diff options
| author | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2013-11-14 17:18:32 -0500 |
|---|---|---|
| committer | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2013-11-14 17:18:32 -0500 |
| commit | a104b4d467d1c4a09727bac2816928aef3304d3a (patch) | |
| tree | ef1e2b2b10825be4c49c0ff2689a292835cd8dd4 /drivers/acpi | |
| parent | 3a83f992490f8235661b768e53bd5f14915420ac (diff) | |
ACPI / bind: Use (put|get)_device() on ACPI device objects too
When associating a "physical" device with an ACPI device object
acpi_bind_one() only uses get_device() to increment the reference
counter of the former, but there is no reason not to do that with
the latter too. Among other things, that may help to avoid
use-after-free when an ACPI device object is freed without calling
acpi_unbind_one() for all "physical" devices associated with it
(that only can happen in buggy code, but then it's better if the
kernel doesn't crash as a result of a bug).
For this reason, modify acpi_bind_one() to apply get_device() to
the ACPI device object too and update acpi_unbind_one() to drop
that reference using put_device() as appropriate.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Lan Tianyu <tianyu.lan@intel.com>
Diffstat (limited to 'drivers/acpi')
| -rw-r--r-- | drivers/acpi/glue.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/acpi/glue.c b/drivers/acpi/glue.c index 782071fd3df3..a22a295edb69 100644 --- a/drivers/acpi/glue.c +++ b/drivers/acpi/glue.c | |||
| @@ -217,6 +217,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle) | |||
| 217 | if (!acpi_dev) | 217 | if (!acpi_dev) |
| 218 | return -EINVAL; | 218 | return -EINVAL; |
| 219 | 219 | ||
| 220 | get_device(&acpi_dev->dev); | ||
| 220 | get_device(dev); | 221 | get_device(dev); |
| 221 | physical_node = kzalloc(sizeof(*physical_node), GFP_KERNEL); | 222 | physical_node = kzalloc(sizeof(*physical_node), GFP_KERNEL); |
| 222 | if (!physical_node) { | 223 | if (!physical_node) { |
| @@ -243,6 +244,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle) | |||
| 243 | goto err; | 244 | goto err; |
| 244 | 245 | ||
| 245 | put_device(dev); | 246 | put_device(dev); |
| 247 | put_device(&acpi_dev->dev); | ||
| 246 | return 0; | 248 | return 0; |
| 247 | } | 249 | } |
| 248 | if (pn->node_id == node_id) { | 250 | if (pn->node_id == node_id) { |
| @@ -282,6 +284,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle) | |||
| 282 | err: | 284 | err: |
| 283 | ACPI_COMPANION_SET(dev, NULL); | 285 | ACPI_COMPANION_SET(dev, NULL); |
| 284 | put_device(dev); | 286 | put_device(dev); |
| 287 | put_device(&acpi_dev->dev); | ||
| 285 | return retval; | 288 | return retval; |
| 286 | } | 289 | } |
| 287 | EXPORT_SYMBOL_GPL(acpi_bind_one); | 290 | EXPORT_SYMBOL_GPL(acpi_bind_one); |
| @@ -307,8 +310,9 @@ int acpi_unbind_one(struct device *dev) | |||
| 307 | sysfs_remove_link(&acpi_dev->dev.kobj, physnode_name); | 310 | sysfs_remove_link(&acpi_dev->dev.kobj, physnode_name); |
| 308 | sysfs_remove_link(&dev->kobj, "firmware_node"); | 311 | sysfs_remove_link(&dev->kobj, "firmware_node"); |
| 309 | ACPI_COMPANION_SET(dev, NULL); | 312 | ACPI_COMPANION_SET(dev, NULL); |
| 310 | /* acpi_bind_one() increase refcnt by one. */ | 313 | /* Drop references taken by acpi_bind_one(). */ |
| 311 | put_device(dev); | 314 | put_device(dev); |
| 315 | put_device(&acpi_dev->dev); | ||
| 312 | kfree(entry); | 316 | kfree(entry); |
| 313 | break; | 317 | break; |
| 314 | } | 318 | } |