lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 17 Oct 2012 10:25:32 +0900
From:	Yasuaki Ishimatsu <isimatu.yasuaki@...fujitsu.com>
To:	Toshi Kani <toshi.kani@...com>
CC:	<linux-acpi@...r.kernel.org>, <lenb@...nel.org>,
	<linux-kernel@...r.kernel.org>, <rjw@...k.pl>, <liuj97@...il.com>
Subject: Re: [PATCH 1/2] ACPI: Fix stale pointer access to flags.lockable

2012/10/16 1:34, Toshi Kani wrote:
> During hot-remove, acpi_bus_hot_remove_device() calls ACPI _LCK
> method when device->flags.lockable is set. However, this device
> pointer is stale since the target acpi_device object has been
> already kfree'd by acpi_bus_trim().
> 
> The flags.lockable indicates whether or not this ACPI object
> implements _LCK method. Fix the stable pointer access by replacing
> it with acpi_get_handle() to check if _LCK is implemented.
> 
> Signed-off-by: Toshi Kani <toshi.kani@...com>

Looks good to me.
Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@...fujitsu.com>

> ---
>   drivers/acpi/scan.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
> index 1fcb867..ed87f43 100644
> --- a/drivers/acpi/scan.c
> +++ b/drivers/acpi/scan.c
> @@ -97,6 +97,7 @@ void acpi_bus_hot_remove_device(void *context)
>   	struct acpi_eject_event *ej_event = (struct acpi_eject_event *) context;
>   	struct acpi_device *device;
>   	acpi_handle handle = ej_event->handle;
> +	acpi_handle temp;
>   	struct acpi_object_list arg_list;
>   	union acpi_object arg;
>   	acpi_status status = AE_OK;
> @@ -117,13 +118,16 @@ void acpi_bus_hot_remove_device(void *context)
>   		goto err_out;
>   	}
>   
> +	/* device has been freed */
> +	device = NULL;
> +
>   	/* power off device */
>   	status = acpi_evaluate_object(handle, "_PS3", NULL, NULL);
>   	if (ACPI_FAILURE(status) && status != AE_NOT_FOUND)
>   		printk(KERN_WARNING PREFIX
>   				"Power-off device failed\n");
>   
> -	if (device->flags.lockable) {
> +	if (ACPI_SUCCESS(acpi_get_handle(handle, "_LCK", &temp))) {
>   		arg_list.count = 1;
>   		arg_list.pointer = &arg;
>   		arg.type = ACPI_TYPE_INTEGER;
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ