Re: [PATCH] hwmon: (ibmpex) fix use-after-free in high/low store

Next message: syzbot: "Re: [PATCH] gfs2: Fix slab-use-after-free in gfs2_qd_dispose"
Previous message: Guenter Roeck: "Re: [PATCH] hwmon: (dell-smm) Limit fan multiplier to avoid overflow"
In reply to: Junrui Luo: "[PATCH] hwmon: (ibmpex) fix use-after-free in high/low store"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Guenter Roeck

Date: Sun Dec 14 2025 - 12:36:24 EST

On Wed, Dec 10, 2025 at 05:48:08PM +0800, Junrui Luo wrote:
> The ibmpex_high_low_store() function retrieves driver data using
> dev_get_drvdata() and uses it without validation. This creates a race
> condition where the sysfs callback can be invoked after the data
> structure is freed, leading to use-after-free.
>
> Fix by adding a NULL check after dev_get_drvdata(), and reordering
> operations in the deletion path to prevent TOCTOU.
>
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Reported-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>

Applied.

Thanks,
Guenter