Linux Kernel Thermal Zone Device Registration Error Handling Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's thermal management subsystem, in the error handling for thermal zone device registration. When the function 'thermal_zone_device_register_with_trips()' fails after a thermal zone device has been registered, its error path does not wait for the removal of the device to complete. If user space has taken a reference to the thermal zone device's kobject by that point, 'thermal_release()' is not called when it is needed, and the error path can release the device's resources prematurely, causing a NULL pointer dereference. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can cause a NULL pointer dereference, leading to a crash of the kernel or the affected process.

Reproduction

To reproduce this vulnerability, register a thermal zone device using the 'thermal_zone_device_register_with_trips()' function. If the registration fails, the error handling path does not wait for the device's removal to complete, which can cause a NULL pointer dereference if the device's kobject reference has been taken by user space. This can be observed by monitoring the thermal zone device registration process and introducing a failure condition that triggers the error handling without proper cleanup.

Remediation

The vulnerability has been addressed by adding the missing 'wait_for_completion()' call to the thermal zone device registration error path. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
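
The ordering problem and the fix described above, as a user-space C model added here as an example (it is not kernel source or the upstream patch). A counter stands in for the kobject reference count and a flag for the completion that 'thermal_release()' signals; every identifier in the block is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model, not kernel source; every name here is hypothetical. */
struct zone_model {
    int  refs;          /* kobject reference count */
    bool removal_done;  /* stands in for the completion the release signals */
    bool freed;         /* error path has released the zone's resources */
    bool stale_access;  /* a holder touched the zone after that release */
};

/* Drop one reference; the release step runs only when the last one goes. */
static void model_put(struct zone_model *z)
{
    if (z->freed)
        z->stale_access = true;
    if (--z->refs == 0)
        z->removal_done = true;  /* models thermal_release() completing */
}

/* Models wait_for_completion(): remaining holders run until release fires. */
static void model_wait_for_removal(struct zone_model *z)
{
    while (!z->removal_done)
        model_put(z);  /* e.g. user space closes its handle */
}

/*
 * Error path of a failed registration. user_refs: references user space took
 * before the failure. wait: true selects the fixed ordering.
 * Returns true if a holder touched the zone after its resources were released.
 */
bool failed_registration(int user_refs, bool wait)
{
    struct zone_model z = { .refs = 1 + user_refs };
    model_put(&z);                   /* error path drops its own reference */
    if (wait)
        model_wait_for_removal(&z);  /* the step the fix adds */
    z.freed = true;                  /* error path releases the resources */
    while (z.refs > 0)               /* holders drop their references later */
        model_put(&z);
    return z.stale_access;
}

int main(void)
{
    printf("no wait: %d, wait: %d\n", failed_registration(1, false), failed_registration(1, true));
    return 0;
}
```

With no outstanding user-space reference the two orderings behave the same, which is why the defect only shows up when a reference is held at the moment registration fails.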

Added: May 8, 2026, 3:26 PM
Updated: May 8, 2026, 3:26 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.