Commit f132e089 authored by Tuo Li's avatar Tuo Li Committed by Rafael J. Wysocki
Browse files

ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4() 



In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE
device and then reassigned an ISA device:

  dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...);
  dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...);

If the first lookup succeeds but the second fails, dev becomes NULL. This
leads to a potential null-pointer dereference when dev_dbg() is called:

  if (errata.piix4.bmisx)
    dev_dbg(&dev->dev, ...);

To prevent this, use two temporary pointers and retrieve each device
independently, avoiding overwriting dev with a possible NULL value.

Signed-off-by: default avatarTuo Li <islituo@gmail.com>
[ rjw: Subject adjustment, added an empty code line ]
Link: https://patch.msgid.link/20260111163214.202262-1-islituo@gmail.com


Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
parent 24b09e84

drivers/acpi/acpi_processor.c

+15 −13
Original line number Diff line number Diff line
@@ -50,6 +50,7 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) 
{

	u8 value1 = 0;

	u8 value2 = 0;

	struct pci_dev *ide_dev = NULL, *isa_dev = NULL;





	if (!dev)
@@ -107,12 +108,12 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) 
		 * each IDE controller's DMA status to make sure we catch all

		 * DMA activity.

		 */

		dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,

		ide_dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,

				     PCI_DEVICE_ID_INTEL_82371AB,

				     PCI_ANY_ID, PCI_ANY_ID, NULL);

		if (dev) {

			errata.piix4.bmisx = pci_resource_start(dev, 4);

			pci_dev_put(dev);

		if (ide_dev) {

			errata.piix4.bmisx = pci_resource_start(ide_dev, 4);

			pci_dev_put(ide_dev);

		}



		/*
@@ -124,24 +125,25 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) 
		 * disable C3 support if this is enabled, as some legacy

		 * devices won't operate well if fast DMA is disabled.

		 */

		dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,

		isa_dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,

				     PCI_DEVICE_ID_INTEL_82371AB_0,

				     PCI_ANY_ID, PCI_ANY_ID, NULL);

		if (dev) {

			pci_read_config_byte(dev, 0x76, &value1);

			pci_read_config_byte(dev, 0x77, &value2);

		if (isa_dev) {

			pci_read_config_byte(isa_dev, 0x76, &value1);

			pci_read_config_byte(isa_dev, 0x77, &value2);

			if ((value1 & 0x80) || (value2 & 0x80))

				errata.piix4.fdma = 1;

			pci_dev_put(dev);

			pci_dev_put(isa_dev);

		}



		break;

	}



	if (errata.piix4.bmisx)

		dev_dbg(&dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");

	if (errata.piix4.fdma)

		dev_dbg(&dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");

	if (ide_dev)

		dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");



	if (isa_dev)

		dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");



	return 0;

}