Commit 28076483 authored by Rafael J. Wysocki's avatar Rafael J. Wysocki

ACPI / CPPC: Fix per-CPU pointer management in acpi_cppc_processor_probe()

Fix a possible use-after-free scenario in acpi_cppc_processor_probe()
that can happen if the function returns without cleaning up the
per-CPU pointer set by it previously.
Reported-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
parent 9e9d68da
...@@ -776,9 +776,6 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr) ...@@ -776,9 +776,6 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr)
init_waitqueue_head(&pcc_data.pcc_write_wait_q); init_waitqueue_head(&pcc_data.pcc_write_wait_q);
} }
/* Plug PSD data into this CPUs CPC descriptor. */
per_cpu(cpc_desc_ptr, pr->id) = cpc_ptr;
/* Everything looks okay */ /* Everything looks okay */
pr_debug("Parsed CPC struct for CPU: %d\n", pr->id); pr_debug("Parsed CPC struct for CPU: %d\n", pr->id);
...@@ -789,10 +786,15 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr) ...@@ -789,10 +786,15 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr)
goto out_free; goto out_free;
} }
/* Plug PSD data into this CPUs CPC descriptor. */
per_cpu(cpc_desc_ptr, pr->id) = cpc_ptr;
ret = kobject_init_and_add(&cpc_ptr->kobj, &cppc_ktype, &cpu_dev->kobj, ret = kobject_init_and_add(&cpc_ptr->kobj, &cppc_ktype, &cpu_dev->kobj,
"acpi_cppc"); "acpi_cppc");
if (ret) if (ret) {
per_cpu(cpc_desc_ptr, pr->id) = NULL;
goto out_free; goto out_free;
}
kfree(output.pointer); kfree(output.pointer);
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment