    ACPI / hotplug / PCI: Fix NULL pointer dereference in cleanup_bridge() · 1aaac071
    Rafael J. Wysocki authored
    After commit bbd34fcd (ACPI / hotplug / PCI: Register all devices
    under the given bridge) register_slot() is called for all PCI
    devices under a given bridge that have corresponding objects in
    the ACPI namespace, but it calls acpiphp_register_hotplug_slot()
    only for devices satisfying specific criteria.  Still,
    cleanup_bridge() calls acpiphp_unregister_hotplug_slot() for all
    objects created by register_slot(), although it should only call it
    for the ones that acpiphp_register_hotplug_slot() has been called
    for (successfully).  This causes a NULL pointer to be dereferenced
    by the acpiphp_unregister_hotplug_slot() executed by cleanup_bridge()
    if the object it is called for has not been passed to
    acpiphp_register_hotplug_slot().
    
    To fix this problem, check if the 'slot' field of the object passed
    to acpiphp_unregister_hotplug_slot() in cleanup_bridge() is not NULL,
    which is only the case if acpiphp_register_hotplug_slot() has been
    executed for that object.  In addition to that, make register_slot()
    reset the 'slot' field to NULL if acpiphp_register_hotplug_slot() has
    failed for the given object to prevent stale pointers from being
    used by acpiphp_unregister_hotplug_slot().
    Reported-and-tested-by: Yinghai Lu <yinghai@kernel.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
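A simplified C model of the two-part fix the commit message describes (NULL check in cleanup_bridge(), reset of the 'slot' field when registration fails), added here as an illustration; it is not the kernel's acpiphp code, and the struct layout, the `eligible` flag and the three-device scenario are constructed stand-ins for register_slot()'s criteria.

```c
#include <stddef.h>

/* Simplified model of the bug described above; not the kernel's acpiphp code. */
struct acpiphp_slot { int registered; };
struct acpiphp_func {
    struct acpiphp_slot storage;  /* backing object created by register_slot() */
    struct acpiphp_slot *slot;    /* non-NULL only if registration succeeded */
    int eligible;                 /* constructed stand-in for the criteria */
};

/* Stand-in for acpiphp_register_hotplug_slot(): fails for ineligible devices. */
static int register_hotplug_slot(struct acpiphp_slot *s, int eligible)
{
    if (!eligible)
        return -1;
    s->registered = 1;
    return 0;
}
/* Stand-in for acpiphp_unregister_hotplug_slot(): dereferences f->slot. */
static void unregister_hotplug_slot(struct acpiphp_func *f)
{
    f->slot->registered = 0;  /* faults if slot is NULL */
    f->slot = NULL;
}
/* register_slot() with the fix: reset 'slot' to NULL when registration fails. */
static void register_slot(struct acpiphp_func *f)
{
    f->slot = &f->storage;
    if (register_hotplug_slot(f->slot, f->eligible) != 0)
        f->slot = NULL;  /* no stale pointer left for cleanup_bridge() */
}
/* cleanup_bridge() with the fix: unregister only what was registered. */
static int cleanup_bridge(struct acpiphp_func *funcs, int n)
{
    int done = 0;
    for (int i = 0; i < n; i++)
        if (funcs[i].slot) {  /* the added NULL check */
            unregister_hotplug_slot(&funcs[i]);
            done++;
        }
    return done;
}
/* Constructed scenario: three devices under one bridge, the middle one ineligible. */
static int run_bridge_scenario(void)
{
    struct acpiphp_func funcs[3] = { { .eligible = 1 }, { .eligible = 0 }, { .eligible = 1 } };
    for (int i = 0; i < 3; i++)
        register_slot(&funcs[i]);
    return cleanup_bridge(funcs, 3);  /* 2: the ineligible device is skipped, not dereferenced */
}
```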
acpiphp_glue.c 26.5 KB