summaryrefslogtreecommitdiffstats
path: root/drivers/pci/slot.c
diff options
context:
space:
mode:
authorJubin Zhong <zhongjubin@huawei.com>2020-12-02 03:33:42 +0100
committerBjorn Helgaas <bhelgaas@google.com>2020-12-05 00:38:27 +0100
commit4684709bf81a2d98152ed6b610e3d5c403f9bced (patch)
tree6331f788ee519abcc2614ca4e34700d2c64175c4 /drivers/pci/slot.c
parentPCI: ibmphp: Remove unneeded break (diff)
downloadlinux-4684709bf81a2d98152ed6b610e3d5c403f9bced.tar.xz
linux-4684709bf81a2d98152ed6b610e3d5c403f9bced.zip
PCI: Fix pci_slot_release() NULL pointer dereference
If kobject_init_and_add() fails, pci_slot_release() is called to delete slot->list from parent->slots. But slot->list hasn't been initialized yet, so we dereference a NULL pointer: Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 #197 task: ffffeb398a45ef10 task.stack: ffffeb398a470000 PC is at __list_del_entry_valid+0x5c/0xb0 LR is at pci_slot_release+0x84/0xe4 ... __list_del_entry_valid+0x5c/0xb0 pci_slot_release+0x84/0xe4 kobject_put+0x184/0x1c4 pci_create_slot+0x17c/0x1b4 __pci_hp_initialize+0x68/0xa4 pciehp_probe+0x1a4/0x2fc pcie_port_probe_service+0x58/0x84 driver_probe_device+0x320/0x470 Initialize slot->list before calling kobject_init_and_add() to avoid this. Fixes: 8a94644b440e ("PCI: Fix pci_create_slot() reference count leak") Link: https://lore.kernel.org/r/1606876422-117457-1-git-send-email-zhongjubin@huawei.com Signed-off-by: Jubin Zhong <zhongjubin@huawei.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Cc: stable@vger.kernel.org # v5.9+
Diffstat (limited to 'drivers/pci/slot.c')
-rw-r--r--drivers/pci/slot.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/pci/slot.c b/drivers/pci/slot.c
index 3861505741e6..ed2077e7470a 100644
--- a/drivers/pci/slot.c
+++ b/drivers/pci/slot.c
@@ -272,6 +272,9 @@ placeholder:
goto err;
}
+ INIT_LIST_HEAD(&slot->list);
+ list_add(&slot->list, &parent->slots);
+
err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL,
"%s", slot_name);
if (err) {
@@ -279,9 +282,6 @@ placeholder:
goto err;
}
- INIT_LIST_HEAD(&slot->list);
- list_add(&slot->list, &parent->slots);
-
down_read(&pci_bus_sem);
list_for_each_entry(dev, &parent->devices, bus_list)
if (PCI_SLOT(dev->devfn) == slot_nr)