From: "Rafael J. Wysocki" <rjw@sisk.pl> To: Len Brown <lenb@kernel.org> Cc: chepioq@gmail.com, Alex Chiang <achiang@hp.com>, Linux PCI <linux-pci@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>, Jesse Barnes <jbarnes@virtuousgeek.org>, ACPI Devel Maling List <linux-acpi@vger.kernel.org>, Danny Feng <dfeng@redhat.com>, pm list <linux-pm@lists.linux-foundation.org> Subject: [PATCH] ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() Date: Tue, 6 Oct 2009 01:30:43 +0200 [thread overview] Message-ID: <200910060130.43246.rjw@sisk.pl> (raw) From: Rafael J. Wysocki <rjw@sisk.pl> acpi_get_pci_dev() assumes that every handle it finds in the ACPI CA name space, between given device handle and the PCI root bridge handle, corresponds to a PCI-to-PCI bridge with an existing secondary bus. For this reason, when it finds a struct pci_dev object corresponding to one of them, it doesn't check if its 'subordinate' field is a valid pointer. However, during resume from a sleep state, as well as at startup, we may get a dock notification, via dock_acpi_notifier registered by dock_init(), for a docking station device that is present in the ACPI tables, but not physically accessible at the moment. In that situation, the device appears to be below a PCI bridge whose 'subordinate' field is NULL. This, in turn, causes acpi_get_pci_dev() to trigger a NULL pointer dereference. To fix this issue make acpi_get_pci_dev() check if pdev->subordinate is not NULL for every device it finds in the path between the root bridge and the device it's supposed to get to and return NULL if the "target" device is not really accessible. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14129, which is a regression from 2.6.30. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Reported-by: Danny Feng <dfeng@redhat.com> Tested-by: chepioq <chepioq@gmail.com> --- drivers/acpi/pci_root.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) Index: linux-2.6/drivers/acpi/pci_root.c =================================================================== --- linux-2.6.orig/drivers/acpi/pci_root.c +++ linux-2.6/drivers/acpi/pci_root.c @@ -389,6 +389,18 @@ struct pci_dev *acpi_get_pci_dev(acpi_ha pbus = pdev->subordinate; pci_dev_put(pdev); + + /* + * During resume from a sleep state we can get a dock + * notification for a device that is present in ACPI tables, + * but not physically accessible at the moment, so tell the + * caller it's not present in that case. + */ + if (!pbus) { + dev_info(&pdev->dev, "Secondary bus not present\n"); + pdev = NULL; + break; + } } out: list_for_each_entry_safe(node, tmp, &device_list, node)
WARNING: multiple messages have this Message-ID (diff)
From: "Rafael J. Wysocki" <rjw@sisk.pl> To: Len Brown <lenb@kernel.org> Cc: LKML <linux-kernel@vger.kernel.org>, ACPI Devel Maling List <linux-acpi@vger.kernel.org>, pm list <linux-pm@lists.linux-foundation.org>, Alex Chiang <achiang@hp.com>, Danny Feng <dfeng@redhat.com>, Jesse Barnes <jbarnes@virtuousgeek.org>, Linux PCI <linux-pci@vger.kernel.org>, chepioq@gmail.com Subject: [PATCH] ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() Date: Tue, 6 Oct 2009 01:30:43 +0200 [thread overview] Message-ID: <200910060130.43246.rjw@sisk.pl> (raw) From: Rafael J. Wysocki <rjw@sisk.pl> acpi_get_pci_dev() assumes that every handle it finds in the ACPI CA name space, between given device handle and the PCI root bridge handle, corresponds to a PCI-to-PCI bridge with an existing secondary bus. For this reason, when it finds a struct pci_dev object corresponding to one of them, it doesn't check if its 'subordinate' field is a valid pointer. However, during resume from a sleep state, as well as at startup, we may get a dock notification, via dock_acpi_notifier registered by dock_init(), for a docking station device that is present in the ACPI tables, but not physically accessible at the moment. In that situation, the device appears to be below a PCI bridge whose 'subordinate' field is NULL. This, in turn, causes acpi_get_pci_dev() to trigger a NULL pointer dereference. To fix this issue make acpi_get_pci_dev() check if pdev->subordinate is not NULL for every device it finds in the path between the root bridge and the device it's supposed to get to and return NULL if the "target" device is not really accessible. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14129, which is a regression from 2.6.30. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Reported-by: Danny Feng <dfeng@redhat.com> Tested-by: chepioq <chepioq@gmail.com> --- drivers/acpi/pci_root.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) Index: linux-2.6/drivers/acpi/pci_root.c =================================================================== --- linux-2.6.orig/drivers/acpi/pci_root.c +++ linux-2.6/drivers/acpi/pci_root.c @@ -389,6 +389,18 @@ struct pci_dev *acpi_get_pci_dev(acpi_ha pbus = pdev->subordinate; pci_dev_put(pdev); + + /* + * During resume from a sleep state we can get a dock + * notification for a device that is present in ACPI tables, + * but not physically accessible at the moment, so tell the + * caller it's not present in that case. + */ + if (!pbus) { + dev_info(&pdev->dev, "Secondary bus not present\n"); + pdev = NULL; + break; + } } out: list_for_each_entry_safe(node, tmp, &device_list, node)
next reply other threads:[~2009-10-05 23:30 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2009-10-05 23:30 Rafael J. Wysocki [this message] 2009-10-05 23:30 ` [PATCH] ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() Rafael J. Wysocki 2009-10-05 23:37 ` Alex Chiang 2009-10-05 23:37 ` Alex Chiang 2009-10-06 0:01 ` Rafael J. Wysocki 2009-10-06 0:01 ` Rafael J. Wysocki 2009-10-06 2:41 ` Len Brown 2009-10-06 2:41 ` Len Brown 2009-10-12 23:01 ` [PATCH] ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() (rev. 2) Rafael J. Wysocki 2009-10-12 23:01 ` Rafael J. Wysocki 2009-10-13 5:16 ` Len Brown 2009-10-13 5:16 ` Len Brown 2009-10-14 22:41 ` Alex Chiang 2009-10-14 22:41 ` Alex Chiang
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=200910060130.43246.rjw@sisk.pl \ --to=rjw@sisk.pl \ --cc=achiang@hp.com \ --cc=chepioq@gmail.com \ --cc=dfeng@redhat.com \ --cc=jbarnes@virtuousgeek.org \ --cc=lenb@kernel.org \ --cc=linux-acpi@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-pci@vger.kernel.org \ --cc=linux-pm@lists.linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.