thermal: core: Fix thermal zone lookup by ID

When a thermal zone is looked up by an ID and no zone is found matching
that ID, the thermal_zone_get_by_id() function will return a pointer to
the thermal zone list head which isn't actually a valid thermal zone.

This can lead to a subsequent crash because a valid pointer is returned
to the called, but dereferencing that pointer as struct thermal_zone is
not safe.

Fixes: 329b064fbd13 ("thermal: core: Get thermal zone by id")
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20200724170105.2705467-1-thierry.reding@gmail.com

diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
index 007f961..9748fbb 100644 (file)
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -751,16 +751,18 @@ int for_each_thermal_zone(int (*cb)(struct thermal_zone_device *, void *),
 
 struct thermal_zone_device *thermal_zone_get_by_id(int id)
 {
-       struct thermal_zone_device *tz = NULL;
+       struct thermal_zone_device *tz, *match = NULL;
 
        mutex_lock(&thermal_list_lock);
        list_for_each_entry(tz, &thermal_tz_list, node) {
-               if (tz->id == id)
+               if (tz->id == id) {
+                       match = tz;
                        break;
+               }
        }
        mutex_unlock(&thermal_list_lock);
 
-       return tz;
+       return match;
 }
 
 void thermal_zone_device_unbind_exception(struct thermal_zone_device *tz,