PT-2024-27225 · Linux+4 · Linux Kernel+4
Published: 2024-04-26 · Updated: 2025-09-29
CVE-2024-36961
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.8
Description
The issue arises from two locking problems in the thermal zone debug code within the Linux kernel. The first problem occurs when user space opens the "mitigations" file for a thermal zone before the zone's debugfs pointer is set, resulting in a NULL pointer dereference in tze_seq_start(). The second problem is that thermal_debug_tz_remove() is not called under the thermal zone lock, allowing it to run in parallel with other functions accessing the thermal zone's struct thermal_debugfs object. This can lead to the premature freeing of the struct thermal_debugfs object.
Recommendations
To address the first problem, pass a pointer to the thermal zone's struct thermal_debugfs object to debugfs_create_file() in thermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(), tze_seq_stop(), and tze_seq_show() retrieve it from s->private instead of a pointer to the thermal zone object.
To address the second problem, use tz->lock in thermal_debug_tz_remove() around the tz->debugfs value check and its reset to NULL.
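A simplified user-space model of the two fixes described above, added here as an illustration; it is not the kernel patch. A pthread mutex stands in for tz->lock, and the struct layouts and the function names tz_record_episode, seq_show_model and tz_debug_remove are assumptions made for the example.

```c
#include <pthread.h>
#include <stdlib.h>

/* User-space stand-ins for the kernel structures (assumed, simplified layout). */
struct thermal_debugfs { int nr_episodes; };
struct thermal_zone {
    pthread_mutex_t lock;            /* models tz->lock */
    struct thermal_debugfs *debugfs; /* models tz->debugfs, NULL until published */
};

/* Zone-side accessor: dereferences tz->debugfs only while holding tz->lock. */
int tz_record_episode(struct thermal_zone *tz)
{
    int ret = -1;                    /* -1: no debug object, nothing touched */
    pthread_mutex_lock(&tz->lock);
    if (tz->debugfs)
        ret = ++tz->debugfs->nr_episodes;
    pthread_mutex_unlock(&tz->lock);
    return ret;
}

/* Fix 1 model: the file's private data is the debug object itself, so the
 * callback never reads tz->debugfs, which may still be NULL when it runs. */
int seq_show_model(void *s_private)
{
    struct thermal_debugfs *dbg = s_private;
    return dbg->nr_episodes;
}

/* Fix 2 model: check tz->debugfs and reset it to NULL under tz->lock, then
 * free the detached object. Returns 1 if an object was freed, 0 if none. */
int tz_debug_remove(struct thermal_zone *tz)
{
    struct thermal_debugfs *dbg;
    pthread_mutex_lock(&tz->lock);
    dbg = tz->debugfs;
    tz->debugfs = NULL;
    pthread_mutex_unlock(&tz->lock);
    if (!dbg)
        return 0;
    free(dbg);
    return 1;
}

int main(void)
{
    struct thermal_zone tz = { PTHREAD_MUTEX_INITIALIZER, NULL };
    tz.debugfs = calloc(1, sizeof(*tz.debugfs));
    tz_record_episode(&tz);
    return tz_debug_remove(&tz) == 1 && tz_debug_remove(&tz) == 0 ? 0 : 1;
}
```

Because the pointer is detached under the lock, an accessor that takes the lock afterwards sees NULL and skips the object instead of touching freed memory, and a second removal finds nothing to free.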
Update to Linux kernel version 6.8 or later to resolve the issue.
Exploit
Fix
Improper Locking
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Linuxmint
Linux Kernel
Red Hat
Ubuntu