PCI: Fix pci_slot_release() NULL pointer dereference
commit 4684709 upstream.

If kobject_init_and_add() fails, pci_slot_release() is called to delete
slot->list from parent->slots.  But slot->list hasn't been initialized
yet, so we dereference a NULL pointer:

  Unable to handle kernel NULL pointer dereference at virtual address
00000000
  ...
  CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 torvalds#197
  task: ffffeb398a45ef10 task.stack: ffffeb398a470000
  PC is at __list_del_entry_valid+0x5c/0xb0
  LR is at pci_slot_release+0x84/0xe4
  ...
  __list_del_entry_valid+0x5c/0xb0
  pci_slot_release+0x84/0xe4
  kobject_put+0x184/0x1c4
  pci_create_slot+0x17c/0x1b4
  __pci_hp_initialize+0x68/0xa4
  pciehp_probe+0x1a4/0x2fc
  pcie_port_probe_service+0x58/0x84
  driver_probe_device+0x320/0x470

Initialize slot->list before calling kobject_init_and_add() to avoid this.

Fixes: 8a94644 ("PCI: Fix pci_create_slot() reference count leak")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jubin Zhong <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Cc: [email protected]	# v5.9+
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Jubin Zhong authored and gregkh committed Dec 28, 2020
1 parent a4bf65e commit 9001881
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions drivers/pci/slot.c
Expand Up @@ -307,16 +307,16 @@ struct pci_slot *pci_create_slot(struct pci_bus *parent, int slot_nr,
goto err;
}

INIT_LIST_HEAD(&slot->list);
list_add(&slot->list, &parent->slots);

err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL,
"%s", slot_name);
if (err) {
kobject_put(&slot->kobj);
goto err;
}

INIT_LIST_HEAD(&slot->list);
list_add(&slot->list, &parent->slots);

down_read(&pci_bus_sem);
list_for_each_entry(dev, &parent->devices, bus_list)
if (PCI_SLOT(dev->devfn) == slot_nr)
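Review bot: with `list_add(&slot->list, &parent->slots)` moved ahead of `kobject_init_and_add()`, a failure there leaves the slot linked on `parent->slots` until `kobject_put(&slot->kobj)` runs `pci_slot_release()`, so the `goto err` that follows the `kobject_put()` must not unlink or free `slot` a second time. A one-line comment above the `kobject_init_and_add()` call stating that `kobject_put()` owns the teardown (list removal and free) from that point would make the ownership explicit for the next change to this error path.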
