Re: [PATCH mainline-linux] thermal/core: Populate max_state before setting up cooling dev sysfs

[Daniel Lezcano]

On 5/20/26 18:58, Ovidiu Panait wrote:
> Since commit 13f4e660a126 ("thermal/core:
> Split __thermal_cooling_device_register() into two functions"),
> thermal_cooling_device_setup_sysfs() is called before the
> ->get_max_state() callback in thermal_cooling_device_add().
> However, cooling_device_stats_setup() allocates space based on
> cdev->max_state, which is not initialized at that point.
>
> With CONFIG_THERMAL_STATISTICS=y, an out of bounds access happens
> inside thermal_cooling_device_stats_update(), followed by a kernel
> crash:
>
> Unable to handle kernel paging request at virtual address ffff800081329e60
> Call trace:
>   queued_spin_lock_slowpath+0x1cc/0x320 (P)
>   thermal_cooling_device_stats_update+0x28/0xa4
>   __thermal_cdev_update+0x74/0x88
>   thermal_cdev_update+0x44/0x58
>   step_wise_manage+0x1b8/0x300
>   __thermal_zone_device_update+0x270/0x414
>   thermal_zone_device_check+0x28/0x40
>   process_one_work+0x150/0x290
>   worker_thread+0x18c/0x300
>   kthread+0x114/0x120
>   ret_from_fork+0x10/0x20
>
> To fix this, restore the original ordering of ->get_max_state() and
> thermal_cooling_device_setup_sysfs(). Note that with this reordering,
> the dev_set_name() and ->get_max_state() error paths now reach
> thermal_cdev_release() without setup_sysfs() having run. This is safe
> because cdev->stats is NULL in that case and destroy_sysfs() is a no-op.
>
> Fixes: 13f4e660a126 ("thermal/core: Split __thermal_cooling_device_register() into two functions")
> Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@xxxxxxxxxxx>
> ---

Thanks for fixing this !

Reviewed-by: Daniel Lezcano <daniel.lezcano@xxxxxxxxxxxxxxxx>