Commit 6946c726 authored Dec 10, 2025 by Junrui Luo Committed by Guenter Roeck Dec 14, 2025

hwmon: (ibmpex) fix use-after-free in high/low store



The ibmpex_high_low_store() function retrieves driver data using
dev_get_drvdata() and uses it without validation. This creates a race
condition where the sysfs callback can be invoked after the data
structure is freed, leading to use-after-free.

Fix by adding a NULL check after dev_get_drvdata(), and reordering
operations in the deletion path to prevent TOCTOU.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 57c7c3a0 ("hwmon: IBM power meter driver")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/r/MEYPR01MB7886BE2F51BFE41875B74B60AFA0A@MEYPR01MB7886.ausprd01.prod.outlook.com


Signed-off-by: Guenter Roeck <linux@roeck-us.net>

parent 46c28bbb

drivers/hwmon/ibmpex.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -277,6 +277,9 @@ static ssize_t ibmpex_high_low_store(struct device *dev,
		{
		struct ibmpex_bmc_data *data = dev_get_drvdata(dev);

		if (!data)
		return -ENODEV;

		ibmpex_reset_high_low_data(data);

		return count;
		@@ -508,6 +511,9 @@ static void ibmpex_bmc_delete(struct ibmpex_bmc_data *data)
		{
		int i, j;

		hwmon_device_unregister(data->hwmon_dev);
		dev_set_drvdata(data->bmc_device, NULL);

		device_remove_file(data->bmc_device,
		&sensor_dev_attr_reset_high_low.dev_attr);
		device_remove_file(data->bmc_device, &dev_attr_name.attr);
		@@ -521,8 +527,7 @@ static void ibmpex_bmc_delete(struct ibmpex_bmc_data *data)
		}

		list_del(&data->list);
		dev_set_drvdata(data->bmc_device, NULL);
		hwmon_device_unregister(data->hwmon_dev);

		ipmi_destroy_user(data->user);
		kfree(data->sensors);
		kfree(data);