[ 3.5.y.z extended stable ] Patch "ACPI / memhotplug: Fix a stale pointer in error path" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Wed Jul 24 09:11:52 UTC 2013 

This is a note to let you know that I have just added a patch titled

    ACPI / memhotplug: Fix a stale pointer in error path

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From c3234b2cd2083d30985dc2b73862a4dc6612403c Mon Sep 17 00:00:00 2001
From: Toshi Kani <toshi.kani at hp.com>
Date: Wed, 10 Jul 2013 10:47:13 -0600
Subject: [PATCH] ACPI / memhotplug: Fix a stale pointer in error path

commit d19f503e22316a84c39bc19445e0e4fdd49b3532 upstream.

device->driver_data needs to be cleared when releasing its data,
mem_device, in an error path of acpi_memory_device_add().

The function evaluates the _CRS of memory device objects, and fails
when it gets an unexpected resource or cannot allocate memory.  A
kernel crash or data corruption may occur when the kernel accesses
the stale pointer.

Signed-off-by: Toshi Kani <toshi.kani at hp.com>
Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki at jp.fujitsu.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki at intel.com>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 drivers/acpi/acpi_memhotplug.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/acpi/acpi_memhotplug.c b/drivers/acpi/acpi_memhotplug.c
index d985713..f81597f 100644
--- a/drivers/acpi/acpi_memhotplug.c
+++ b/drivers/acpi/acpi_memhotplug.c
@@ -421,6 +421,7 @@ static int acpi_memory_device_add(struct acpi_device *device)
 	/* Get the range from the _CRS */
 	result = acpi_memory_get_device_resources(mem_device);
 	if (result) {
+		device->driver_data = NULL;
 		kfree(mem_device);
 		return result;
 	}
--
1.8.1.2

More information about the kernel-team mailing list