[PATCH 3/3] hwmon: (occ) Fix potential NULL dereference in p9_sbe_occ_remove()

Next message: Thomas Bogendoerfer: "Re: [PATCH v4 1/6] MIPS: loongson64: Override arch_dynirq_lower_bound to reserve LPC IRQs"
Previous message: Pradhan, Sanman: "[PATCH 2/3] hwmon: (occ) Fix missing newline in occ_show_extended()"
In reply to: Guenter Roeck: "Re: [PATCH 2/3] hwmon: (occ) Fix missing newline in occ_show_extended()"
Next in thread: Pradhan, Sanman: "Re: [PATCH 0/3] hwmon: (occ) Fix bugs in power sensor, extended sensor, and remove path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pradhan, Sanman

Date: Thu Mar 26 2026 - 18:48:25 EST

From: Sanman Pradhan <psanman@xxxxxxxxxxx>

In p9_sbe_occ_remove(), ctx->sbe is set to NULL before
occ_shutdown() is called. Since occ_shutdown() calls
hwmon_device_unregister(), there is a window between clearing
ctx->sbe and the hwmon device being unregistered where a
concurrent sysfs read could trigger p9_sbe_occ_send_cmd(),
which calls fsi_occ_submit() with a NULL sbe pointer, causing
a NULL pointer dereference.

Fix this by calling occ_shutdown() first to unregister the hwmon
device. hwmon_device_unregister() drains pending sysfs readers
via kernfs_drain(), so after it returns no more callbacks can
access ctx->sbe.

Fixes: 5b5513b88002 ("hwmon: Add On-Chip Controller (OCC) hwmon driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Sanman Pradhan <psanman@xxxxxxxxxxx>
---
drivers/hwmon/occ/p9_sbe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hwmon/occ/p9_sbe.c b/drivers/hwmon/occ/p9_sbe.c
index 1e3749dfa598..0f5f87836dbd 100644
--- a/drivers/hwmon/occ/p9_sbe.c
+++ b/drivers/hwmon/occ/p9_sbe.c
@@ -174,8 +174,8 @@ static void p9_sbe_occ_remove(struct platform_device *pdev)

device_remove_bin_file(occ->bus_dev, &bin_attr_ffdc);

- ctx->sbe = NULL;
occ_shutdown(occ);
+ ctx->sbe = NULL;

kvfree(ctx->ffdc);
}
--
2.34.1