[ 3.8.y.z extended stable ] Patch "ACPI / memhotplug: Fix a stale pointer in error path" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Thu Jul 25 19:28:56 UTC 2013 

This is a note to let you know that I have just added a patch titled

    ACPI / memhotplug: Fix a stale pointer in error path

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.6.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From f4072148ec85ce5e4a7968a08efb454f96be6eae Mon Sep 17 00:00:00 2001
From: Toshi Kani <toshi.kani at hp.com>
Date: Wed, 10 Jul 2013 10:47:13 -0600
Subject: ACPI / memhotplug: Fix a stale pointer in error path

commit d19f503e22316a84c39bc19445e0e4fdd49b3532 upstream.

device->driver_data needs to be cleared when releasing its data,
mem_device, in an error path of acpi_memory_device_add().

The function evaluates the _CRS of memory device objects, and fails
when it gets an unexpected resource or cannot allocate memory.  A
kernel crash or data corruption may occur when the kernel accesses
the stale pointer.

Signed-off-by: Toshi Kani <toshi.kani at hp.com>
Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki at jp.fujitsu.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki at intel.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/acpi/acpi_memhotplug.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/acpi/acpi_memhotplug.c b/drivers/acpi/acpi_memhotplug.c
index b679bf8..6d11ec6 100644
--- a/drivers/acpi/acpi_memhotplug.c
+++ b/drivers/acpi/acpi_memhotplug.c
@@ -406,6 +406,7 @@ static int acpi_memory_device_add(struct acpi_device *device)
 	/* Get the range from the _CRS */
 	result = acpi_memory_get_device_resources(mem_device);
 	if (result) {
+		device->driver_data = NULL;
 		kfree(mem_device);
 		return result;
 	}
--
1.8.1.2

More information about the kernel-team mailing list