ACPI: video: Fix NULL pointer dereference in acpi_video_bus_add()

acpi_video_bus_add_notify_handler() could free video->input and
set it to NULL on failure, but this failure would be missed in its
caller acpi_video_bus_add(). As a result, when an error happens in
acpi_dev_install_notify_handler(), acpi_video_bus_add() would call
acpi_video_bus_remove_notify_handler(), where a potential NULL pointer
video->input is dereferenced in input_unregister_device().

Fix this by adding a return value check and adjusting the following
error handling code.

Fixes: 6f7016819766 ("ACPI: video: Install Notify() handler directly")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
index 948e31f..b411948 100644 (file)
--- a/drivers/acpi/acpi_video.c
+++ b/drivers/acpi/acpi_video.c
@@ -2057,7 +2057,9 @@ static int acpi_video_bus_add(struct acpi_device *device)
            !auto_detect)
                acpi_video_bus_register_backlight(video);
 
-       acpi_video_bus_add_notify_handler(video);
+       error = acpi_video_bus_add_notify_handler(video);
+       if (error)
+               goto err_del;
 
        error = acpi_dev_install_notify_handler(device, ACPI_DEVICE_NOTIFY,
                                                acpi_video_bus_notify);
@@ -2067,10 +2069,11 @@ static int acpi_video_bus_add(struct acpi_device *device)
        return 0;
 
 err_remove:
+       acpi_video_bus_remove_notify_handler(video);
+err_del:
        mutex_lock(&video_list_lock);
        list_del(&video->entry);
        mutex_unlock(&video_list_lock);
-       acpi_video_bus_remove_notify_handler(video);
        acpi_video_bus_unregister_backlight(video);
 err_put_video:
        acpi_video_bus_put_devices(video);