{"id":"CVE-2024-36961","summary":"thermal/debugfs: Fix two locking issues with thermal zone debug","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Fix two locking issues with thermal zone debug\n\nWith the current thermal zone locking arrangement in the debugfs code,\nuser space can open the \"mitigations\" file for a thermal zone before\nthe zone's debugfs pointer is set which will result in a NULL pointer\ndereference in tze_seq_start().\n\nMoreover, thermal_debug_tz_remove() is not called under the thermal\nzone lock, so it can run in parallel with the other functions accessing\nthe thermal zone's struct thermal_debugfs object.  Then, it may clear\ntz-\u003edebugfs after one of those functions has checked it and the\nstruct thermal_debugfs object may be freed prematurely.\n\nTo address the first problem, pass a pointer to the thermal zone's\nstruct thermal_debugfs object to debugfs_create_file() in\nthermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),\ntze_seq_stop(), and tze_seq_show() retrieve it from s-\u003eprivate\ninstead of a pointer to the thermal zone object.  This will ensure\nthat tz_debugfs will be valid across the \"mitigations\" file accesses\nuntil thermal_debugfs_remove_id() called by thermal_debug_tz_remove()\nremoves that file.\n\nTo address the second problem, use tz-\u003elock in thermal_debug_tz_remove()\naround the tz-\u003edebugfs value check (in case the same thermal zone is\nremoved at the same time in two different threads) and its reset to NULL.\n\nCc :6.8+ \u003cstable@vger.kernel.org\u003e # 6.8+","modified":"2026-04-02T12:16:35.619541Z","published":"2024-06-03T07:49:59.621Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36961.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36961.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36961"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7ef01f228c9f54c6260319858be138a8a7e9e704"},{"fixed":"6c57bdd0505422d5ccd2df541d993aec978c842e"},{"fixed":"c7f7c37271787a7f77d7eedc132b0b419a76b4c8"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36961.json"}}],"schema_version":"1.7.5"}