ACPI / CPPC: Fix per-CPU pointer management in acpi_cppc_processor_probe()

Fix a possible use-after-free scenario in acpi_cppc_processor_probe()
that can happen if the function returns without cleaning up the
per-CPU pointer set by it previously.

Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

1 files changed, 6 insertions, 4 deletions

diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
index ae2ad6e94132..3ca0729f7e0e 100644
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -776,9 +776,6 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr)
                 init_waitqueue_head(&pcc_data.pcc_write_wait_q);
         }
 
-        /* Plug PSD data into this CPUs CPC descriptor. */
-        per_cpu(cpc_desc_ptr, pr->id) = cpc_ptr;
-
         /* Everything looks okay */
         pr_debug("Parsed CPC struct for CPU: %d\n", pr->id);
 
@@ -789,10 +786,15 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr)
                 goto out_free;
         }
 
+        /* Plug PSD data into this CPUs CPC descriptor. */
+        per_cpu(cpc_desc_ptr, pr->id) = cpc_ptr;
+
         ret = kobject_init_and_add(&cpc_ptr->kobj, &cppc_ktype, &cpu_dev->kobj,
                         "acpi_cppc");
-        if (ret)
+        if (ret) {
+                per_cpu(cpc_desc_ptr, pr->id) = NULL;
                 goto out_free;
+        }
 
         kfree(output.pointer);
         return 0;