linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
To: ACPI Devel Maling List <linux-acpi@vger.kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Linux PCI <linux-pci@vger.kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Bjorn Helgaas <bhelgaas@google.com>,
	Aaron Lu <aaron.lu@intel.com>,
	Jarkko Nikula <jarkko.nikula@linux.intel.com>,
	Lan Tianyu <tianyu.lan@intel.com>,
	Mika Westerberg <mika.westerberg@linux.intel.com>,
	"Luck, Tony" <tony.luck@intel.com>
Subject: [PATCH 2/2] ACPI / bind: Use (put|get)_device() on ACPI device objects too
Date: Thu, 14 Nov 2013 00:26:47 +0100	[thread overview]
Message-ID: <9712243.It8gvaRCs0@vostro.rjw.lan> (raw)
In-Reply-To: <1803808.ghCmmaO2Cj@vostro.rjw.lan>

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

When associating a "physical" device with an ACPI device object
acpi_bind_one() only uses get_device() to increment the reference
counter of the former, but there is no reason not to do that with
the latter too.  Among other things, that may help to avoid
use-after-free when an ACPI device object is freed without calling
acpi_unbind_one() for all "physical" devices associated with it
(that only can happen in buggy code, but then it's better if the
kernel doesn't crash as a result of a bug).

For this reason, modify acpi_bind_one() to apply get_device() to
the ACPI device object too and update acpi_unbind_one() to drop
that reference using put_device() as appropriate.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/acpi/glue.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Index: linux-pm/drivers/acpi/glue.c
===================================================================
--- linux-pm.orig/drivers/acpi/glue.c
+++ linux-pm/drivers/acpi/glue.c
@@ -217,6 +217,7 @@ int acpi_bind_one(struct device *dev, ac
 	if (!acpi_dev)
 		return -EINVAL;
 
+	get_device(&acpi_dev->dev);
 	get_device(dev);
 	physical_node = kzalloc(sizeof(*physical_node), GFP_KERNEL);
 	if (!physical_node) {
@@ -243,6 +244,7 @@ int acpi_bind_one(struct device *dev, ac
 				goto err;
 
 			put_device(dev);
+			put_device(&acpi_dev->dev);
 			return 0;
 		}
 		if (pn->node_id == node_id) {
@@ -282,6 +284,7 @@ int acpi_bind_one(struct device *dev, ac
  err:
 	ACPI_COMPANION_SET(dev, NULL);
 	put_device(dev);
+	put_device(&acpi_dev->dev);
 	return retval;
 }
 EXPORT_SYMBOL_GPL(acpi_bind_one);
@@ -307,8 +310,9 @@ int acpi_unbind_one(struct device *dev)
 			sysfs_remove_link(&acpi_dev->dev.kobj, physnode_name);
 			sysfs_remove_link(&dev->kobj, "firmware_node");
 			ACPI_COMPANION_SET(dev, NULL);
-			/* acpi_bind_one() increase refcnt by one. */
+			/* Drop references taken by acpi_bind_one(). */
 			put_device(dev);
+			put_device(&acpi_dev->dev);
 			kfree(entry);
 			break;
 		}


  parent reply	other threads:[~2013-11-13 23:14 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-11-10  0:58 [PATCH] ACPI / driver core: Store a device pointer in struct acpi_dev_node Rafael J. Wysocki
2013-11-10 15:16 ` Greg Kroah-Hartman
2013-11-11  1:21 ` Lan Tianyu
2013-11-11 13:45   ` Rafael J. Wysocki
2013-11-11 15:03     ` Greg Kroah-Hartman
2013-11-11 21:56       ` Rafael J. Wysocki
2013-11-12  9:24     ` Mika Westerberg
2013-11-12 14:20       ` Rafael J. Wysocki
2013-11-13  6:57     ` Aaron Lu
2013-11-13 23:25 ` [PATCH 0/2] ACPI: Additional changes on top of "ACPI / driver core: Store a device pointer in struct acpi_dev_node" Rafael J. Wysocki
2013-11-13 23:26   ` [PATCH 1/2] ACPI: Eliminate the DEVICE_ACPI_HANDLE() macro Rafael J. Wysocki
2013-11-14  2:44     ` Greg Kroah-Hartman
2013-11-13 23:26   ` Rafael J. Wysocki [this message]
2013-11-14  2:43     ` [PATCH 2/2] ACPI / bind: Use (put|get)_device() on ACPI device objects too Greg Kroah-Hartman
2013-11-14  7:20     ` Lan Tianyu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9712243.It8gvaRCs0@vostro.rjw.lan \
    --to=rjw@rjwysocki.net \
    --cc=aaron.lu@intel.com \
    --cc=bhelgaas@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jarkko.nikula@linux.intel.com \
    --cc=linux-acpi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=mika.westerberg@linux.intel.com \
    --cc=tianyu.lan@intel.com \
    --cc=tony.luck@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).