From patchwork Wed Nov 28 01:40:43 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pan Bian
X-Patchwork-Id: 1004145
X-Patchwork-Delegate: davem@davemloft.net
From: Pan Bian
To: Bartlomiej Zolnierkiewicz , Jens Axboe
Cc: linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org, Pan Bian
Subject: [PATCH] ata: read ->revision before dropping pci_device reference
Date: Wed, 28 Nov 2018 09:40:43 +0800
Message-Id: <1543369243-64252-1-git-send-email-bianpan2016@163.com>
X-Mailer: git-send-email 2.7.4

pci_device->revision is read after dropping pci_device reference via pci_dev_put, which may result in use-after-free bugs. To fix this, the patch reads ->revision before dropping reference.

Signed-off-by: Pan Bian
Reviewed-by: Christoph Hellwig
--- drivers/ata/pata_sis.c | 4 +++- drivers/ata/pata_sl82c105.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/ata/pata_sis.c b/drivers/ata/pata_sis.c index 626f989..01635bc 100644 --- a/drivers/ata/pata_sis.c +++ b/drivers/ata/pata_sis.c @@ -833,6 +833,7 @@ static int sis_init_one (struct pci_dev *pdev, const struct pci_device_id *ent) u16 trueid; u8 prefctl; u8 idecfg; + u8 sbrev; /* Try the second unmasking technique */ pci_read_config_byte(pdev, 0x4a, &idecfg); @@ -846,9 +847,10 @@ static int sis_init_one (struct pci_dev *pdev, const struct pci_device_id *ent) if (lpc_bridge == NULL) break; pci_read_config_byte(pdev, 0x49, &prefctl); + sbrev = lpc_bridge->revision; pci_dev_put(lpc_bridge); - if (lpc_bridge->revision == 0x10 && (prefctl & 0x80)) { + if (sbrev == 0x10 && (prefctl & 0x80)) { chipset = &sis133_early; break; } 
diff --git a/drivers/ata/pata_sl82c105.c b/drivers/ata/pata_sl82c105.c index 4935f61f..476438e 100644 --- a/drivers/ata/pata_sl82c105.c +++ b/drivers/ata/pata_sl82c105.c @@ -264,6 +264,7 @@ static struct ata_port_operations sl82c105_port_ops = { static int sl82c105_bridge_revision(struct pci_dev *pdev) { struct pci_dev *bridge; + u8 rev; /* * The bridge should be part of the same device, but function 0. @@ -285,8 +286,9 @@ static int sl82c105_bridge_revision(struct pci_dev *pdev) /* * We need to find function 0's revision, not function 1 */ + rev = bridge->revision; pci_dev_put(bridge); - return bridge->revision; + return rev; } static void sl82c105_fixup(struct pci_dev *pdev)
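Review bot: in the second pata_sis.c hunk, nothing at `sbrev = lpc_bridge->revision;` says that the copy exists because the field must be read while the reference is still held, so a later cleanup could fold it back into the `if` after `pci_dev_put(lpc_bridge)`. A one-line comment above the assignment would pin the ordering. The commit message also carries no Fixes: tag, which would help a use-after-free fix reach stable trees.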
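Review bot: in the second pata_sl82c105.c hunk, `rev = bridge->revision;` lands under the existing comment about function 0's revision, which explains what is read but not why it now goes through a temporary before `pci_dev_put(bridge)`. Suggest extending that comment to say the read must happen before the reference is dropped. `u8 rev;` from the first hunk is narrower than the function's `int` return type, so `return rev;` widens implicitly; that preserves the value and matches `u8 sbrev` in pata_sis.c, so no change is needed there.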