From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932587AbcAHSOv (ORCPT ); Fri, 8 Jan 2016 13:14:51 -0500
Received: from mail.kernel.org ([198.145.29.136]:35165 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932350AbcAHSOr (ORCPT ); Fri, 8 Jan 2016 13:14:47 -0500
Date: Fri, 8 Jan 2016 12:14:42 -0600
From: Bjorn Helgaas
To: Colin King
Cc: "Rafael J . Wysocki", Len Brown, Bjorn Helgaas, linux-acpi@vger.kernel.org, linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] PCI: acpiphp_ibm: fix null dereferences on null ibm_slot
Message-ID: <20160108181442.GE5354@localhost>
References: <1451694421-5277-1-git-send-email-colin.king@canonical.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1451694421-5277-1-git-send-email-colin.king@canonical.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jan 02, 2016 at 12:27:01AM +0000, Colin King wrote:
> From: Colin Ian King
>
> ibm_slot_from_id can return null if the des header signature is
> not aPCI or if the kmalloc for the return acpi descriptor fails,
> causing potential null pointer dereferences on the return null
> descriptor.
>
> Handle the null case with appropriate check and error return.
>
> Signed-off-by: Colin Ian King

Applied to pci/hotplug for v4.5, thanks, Colin!

> --- > drivers/pci/hotplug/acpiphp_ibm.c | 17 ++++++++++++++--- > 1 file changed, 14 insertions(+), 3 deletions(-) > > diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c > index 6ca2399..9d16c9d 100644 > --- a/drivers/pci/hotplug/acpiphp_ibm.c > +++ b/drivers/pci/hotplug/acpiphp_ibm.c
> @@ -154,7 +154,8 @@ static union apci_descriptor *ibm_slot_from_id(int id) > ibm_slot_done: > if (ret) { > ret = kmalloc(sizeof(union apci_descriptor), GFP_KERNEL); > - memcpy(ret, des, sizeof(union apci_descriptor)); > + if (ret) > + memcpy(ret, des, sizeof(union apci_descriptor)); > } > kfree(table); > return ret; > @@ -175,8 +176,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status) > acpi_status stat; > unsigned long long rc; > union apci_descriptor *ibm_slot; > + int id = hpslot_to_sun(slot); > > - ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot)); > + ibm_slot = ibm_slot_from_id(id); > + if (!ibm_slot) { > + pr_err("APLS null ACPI descriptor for slot %d\n", id); > + return -ENODEV; > + } > > pr_debug("%s: set slot %d (%d) attention status to %d\n", __func__, > ibm_slot->slot.slot_num, ibm_slot->slot.slot_id, > @@ -215,8 +221,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status) > static int ibm_get_attention_status(struct hotplug_slot *slot, u8 *status) > { > union apci_descriptor *ibm_slot; > + int id = hpslot_to_sun(slot); > > - ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot)); > + ibm_slot = ibm_slot_from_id(id); > + if (!ibm_slot) { > + pr_err("APLS null ACPI descriptor for slot %d\n", id); > + return -ENODEV; > + } > > if (ibm_slot->slot.attn & 0xa0 || ibm_slot->slot.status[1] & 0x08) > *status = 1; > -- > 2.6.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-acpi" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
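
Review bot: In the `ibm_slot_done:` block of `ibm_slot_from_id()` (first hunk), the new `if (ret)` guard makes a failed kmalloc return NULL, which is the same value the function returns when the lookup itself fails, so the two callers patched below report -ENODEV for what is really an out-of-memory condition. The kmalloc/memcpy pair could be a single `kmemdup(des, sizeof(union apci_descriptor), GFP_KERNEL)`, and if callers should be able to tell the cases apart the function could return an ERR_PTR so that -ENOMEM is passed through.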
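
Review bot: In `ibm_set_attention_status()` (second hunk), the new `pr_err("APLS null ACPI descriptor for slot %d\n", id)` is word for word the message added to `ibm_get_attention_status()` and carries no function name, unlike the pr_debug a few lines below it that prefixes `%s:` with `__func__`. Using the same prefix in the error message would let someone reading the log tell which operation hit the missing descriptor.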
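
Review bot: In `ibm_get_attention_status()` (third hunk), the early `return -ENODEV` leaves `*status` unwritten, so a caller that does not check the return value would go on to use whatever the u8 held before the call; setting `*status = 0` before returning would make the failure path deterministic. The pr_err on this path is also emitted on every call for a slot without a descriptor, so a rate-limited or debug-level message may be a better fit for a status getter.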