[PATCH part4 04/11] PCI: Fix an access-after-free issue in function pci_stop_and_remove_bus()

From: Yinghai Lu
Date: Sun Sep 02 2012 - 17:58:40 EST


From: Jiang Liu <jiang.liu@xxxxxxxxxx>

If pci_stop_and_remove_bus() is called to remove a pci root bus,
the host_bridge structure may have already been freed after returning
from pci_remove_bus(). To avoid that, hold an extra reference count
to the root bus before calling pci_remove_bus(), so we can safely
access the pci_host_bridge structure after returning from function
pci_remove_bus().

Signed-off-by: Jiang Liu <jiang.liu@xxxxxxxxxx>
Signed-off-by: Yinghai Lu <yinghai@xxxxxxxxxx>
---
drivers/pci/remove.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c
index 94407d4..40f8148 100644
--- a/drivers/pci/remove.c
+++ b/drivers/pci/remove.c
@@ -154,6 +154,7 @@ void pci_stop_and_remove_bus(struct pci_bus *bus)

if (pci_is_root_bus(bus)) {
host_bridge = to_pci_host_bridge(bus->bridge);
+ get_device(&host_bridge->dev);
pci_stop_host_bridge(host_bridge);
} else
pci_bridge = bus->self;
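Review bot: the commit message says the extra reference is held on the root bus, but the get_device() added in the pci_is_root_bus() branch pins &host_bridge->dev, which is the host bridge device. The later access is to host_bridge->bus, so pinning the bridge is what the code needs, and the message should say "host bridge" rather than "root bus". A one-line comment above get_device() naming the matching put_device() after pci_remove_bus() would also make the pairing obvious to later readers.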
@@ -162,8 +163,10 @@ void pci_stop_and_remove_bus(struct pci_bus *bus)

pci_remove_bus(bus);

- if (host_bridge)
+ if (host_bridge) {
host_bridge->bus = NULL;
+ put_device(&host_bridge->dev);
+ }

if (pci_bridge)
pci_bridge->subordinate = NULL;
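Review bot: put_device(&host_bridge->dev) inside the new braces may drop the last reference, so it has to remain the final use of host_bridge in this function. The store host_bridge->bus = NULL correctly precedes it; a short comment saying the order matters would guard against someone swapping the two lines or adding a later dereference of host_bridge. The balance also depends on every path from the get_device() in the root-bus branch reaching this put, so an early return added between them in future would leak the reference.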
--
1.7.7
