
PCI: acpiphp_ibm: Fix null dereferences on null ibm_slot

ibm_slot_from_id() can return NULL if the des header signature is not
"aPCI" or if the kmalloc() for the returned ACPI descriptor copy fails,
so its callers may dereference a NULL descriptor.

Handle the null case with appropriate check and error return.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>

authored by

Colin Ian King and committed by
Bjorn Helgaas
1b47fd45 64609eaa

+14 -3
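--- a/drivers/pci/hotplug/acpiphp_ibm.c
+++ b/drivers/pci/hotplug/acpiphp_ibm.c
@@ -154,7 +154,8 @@
 ibm_slot_done:
 	if (ret) {
 		ret = kmalloc(sizeof(union apci_descriptor), GFP_KERNEL);
-		memcpy(ret, des, sizeof(union apci_descriptor));
+		if (ret)
+			memcpy(ret, des, sizeof(union apci_descriptor));
 	}
 	kfree(table);
 	return ret;
@@ -176,8 +175,13 @@
 	acpi_status stat;
 	unsigned long long rc;
 	union apci_descriptor *ibm_slot;
+	int id = hpslot_to_sun(slot);
 
-	ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot));
+	ibm_slot = ibm_slot_from_id(id);
+	if (!ibm_slot) {
+		pr_err("APLS null ACPI descriptor for slot %d\n", id);
+		return -ENODEV;
+	}
 
 	pr_debug("%s: set slot %d (%d) attention status to %d\n", __func__,
 		 ibm_slot->slot.slot_num, ibm_slot->slot.slot_id,
@@ -221,8 +215,13 @@
 static int ibm_get_attention_status(struct hotplug_slot *slot, u8 *status)
 {
 	union apci_descriptor *ibm_slot;
+	int id = hpslot_to_sun(slot);
 
-	ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot));
+	ibm_slot = ibm_slot_from_id(id);
+	if (!ibm_slot) {
+		pr_err("APLS null ACPI descriptor for slot %d\n", id);
+		return -ENODEV;
+	}
 
 	if (ibm_slot->slot.attn & 0xa0 || ibm_slot->slot.status[1] & 0x08)
 		*status = 1;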
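Review bot: The `kmalloc()` followed by the newly guarded `memcpy()` in the first hunk is the open-coded form of `ret = kmemdup(des, sizeof(union apci_descriptor), GFP_KERNEL);`, which returns NULL on failure by itself and drops the extra branch. Either way, an allocation failure and a descriptor whose signature is not "aPCI" both reach the callers as the same NULL, so the new checks in ibm_set_attention_status() and ibm_get_attention_status() log a "null ACPI descriptor" and return -ENODEV for an out-of-memory condition too; if that distinction matters, the lookup would have to return an ERR_PTR() or the callers would need a separate status. At minimum a comment above each check, `/* NULL: no "aPCI" descriptor for this slot, or the copy could not be allocated */`, would stop the next reader from taking the message literally. ibm_slot_from_id() and both callers start and end outside these hunks, so whether the non-error paths still release the heap copy is not visible here.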