ACPI / bind: Use (put|get)_device() on ACPI device objects too
authorRafael J. Wysocki <rafael.j.wysocki@intel.com>
Thu, 14 Nov 2013 22:18:32 +0000 (23:18 +0100)
committerRafael J. Wysocki <rafael.j.wysocki@intel.com>
Thu, 14 Nov 2013 22:18:32 +0000 (23:18 +0100)
When associating a "physical" device with an ACPI device object
acpi_bind_one() only uses get_device() to increment the reference
counter of the former, but there is no reason not to do that with
the latter too.  Among other things, that may help to avoid
use-after-free when an ACPI device object is freed without calling
acpi_unbind_one() for all "physical" devices associated with it
(that only can happen in buggy code, but then it's better if the
kernel doesn't crash as a result of a bug).

For this reason, modify acpi_bind_one() to apply get_device() to
the ACPI device object too and update acpi_unbind_one() to drop
that reference using put_device() as appropriate.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Lan Tianyu <tianyu.lan@intel.com>
drivers/acpi/glue.c

index 782071f..a22a295 100644 (file)
@@ -217,6 +217,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle)
        if (!acpi_dev)
                return -EINVAL;
 
+       get_device(&acpi_dev->dev);
        get_device(dev);
        physical_node = kzalloc(sizeof(*physical_node), GFP_KERNEL);
        if (!physical_node) {
@@ -243,6 +244,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle)
                                goto err;
 
                        put_device(dev);
+                       put_device(&acpi_dev->dev);
                        return 0;
                }
                if (pn->node_id == node_id) {
@@ -282,6 +284,7 @@ int acpi_bind_one(struct device *dev, acpi_handle handle)
  err:
        ACPI_COMPANION_SET(dev, NULL);
        put_device(dev);
+       put_device(&acpi_dev->dev);
        return retval;
 }
 EXPORT_SYMBOL_GPL(acpi_bind_one);
@@ -307,8 +310,9 @@ int acpi_unbind_one(struct device *dev)
                        sysfs_remove_link(&acpi_dev->dev.kobj, physnode_name);
                        sysfs_remove_link(&dev->kobj, "firmware_node");
                        ACPI_COMPANION_SET(dev, NULL);
-                       /* acpi_bind_one() increase refcnt by one. */
+                       /* Drop references taken by acpi_bind_one(). */
                        put_device(dev);
+                       put_device(&acpi_dev->dev);
                        kfree(entry);
                        break;
                }