authorColin Ian King <colin.king@canonical.com>2016-01-01 19:27:01 -0500
committerBjorn Helgaas <bhelgaas@google.com>2016-01-08 13:12:33 -0500
commit1b47fd4551061ad6db5adf063d424aded798a7c9 (patch)
tree268a5f789769b258ecae3d85ab8f2b8f23b273f8 /drivers
parent64609eaab242d36e3e3b7cb81d31a028719feb74 (diff)
PCI: acpiphp_ibm: Fix null dereferences on null ibm_slot
ibm_slot_from_id() can return null if the des header signature is not "aPCI" or if the kmalloc() for the return ACPI descriptor fails, causing potential null pointer dereferences on the return null descriptor. Handle the null case with appropriate check and error return. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/pci/hotplug/acpiphp_ibm.c17
1 files changed, 14 insertions, 3 deletions
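--- a/drivers/pci/hotplug/acpiphp_ibm.c
+++ b/drivers/pci/hotplug/acpiphp_ibm.c
@@ -154,7 +154,8 @@ static union apci_descriptor *ibm_slot_from_id(int id)
 ibm_slot_done:
  if (ret) {
  ret = kmalloc(sizeof(union apci_descriptor), GFP_KERNEL);
- memcpy(ret, des, sizeof(union apci_descriptor));
+ if (ret)
+ memcpy(ret, des, sizeof(union apci_descriptor));
  }
  kfree(table);
  return ret;
@@ -175,8 +176,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status)
  acpi_status stat;
  unsigned long long rc;
  union apci_descriptor *ibm_slot;
+ int id = hpslot_to_sun(slot);
 
- ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot));
+ ibm_slot = ibm_slot_from_id(id);
+ if (!ibm_slot) {
+ pr_err("APLS null ACPI descriptor for slot %d\n", id);
+ return -ENODEV;
+ }
 
  pr_debug("%s: set slot %d (%d) attention status to %d\n", __func__,
  ibm_slot->slot.slot_num, ibm_slot->slot.slot_id,
@@ -215,8 +221,13 @@ static int ibm_set_attention_status(struct hotplug_slot *slot, u8 status)
 static int ibm_get_attention_status(struct hotplug_slot *slot, u8 *status)
 {
  union apci_descriptor *ibm_slot;
+ int id = hpslot_to_sun(slot);
 
- ibm_slot = ibm_slot_from_id(hpslot_to_sun(slot));
+ ibm_slot = ibm_slot_from_id(id);
+ if (!ibm_slot) {
+ pr_err("APLS null ACPI descriptor for slot %d\n", id);
+ return -ENODEV;
+ }
 
  if (ibm_slot->slot.attn & 0xa0 || ibm_slot->slot.status[1] & 0x08)
  *status = 1;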
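Review bot: The two new `if (!ibm_slot)` checks in ibm_set_attention_status() and ibm_get_attention_status() return -ENODEV for every NULL, yet the commit description says ibm_slot_from_id() also returns NULL when its kmalloc() fails, so an allocation failure is reported to callers as a missing device and logged with the same "null ACPI descriptor" message. If callers need to tell the two apart, ibm_slot_from_id() could return `ERR_PTR(-ENOMEM)` on the allocation path and the callers could propagate `PTR_ERR(ibm_slot)`; at minimum a comment such as `/* NULL means bad descriptor signature or allocation failure */` above each check would record the ambiguity. In the first hunk the allocate-then-copy pair could be written as `ret = kmemdup(des, sizeof(union apci_descriptor), GFP_KERNEL);`, which folds the NULL handling into one call. All three functions begin or end outside the visible hunks, so whether every later return path frees the copied descriptor cannot be confirmed from these lines.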