From: Ovidiu Panait Date: Wed, 20 May 2026 16:58:34 +0000 (+0000) Subject: thermal/core: Populate max_state before setting up cooling dev sysfs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5d4d76ec1390d490c14848d787ef27bf7b9c0a8;p=thirdparty%2Flinux.git thermal/core: Populate max_state before setting up cooling dev sysfs Since commit 13f4e660a126 ("thermal/core: Split __thermal_cooling_device_register() into two functions") thermal_cooling_device_setup_sysfs() is called before the ->get_max_state() callback in thermal_cooling_device_add(). However, cooling_device_stats_setup() allocates space based on cdev->max_state, which is not initialized at that point. With CONFIG_THERMAL_STATISTICS=y, an out of bounds access happens inside thermal_cooling_device_stats_update(), followed by a kernel crash: Unable to handle kernel paging request at virtual address ffff800081329e60 Call trace: queued_spin_lock_slowpath+0x1cc/0x320 (P) thermal_cooling_device_stats_update+0x28/0xa4 __thermal_cdev_update+0x74/0x88 thermal_cdev_update+0x44/0x58 step_wise_manage+0x1b8/0x300 __thermal_zone_device_update+0x270/0x414 thermal_zone_device_check+0x28/0x40 process_one_work+0x150/0x290 worker_thread+0x18c/0x300 kthread+0x114/0x120 ret_from_fork+0x10/0x20 To fix this, restore the original ordering of ->get_max_state() and thermal_cooling_device_setup_sysfs(). Note that with this reordering, the dev_set_name() and ->get_max_state() error paths now reach thermal_cdev_release() without setup_sysfs() having run. This is safe because cdev->stats is NULL in that case and destroy_sysfs() is a no-op. Fixes: 13f4e660a126 ("thermal/core: Split __thermal_cooling_device_register() into two functions") Signed-off-by: Ovidiu Panait Reviewed-by: Daniel Lezcano Link: https://patch.msgid.link/20260520165835.90974-1-ovidiu.panait.rb@renesas.com Signed-off-by: Rafael J. Wysocki --- diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 4e2a17fdb6a75..9b9fa51067bd4 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -1015,8 +1015,6 @@ static int thermal_cooling_device_add(struct thermal_cooling_device *cdev, void device_initialize(&cdev->device); cdev->devdata = devdata; - thermal_cooling_device_setup_sysfs(cdev); - ret = dev_set_name(&cdev->device, "cooling_device%d", cdev->id); if (ret) goto out_put_device; @@ -1037,6 +1035,8 @@ static int thermal_cooling_device_add(struct thermal_cooling_device *cdev, void if (ret) current_state = ULONG_MAX; + thermal_cooling_device_setup_sysfs(cdev); + ret = device_add(&cdev->device); if (ret) goto out_put_device;