| Message ID | 1451694421-5277-1-git-send-email-colin.king@canonical.com (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Bjorn Helgaas |
| Headers | show |
On Sat, Jan 02, 2016 at 12:27:01AM +0000, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > ibm_slot_from_id can return null if the des header signature is > not aPCI or if the kmalloc for the return acpi descriptore fails, > causing potential null pointer dereferences on the return null > descriptor. > > Handle the null case with appropriate check and error return. > > Signed-off-by: Colin Ian King <colin.king@canonical.com> Applied to pci/hotplug for v4.5, thanks, Colin! > --- > drivers/pci/hotplug/acpiphp_ibm.c | 17 ++++++++++++++--- > 1 file changed, 14 insertions(+), 3 deletions(-) > > diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c > index 6ca2399..9d16c9d 100644 > --- a/drivers/pci/hotplug/acpiphp_ibm.c > +++ b/drivers/pci/hotplug/acpiphp_ibm.c > @@ -154,7 +154,8 @@ static union apci_descriptor *ibm_slot_from_id(int id) > ibm_slot_done: > if (ret) { > ret = kmalloc(sizeof(union apci_descriptor), GFP_KERNEL); > - memcpy(ret, des, sizeof(union apci_descriptor)); > + if (ret) > + memcpy(ret, des, sizeof(union apci_descriptor)); > } > kfree(table); > return ret; > @@ -175,8 +176,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status) > acpi_status stat; > unsigned long long rc; > union apci_descriptor *ibm_slot; > + int id = hpslot_to_sun(slot); > > - ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot)); > + ibm_slot = ibm_slot_from_id(id); > + if (!ibm_slot) { > + pr_err("APLS null ACPI descriptor for slot %d\n", id); > + return -ENODEV; > + } > > pr_debug("%s: set slot %d (%d) attention status to %d\n", __func__, > ibm_slot->slot.slot_num, ibm_slot->slot.slot_id, > @@ -215,8 +221,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status) > static int ibm_get_attention_status(struct hotplug_slot *slot, u8 *status) > { > union apci_descriptor *ibm_slot; > + int id = hpslot_to_sun(slot); > > - ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot)); > + ibm_slot = ibm_slot_from_id(id); > + if (!ibm_slot) { > + pr_err("APLS null ACPI descriptor for slot %d\n", id); > + return -ENODEV; > + } > > if (ibm_slot->slot.attn & 0xa0 || ibm_slot->slot.status[1] & 0x08) > *status = 1; > -- > 2.6.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-acpi" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c index 6ca2399..9d16c9d 100644 --- a/drivers/pci/hotplug/acpiphp_ibm.c +++ b/drivers/pci/hotplug/acpiphp_ibm.c @@ -154,7 +154,8 @@ static union apci_descriptor *ibm_slot_from_id(int id) ibm_slot_done: if (ret) { ret = kmalloc(sizeof(union apci_descriptor), GFP_KERNEL); - memcpy(ret, des, sizeof(union apci_descriptor)); + if (ret) + memcpy(ret, des, sizeof(union apci_descriptor)); } kfree(table); return ret; @@ -175,8 +176,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status) acpi_status stat; unsigned long long rc; union apci_descriptor *ibm_slot; + int id = hpslot_to_sun(slot); - ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot)); + ibm_slot = ibm_slot_from_id(id); + if (!ibm_slot) { + pr_err("APLS null ACPI descriptor for slot %d\n", id); + return -ENODEV; + } pr_debug("%s: set slot %d (%d) attention status to %d\n", __func__, ibm_slot->slot.slot_num, ibm_slot->slot.slot_id, @@ -215,8 +221,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status) static int ibm_get_attention_status(struct hotplug_slot *slot, u8 *status) { union apci_descriptor *ibm_slot; + int id = hpslot_to_sun(slot); - ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot)); + ibm_slot = ibm_slot_from_id(id); + if (!ibm_slot) { + pr_err("APLS null ACPI descriptor for slot %d\n", id); + return -ENODEV; + } if (ibm_slot->slot.attn & 0xa0 || ibm_slot->slot.status[1] & 0x08) *status = 1;