CVE-2024-36961

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/06/2024
Last modified: 17/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

thermal/debugfs: Fix two locking issues with thermal zone debug

With the current thermal zone locking arrangement in the debugfs code, user space can open the "mitigations" file for a thermal zone before the zone's debugfs pointer is set which will result in a NULL pointer dereference in tze_seq_start().

Moreover, thermal_debug_tz_remove() is not called under the thermal zone lock, so it can run in parallel with the other functions accessing the thermal zone's struct thermal_debugfs object. Then, it may clear tz->debugfs after one of those functions has checked it and the struct thermal_debugfs object may be freed prematurely.

To address the first problem, pass a pointer to the thermal zone's struct thermal_debugfs object to debugfs_create_file() in thermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(), tze_seq_stop(), and tze_seq_show() retrieve it from s->private instead of a pointer to the thermal zone object. This will ensure that tz_debugfs will be valid across the "mitigations" file accesses until thermal_debugfs_remove_id() called by thermal_debug_tz_remove() removes that file.

To address the second problem, use tz->lock in thermal_debug_tz_remove() around the tz->debugfs value check (in case the same thermal zone is removed at the same time in two different threads) and its reset to NULL.

Cc :6.8+ # 6.8+

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*
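
A triage helper for the version table above, added here as an example; it is not part of the advisory or of the kernel project. The function name in_listed_range and the sample release strings are constructed. Distribution kernels can carry the fix backported under a version string that still falls inside the range, so a match means "check the vendor changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example: compare a kernel release string with the ranges this
# advisory lists for CVE-2024-36961. in_listed_range is a name made up here.
# Status 0 = release is inside a listed range, 1 = it is not (or unparsable).
in_listed_range() {
    rel=$1
    base=${rel%%-*}                  # drop "-rc3", "-31-generic", "-arch1-1"
    major=${base%%.*}
    rest=${base#*.}
    if [ "$rest" = "$base" ]; then return 1; fi   # need "major.minor"
    minor=${rest%%.*}
    patch=0
    if [ "$rest" != "$minor" ]; then patch=${rest#*.}; fi
    minor=${minor%%[!0-9]*}          # tolerate suffixes such as "9+"
    patch=${patch%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    if [ -z "$minor" ] || [ -z "$patch" ]; then return 1; fi
    rc=
    case $rel in
        *-rc[0-9]*) rc=${rel##*-rc}; rc=${rc%%[!0-9]*} ;;
    esac
    if [ "$major" -ne 6 ]; then return 1; fi
    # Row 1: 6.8 (including) up to 6.8.10 (excluding); 6.8-rc is not listed.
    if [ "$minor" -eq 8 ] && [ -z "$rc" ] && [ "$patch" -lt 10 ]; then
        return 0
    fi
    # Rows 2-7: 6.9-rc1 through 6.9-rc6.
    if [ "$minor" -eq 9 ] && [ "$patch" -eq 0 ] && [ -n "$rc" ] \
        && [ "$rc" -ge 1 ] && [ "$rc" -le 6 ]; then
        return 0
    fi
    return 1
}

# Constructed sample strings, followed by the running kernel.
for r in 6.8.9-arch1-1 6.8.10 6.9.0-rc3 6.9.0 "$(uname -r)"; do
    if in_listed_range "$r"; then
        echo "$r: inside a listed range, check the vendor changelog for the fix"
    else
        echo "$r: outside the listed ranges"
    fi
done
```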