From patchwork Sun Sep 2 21:54:14 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yinghai Lu X-Patchwork-Id: 1397901 Return-Path: X-Original-To: patchwork-linux-acpi@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id 29E16DF283 for ; Sun, 2 Sep 2012 21:59:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755943Ab2IBV6t (ORCPT ); Sun, 2 Sep 2012 17:58:49 -0400 Received: from acsinet15.oracle.com ([141.146.126.227]:20009 "EHLO acsinet15.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756041Ab2IBVyf (ORCPT ); Sun, 2 Sep 2012 17:54:35 -0400 Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by acsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q82LsQl3005774 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 2 Sep 2012 21:54:27 GMT Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q82LsPhR012035 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 2 Sep 2012 21:54:26 GMT Received: from abhmt111.oracle.com (abhmt111.oracle.com [141.146.116.63]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q82LsPDt001000; Sun, 2 Sep 2012 16:54:25 -0500 Received: from linux-siqj.site (/75.55.221.75) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 02 Sep 2012 14:54:25 -0700 From: Yinghai Lu To: Bjorn Helgaas , Taku Izumi , Jiang Liu , x86 Cc: Andrew Morton , Linus Torvalds , Greg Kroah-Hartman , linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org, linux-acpi@vger.kernel.org, Yinghai Lu Subject: [PATCH part4 04/11] PCI: Fix an access-after-free issue in function pci_stop_and_remove_bus() Date: Sun, 2 Sep 2012 14:54:14 -0700 Message-Id: <1346622861-30865-5-git-send-email-yinghai@kernel.org> X-Mailer: git-send-email 1.7.7 In-Reply-To: <1346622861-30865-1-git-send-email-yinghai@kernel.org> References: <1346622861-30865-1-git-send-email-yinghai@kernel.org> X-Source-IP: ucsinet21.oracle.com [156.151.31.93] Sender: linux-acpi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-acpi@vger.kernel.org From: Jiang Liu If pci_stop_and_remove_bus() is called to remove a pci root bus, the host_bridge structure may have already been freed after returning from pci_remove_bus(). To avoid that, hold an extra reference count to the root bus before calling pci_remove_bus(), so we can safely access the pci_host_bridge structure after returning from function pci_remove_bus(). Signed-off-by: Jiang Liu Signed-off-by: Yinghai Lu --- drivers/pci/remove.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c index 94407d4..40f8148 100644 --- a/drivers/pci/remove.c +++ b/drivers/pci/remove.c @@ -154,6 +154,7 @@ void pci_stop_and_remove_bus(struct pci_bus *bus) if (pci_is_root_bus(bus)) { host_bridge = to_pci_host_bridge(bus->bridge); + get_device(&host_bridge->dev); pci_stop_host_bridge(host_bridge); } else pci_bridge = bus->self; @@ -162,8 +163,10 @@ void pci_stop_and_remove_bus(struct pci_bus *bus) pci_remove_bus(bus); - if (host_bridge) + if (host_bridge) { host_bridge->bus = NULL; + put_device(&host_bridge->dev); + } if (pci_bridge) pci_bridge->subordinate = NULL;