[PATCH -v3 25/47] Fix an access-after-free issue in function pci_stop_and_remove_bus()

From: Yinghai Lu
Date: Mon Mar 19 2012 - 02:00:34 EST


From: Jiang Liu <jiang.liu@xxxxxxxxxx>

If pci_stop_and_remove_bus() is called to remove a pci root bus,
the host_bridge structure may have already been freed after returning
from pci_remove_bus(). To avoid that, hold an extra reference count
to the root bus before calling pci_remove_bus(), so we can safely
access the pci_host_bridge structure after returning from function
pci_remove_bus().

Signed-off-by: Jiang Liu <jiang.liu@xxxxxxxxxx>
Signed-off-by: Yinghai Lu <yinghai@xxxxxxxxxx>
---
drivers/pci/remove.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c
index 75b0092..18efb31 100644
--- a/drivers/pci/remove.c
+++ b/drivers/pci/remove.c
@@ -186,6 +186,7 @@ void pci_stop_and_remove_bus(struct pci_bus *bus)

if (pci_is_root_bus(bus)) {
host_bridge = to_pci_host_bridge(bus->bridge);
+ get_device(&host_bridge->dev);
pci_stop_host_bridge(host_bridge);
} else
pci_bridge = bus->self;
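Review bot: the added get_device(&host_bridge->dev) in the root-bus branch pins the host bridge device, while the changelog says the patch holds "an extra reference count to the root bus". Those are different objects. Please reword the changelog to name the host bridge device. A one-line comment at the get_device() call saying the reference is dropped after pci_remove_bus() would also help, because the matching put_device() sits in a separate block further down the function.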
@@ -194,8 +195,10 @@ void pci_stop_and_remove_bus(struct pci_bus *bus)

pci_remove_bus(bus);

- if (host_bridge)
+ if (host_bridge) {
host_bridge->bus = NULL;
+ put_device(&host_bridge->dev);
+ }

if (pci_bridge)
pci_bridge->subordinate = NULL;
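Review bot: the unchanged pci_bridge branch at the end of this hunk still writes pci_bridge->subordinate = NULL after pci_remove_bus(bus) with no reference held, while the host_bridge branch now needs the get_device()/put_device() pair to do the equivalent write safely. Please either say in the changelog why bus->self cannot be freed by pci_remove_bus(), or take a matching reference for the non-root path. It is also worth a comment at put_device(&host_bridge->dev) noting that it may drop the last reference, so host_bridge must not be dereferenced after it.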
--
1.7.7
