linux-kernel.vger.kernel.org archive mirror
* [PATCH] PCI: acpiphp_ibm: fix null dereferences on null ibm_slot
@ 2016-01-02  0:27 Colin King
From: Colin King @ 2016-01-02  0:27 UTC
  To: Rafael J . Wysocki, Len Brown, Bjorn Helgaas, linux-acpi, linux-pci
  Cc: linux-kernel

From: Colin Ian King <colin.king@canonical.com>

ibm_slot_from_id can return null if the des header signature is
not aPCI or if the kmalloc for the returned ACPI descriptor fails,
causing potential null pointer dereferences on the returned null
descriptor.

Handle the null case with appropriate check and error return.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/pci/hotplug/acpiphp_ibm.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c
index 6ca2399..9d16c9d 100644
--- a/drivers/pci/hotplug/acpiphp_ibm.c
+++ b/drivers/pci/hotplug/acpiphp_ibm.c
@@ -154,7 +154,8 @@ static union apci_descriptor *ibm_slot_from_id(int id)
 ibm_slot_done:
 	if (ret) {
 		ret = kmalloc(sizeof(union apci_descriptor), GFP_KERNEL);
-		memcpy(ret, des, sizeof(union apci_descriptor));
+		if (ret)
+			memcpy(ret, des, sizeof(union apci_descriptor));
 	}
 	kfree(table);
 	return ret;
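
Review bot: In ibm_slot_done, a failed kmalloc now makes ibm_slot_from_id() return NULL, which callers cannot tell apart from "no aPCI descriptor for this id"; both end up reported as -ENODEV in the later hunks even though one of them is an out-of-memory condition. If the distinction matters, return an ERR_PTR(-ENOMEM) here, or at least note in a comment above the function that NULL covers both cases. The kmalloc plus guarded memcpy pair is also the open-coded form of kmemdup(), so "ret = kmemdup(des, sizeof(*des), GFP_KERNEL);" would replace all three lines.
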
@@ -175,8 +176,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status)
 	acpi_status stat;
 	unsigned long long rc;
 	union apci_descriptor *ibm_slot;
+	int id = hpslot_to_sun(slot);
 
-	ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot));
+	ibm_slot = ibm_slot_from_id(id);
+	if (!ibm_slot) {
+		pr_err("APLS null ACPI descriptor for slot %d\n", id);
+		return -ENODEV;
+	}
 
 	pr_debug("%s: set slot %d (%d) attention status to %d\n", __func__,
 			ibm_slot->slot.slot_num, ibm_slot->slot.slot_id,
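
Review bot: The new pr_err() string in ibm_set_attention_status() is byte-for-byte identical to the one added to ibm_get_attention_status(), so a log line does not say which operation failed, and "APLS" is not explained anywhere in the visible code. The pr_debug() immediately below already prefixes __func__; doing the same here ("%s: no ACPI descriptor for slot %d\n", __func__, id) keeps the two paths distinguishable. Since the same four-line check is pasted into both functions, a small helper that does the lookup and logs on failure would remove the duplication.
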
@@ -215,8 +221,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status)
 static int ibm_get_attention_status(struct hotplug_slot *slot, u8 *status)
 {
 	union apci_descriptor *ibm_slot;
+	int id = hpslot_to_sun(slot);
 
-	ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot));
+	ibm_slot = ibm_slot_from_id(id);
+	if (!ibm_slot) {
+		pr_err("APLS null ACPI descriptor for slot %d\n", id);
+		return -ENODEV;
+	}
 
 	if (ibm_slot->slot.attn & 0xa0 || ibm_slot->slot.status[1] & 0x08)
 		*status = 1;
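
Review bot: On the new early return in ibm_get_attention_status(), *status is never written, so any caller that ignores the -ENODEV return value reads whatever was in its buffer before the call. Either set *status to a defined value before "return -ENODEV;" or state in a comment that the output is only valid when the function returns 0. The NULL check itself is placed correctly, ahead of the first ibm_slot->slot.attn dereference.
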
-- 
2.6.4



* Re: [PATCH] PCI: acpiphp_ibm: fix null dereferences on null ibm_slot
@ 2016-01-08 18:14 ` Bjorn Helgaas
From: Bjorn Helgaas @ 2016-01-08 18:14 UTC
  To: Colin King
  Cc: Rafael J . Wysocki, Len Brown, Bjorn Helgaas, linux-acpi,
	linux-pci, linux-kernel

On Sat, Jan 02, 2016 at 12:27:01AM +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> ibm_slot_from_id can return null if the des header signature is
> not aPCI or if the kmalloc for the returned ACPI descriptor fails,
> causing potential null pointer dereferences on the returned null
> descriptor.
> 
> Handle the null case with appropriate check and error return.
> 
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Applied to pci/hotplug for v4.5, thanks, Colin!

> ---
>  drivers/pci/hotplug/acpiphp_ibm.c | 17 ++++++++++++++---
>  1 file changed, 14 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c
> index 6ca2399..9d16c9d 100644
> --- a/drivers/pci/hotplug/acpiphp_ibm.c
> +++ b/drivers/pci/hotplug/acpiphp_ibm.c
> @@ -154,7 +154,8 @@ static union apci_descriptor *ibm_slot_from_id(int id)
>  ibm_slot_done:
>  	if (ret) {
>  		ret = kmalloc(sizeof(union apci_descriptor), GFP_KERNEL);
> -		memcpy(ret, des, sizeof(union apci_descriptor));
> +		if (ret)
> +			memcpy(ret, des, sizeof(union apci_descriptor));
>  	}
>  	kfree(table);
>  	return ret;
> @@ -175,8 +176,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status)
>  	acpi_status stat;
>  	unsigned long long rc;
>  	union apci_descriptor *ibm_slot;
> +	int id = hpslot_to_sun(slot);
>  
> -	ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot));
> +	ibm_slot = ibm_slot_from_id(id);
> +	if (!ibm_slot) {
> +		pr_err("APLS null ACPI descriptor for slot %d\n", id);
> +		return -ENODEV;
> +	}
>  
>  	pr_debug("%s: set slot %d (%d) attention status to %d\n", __func__,
>  			ibm_slot->slot.slot_num, ibm_slot->slot.slot_id,
> @@ -215,8 +221,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status)
>  static int ibm_get_attention_status(struct hotplug_slot *slot, u8 *status)
>  {
>  	union apci_descriptor *ibm_slot;
> +	int id = hpslot_to_sun(slot);
>  
> -	ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot));
> +	ibm_slot = ibm_slot_from_id(id);
> +	if (!ibm_slot) {
> +		pr_err("APLS null ACPI descriptor for slot %d\n", id);
> +		return -ENODEV;
> +	}
>  
>  	if (ibm_slot->slot.attn & 0xa0 || ibm_slot->slot.status[1] & 0x08)
>  		*status = 1;
> -- 
> 2.6.4
> 
