooling_device_register(struct device_node *np, if (ret < 0) goto out_kfree_cdev; cdev->id = ret; - id = ret; cdev->type = kstrdup(type ? type : "", GFP_KERNEL); if (!cdev->type) { @@ -1151,9 +1150,8 @@ out_kfree_type: thermal_cooling_device_destroy_sysfs(cdev); kfree(cdev->type); put_device(&cdev->device); - cdev = NULL; out_ida_remove: - ida_simple_remove(&thermal_cdev_ida, id); + ida_simple_remove(&thermal_cdev_ida, cdev->id); out_kfree_cdev: return ERR_PTR(ret); }