diff mbox

[2/2] ACPI / bind: Use (put|get)_device() on ACPI device objects too

Message ID 9712243.It8gvaRCs0@vostro.rjw.lan (mailing list archive)
State New, archived
Delegated to: Bjorn Helgaas
Headers show

Commit Message

Rafael J. Wysocki Nov. 13, 2013, 11:26 p.m. UTC
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

When associating a "physical" device with an ACPI device object
acpi_bind_one() only uses get_device() to increment the reference
counter of the former, but there is no reason not to do that with
the latter too.  Among other things, that may help to avoid
use-after-free when an ACPI device object is freed without calling
acpi_unbind_one() for all "physical" devices associated with it
(that only can happen in buggy code, but then it's better if the
kernel doesn't crash as a result of a bug).

For this reason, modify acpi_bind_one() to apply get_device() to
the ACPI device object too and update acpi_unbind_one() to drop
that reference using put_device() as appropriate.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/acpi/glue.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)


--
To unsubscribe from this list: send the line "unsubscribe linux-pci" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Greg KH Nov. 14, 2013, 2:43 a.m. UTC | #1
On Thu, Nov 14, 2013 at 12:26:47AM +0100, Rafael J. Wysocki wrote:
> From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> 
> When associating a "physical" device with an ACPI device object
> acpi_bind_one() only uses get_device() to increment the reference
> counter of the former, but there is no reason not to do that with
> the latter too.  Among other things, that may help to avoid
> use-after-free when an ACPI device object is freed without calling
> acpi_unbind_one() for all "physical" devices associated with it
> (that only can happen in buggy code, but then it's better if the
> kernel doesn't crash as a result of a bug).
> 
> For this reason, modify acpi_bind_one() to apply get_device() to
> the ACPI device object too and update acpi_unbind_one() to drop
> that reference using put_device() as appropriate.
> 
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-pci" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
lan,Tianyu Nov. 14, 2013, 7:20 a.m. UTC | #2
On 2013?11?14? 07:26, Rafael J. Wysocki wrote:
> From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> 
> When associating a "physical" device with an ACPI device object
> acpi_bind_one() only uses get_device() to increment the reference
> counter of the former, but there is no reason not to do that with
> the latter too.  Among other things, that may help to avoid
> use-after-free when an ACPI device object is freed without calling
> acpi_unbind_one() for all "physical" devices associated with it
> (that only can happen in buggy code, but then it's better if the
> kernel doesn't crash as a result of a bug).
> 
> For this reason, modify acpi_bind_one() to apply get_device() to
> the ACPI device object too and update acpi_unbind_one() to drop
> that reference using put_device() as appropriate.
> 
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> ---
>  drivers/acpi/glue.c |    6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> Index: linux-pm/drivers/acpi/glue.c
> ===================================================================
> --- linux-pm.orig/drivers/acpi/glue.c
> +++ linux-pm/drivers/acpi/glue.c
> @@ -217,6 +217,7 @@ int acpi_bind_one(struct device *dev, ac
>  	if (!acpi_dev)
>  		return -EINVAL;
>  
> +	get_device(&acpi_dev->dev);
>  	get_device(dev);
>  	physical_node = kzalloc(sizeof(*physical_node), GFP_KERNEL);
>  	if (!physical_node) {
> @@ -243,6 +244,7 @@ int acpi_bind_one(struct device *dev, ac
>  				goto err;
>  
>  			put_device(dev);
> +			put_device(&acpi_dev->dev);
>  			return 0;
>  		}
>  		if (pn->node_id == node_id) {
> @@ -282,6 +284,7 @@ int acpi_bind_one(struct device *dev, ac
>   err:
>  	ACPI_COMPANION_SET(dev, NULL);
>  	put_device(dev);
> +	put_device(&acpi_dev->dev);
>  	return retval;
>  }
>  EXPORT_SYMBOL_GPL(acpi_bind_one);
> @@ -307,8 +310,9 @@ int acpi_unbind_one(struct device *dev)
>  			sysfs_remove_link(&acpi_dev->dev.kobj, physnode_name);
>  			sysfs_remove_link(&dev->kobj, "firmware_node");
>  			ACPI_COMPANION_SET(dev, NULL);
> -			/* acpi_bind_one() increase refcnt by one. */
> +			/* Drop references taken by acpi_bind_one(). */
>  			put_device(dev);
> +			put_device(&acpi_dev->dev);
>  			kfree(entry);
>  			break;
>  		}
> 

Reviewed-by: Lan Tianyu <tianyu.lan@intel.com>
diff mbox

Patch

Index: linux-pm/drivers/acpi/glue.c
===================================================================
--- linux-pm.orig/drivers/acpi/glue.c
+++ linux-pm/drivers/acpi/glue.c
@@ -217,6 +217,7 @@  int acpi_bind_one(struct device *dev, ac
 	if (!acpi_dev)
 		return -EINVAL;
 
+	get_device(&acpi_dev->dev);
 	get_device(dev);
 	physical_node = kzalloc(sizeof(*physical_node), GFP_KERNEL);
 	if (!physical_node) {
@@ -243,6 +244,7 @@  int acpi_bind_one(struct device *dev, ac
 				goto err;
 
 			put_device(dev);
+			put_device(&acpi_dev->dev);
 			return 0;
 		}
 		if (pn->node_id == node_id) {
@@ -282,6 +284,7 @@  int acpi_bind_one(struct device *dev, ac
  err:
 	ACPI_COMPANION_SET(dev, NULL);
 	put_device(dev);
+	put_device(&acpi_dev->dev);
 	return retval;
 }
 EXPORT_SYMBOL_GPL(acpi_bind_one);
@@ -307,8 +310,9 @@  int acpi_unbind_one(struct device *dev)
 			sysfs_remove_link(&acpi_dev->dev.kobj, physnode_name);
 			sysfs_remove_link(&dev->kobj, "firmware_node");
 			ACPI_COMPANION_SET(dev, NULL);
-			/* acpi_bind_one() increase refcnt by one. */
+			/* Drop references taken by acpi_bind_one(). */
 			put_device(dev);
+			put_device(&acpi_dev->dev);
 			kfree(entry);
 			break;
 		}