From a104b4d467d1c4a09727bac2816928aef3304d3a Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" Date: Thu, 14 Nov 2013 23:18:32 +0100 Subject: [PATCH] ACPI / bind: Use (put|get)_device() on ACPI device objects too When associating a "physical" device with an ACPI device object acpi_bind_one() only uses get_device() to increment the reference counter of the former, but there is no reason not to do that with the latter too. Among other things, that may help to avoid use-after-free when an ACPI device object is freed without calling acpi_unbind_one() for all "physical" devices associated with it (that only can happen in buggy code, but then it's better if the kernel doesn't crash as a result of a bug). For this reason, modify acpi_bind_one() to apply get_device() to the ACPI device object too and update acpi_unbind_one() to drop that reference using put_device() as appropriate. Signed-off-by: Rafael J. Wysocki Acked-by: Greg Kroah-Hartman Reviewed-by: Lan Tianyu --- drivers/acpi/glue.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/glue.c b/drivers/acpi/glue.c index 782071f..a22a295 100644 --- a/drivers/acpi/glue.c +++ b/drivers/acpi/glue.c @@ -217,6 +217,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle) if (!acpi_dev) return -EINVAL; + get_device(&acpi_dev->dev); get_device(dev); physical_node = kzalloc(sizeof(*physical_node), GFP_KERNEL); if (!physical_node) { @@ -243,6 +244,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle) goto err; put_device(dev); + put_device(&acpi_dev->dev); return 0; } if (pn->node_id == node_id) { @@ -282,6 +284,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle) err: ACPI_COMPANION_SET(dev, NULL); put_device(dev); + put_device(&acpi_dev->dev); return retval; } EXPORT_SYMBOL_GPL(acpi_bind_one); @@ -307,8 +310,9 @@ int acpi_unbind_one(struct device *dev) sysfs_remove_link(&acpi_dev->dev.kobj, physnode_name); sysfs_remove_link(&dev->kobj, "firmware_node"); ACPI_COMPANION_SET(dev, NULL); - /* acpi_bind_one() increase refcnt by one. */ + /* Drop references taken by acpi_bind_one(). */ put_device(dev); + put_device(&acpi_dev->dev); kfree(entry); break; } -- 2.7.4