2012-10-15 16:42:11

by Toshi Kani

Subject: [PATCH 1/2] ACPI: Fix stale pointer access to flags.lockable

During hot-remove, acpi_bus_hot_remove_device() calls ACPI _LCK
method when device->flags.lockable is set. However, this device
pointer is stale since the target acpi_device object has been
already kfree'd by acpi_bus_trim().

The flags.lockable indicates whether or not this ACPI object
implements _LCK method. Fix the stale pointer access by replacing
it with acpi_get_handle() to check if _LCK is implemented.

Signed-off-by: Toshi Kani <[email protected]>
---
drivers/acpi/scan.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
index 1fcb867..ed87f43 100644
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -97,6 +97,7 @@ void acpi_bus_hot_remove_device(void *context)
struct acpi_eject_event *ej_event = (struct acpi_eject_event *) context;
struct acpi_device *device;
acpi_handle handle = ej_event->handle;
+ acpi_handle temp;
struct acpi_object_list arg_list;
union acpi_object arg;
acpi_status status = AE_OK;
@@ -117,13 +118,16 @@ void acpi_bus_hot_remove_device(void *context)
goto err_out;
}

+ /* device has been freed */
+ device = NULL;
+
/* power off device */
status = acpi_evaluate_object(handle, "_PS3", NULL, NULL);
if (ACPI_FAILURE(status) && status != AE_NOT_FOUND)
printk(KERN_WARNING PREFIX
"Power-off device failed\n");

- if (device->flags.lockable) {
+ if (ACPI_SUCCESS(acpi_get_handle(handle, "_LCK", &temp))) {
arg_list.count = 1;
arg_list.pointer = &arg;
arg.type = ACPI_TYPE_INTEGER;
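
Review bot: the new `_LCK` test at the end of this hunk calls acpi_get_handle() purely as an existence probe, and `temp` is a throwaway out-parameter, whereas the `_PS3` evaluation a few lines up copes with a missing method by accepting AE_NOT_FOUND. Evaluating `_LCK` directly and treating AE_NOT_FOUND as non-fatal in the same way would drop the extra namespace lookup and the `temp` local. The `device = NULL;` assignment is a good guard, since any later use of the pointer now faults immediately instead of reading freed memory; its comment would be more useful if it named acpi_bus_trim() as the function that freed the object, as the commit message does.
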
--
1.7.11.7


2012-10-15 16:42:14

by Toshi Kani

Subject: [PATCH 2/2] ACPI: Remove unused lockable in acpi_device_flags

Removed lockable in struct acpi_device_flags since it is no
longer used by any code. acpi_bus_hot_remove_device() cannot
use this flag because acpi_bus_trim() frees up its acpi_device
object. Furthermore, the dock driver calls _LCK method without
using this lockable flag.

Signed-off-by: Toshi Kani <[email protected]>
---
drivers/acpi/scan.c | 5 -----
include/acpi/acpi_bus.h | 3 +--
2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
index ed87f43..19d3d4a 100644
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -1017,11 +1017,6 @@ static int acpi_bus_get_flags(struct acpi_device *device)
device->flags.ejectable = 1;
}

- /* Presence of _LCK indicates 'lockable' */
- status = acpi_get_handle(device->handle, "_LCK", &temp);
- if (ACPI_SUCCESS(status))
- device->flags.lockable = 1;
-
/* Power resources cannot be power manageable. */
if (device->device_type == ACPI_BUS_TYPE_POWER)
return 0;
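
Review bot: the block removed here was a user of both `status` and `temp` in acpi_bus_get_flags(), and the hunk context does not show any other user of either. Please confirm that the rest of the function still uses both; otherwise this removal leaves unused locals behind and the declarations should go in the same patch.
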
diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
index 0daa0fb..e8b2877 100644
--- a/include/acpi/acpi_bus.h
+++ b/include/acpi/acpi_bus.h
@@ -144,12 +144,11 @@ struct acpi_device_flags {
u32 bus_address:1;
u32 removable:1;
u32 ejectable:1;
- u32 lockable:1;
u32 suprise_removal_ok:1;
u32 power_manageable:1;
u32 performance_manageable:1;
u32 eject_pending:1;
- u32 reserved:23;
+ u32 reserved:24;
};

/* File System */
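
Review bot: dropping `lockable:1` from the middle of struct acpi_device_flags moves `suprise_removal_ok` and every later flag down by one bit, so the change relies on nothing depending on the raw bit layout of the structure. Widening `reserved` from 23 to 24 keeps the total width unchanged, which is right; a sentence in the changelog stating that the layout shift is harmless would make the removal easier to audit.
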
--
1.7.11.7

2012-10-17 01:25:59

by Yasuaki Ishimatsu

Subject: Re: [PATCH 1/2] ACPI: Fix stale pointer access to flags.lockable

2012/10/16 1:34, Toshi Kani wrote:
> During hot-remove, acpi_bus_hot_remove_device() calls ACPI _LCK
> method when device->flags.lockable is set. However, this device
> pointer is stale since the target acpi_device object has been
> already kfree'd by acpi_bus_trim().
>
> The flags.lockable indicates whether or not this ACPI object
> implements _LCK method. Fix the stale pointer access by replacing
> it with acpi_get_handle() to check if _LCK is implemented.
>
> Signed-off-by: Toshi Kani <[email protected]>

Looks good to me.
Reviewed-by: Yasuaki Ishimatsu <[email protected]>

> ---
> drivers/acpi/scan.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
> index 1fcb867..ed87f43 100644
> --- a/drivers/acpi/scan.c
> +++ b/drivers/acpi/scan.c
> @@ -97,6 +97,7 @@ void acpi_bus_hot_remove_device(void *context)
> struct acpi_eject_event *ej_event = (struct acpi_eject_event *) context;
> struct acpi_device *device;
> acpi_handle handle = ej_event->handle;
> + acpi_handle temp;
> struct acpi_object_list arg_list;
> union acpi_object arg;
> acpi_status status = AE_OK;
> @@ -117,13 +118,16 @@ void acpi_bus_hot_remove_device(void *context)
> goto err_out;
> }
>
> + /* device has been freed */
> + device = NULL;
> +
> /* power off device */
> status = acpi_evaluate_object(handle, "_PS3", NULL, NULL);
> if (ACPI_FAILURE(status) && status != AE_NOT_FOUND)
> printk(KERN_WARNING PREFIX
> "Power-off device failed\n");
>
> - if (device->flags.lockable) {
> + if (ACPI_SUCCESS(acpi_get_handle(handle, "_LCK", &temp))) {
> arg_list.count = 1;
> arg_list.pointer = &arg;
> arg.type = ACPI_TYPE_INTEGER;
>

2012-10-17 01:26:48

by Yasuaki Ishimatsu

Subject: Re: [PATCH 2/2] ACPI: Remove unused lockable in acpi_device_flags

2012/10/16 1:34, Toshi Kani wrote:
> Removed lockable in struct acpi_device_flags since it is no
> longer used by any code. acpi_bus_hot_remove_device() cannot
> use this flag because acpi_bus_trim() frees up its acpi_device
> object. Furthermore, the dock driver calls _LCK method without
> using this lockable flag.
>
> Signed-off-by: Toshi Kani <[email protected]>

Looks good to me.
Reviewed-by: Yasuaki Ishimatsu <[email protected]>

> ---
> drivers/acpi/scan.c | 5 -----
> include/acpi/acpi_bus.h | 3 +--
> 2 files changed, 1 insertion(+), 7 deletions(-)
>
> diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
> index ed87f43..19d3d4a 100644
> --- a/drivers/acpi/scan.c
> +++ b/drivers/acpi/scan.c
> @@ -1017,11 +1017,6 @@ static int acpi_bus_get_flags(struct acpi_device *device)
> device->flags.ejectable = 1;
> }
>
> - /* Presence of _LCK indicates 'lockable' */
> - status = acpi_get_handle(device->handle, "_LCK", &temp);
> - if (ACPI_SUCCESS(status))
> - device->flags.lockable = 1;
> -
> /* Power resources cannot be power manageable. */
> if (device->device_type == ACPI_BUS_TYPE_POWER)
> return 0;
> diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
> index 0daa0fb..e8b2877 100644
> --- a/include/acpi/acpi_bus.h
> +++ b/include/acpi/acpi_bus.h
> @@ -144,12 +144,11 @@ struct acpi_device_flags {
> u32 bus_address:1;
> u32 removable:1;
> u32 ejectable:1;
> - u32 lockable:1;
> u32 suprise_removal_ok:1;
> u32 power_manageable:1;
> u32 performance_manageable:1;
> u32 eject_pending:1;
> - u32 reserved:23;
> + u32 reserved:24;
> };
>
> /* File System */
>

2012-10-17 14:03:09

by Toshi Kani

Subject: Re: [PATCH 1/2] ACPI: Fix stale pointer access to flags.lockable

On Wed, 2012-10-17 at 10:25 +0900, Yasuaki Ishimatsu wrote:
> 2012/10/16 1:34, Toshi Kani wrote:
> > During hot-remove, acpi_bus_hot_remove_device() calls ACPI _LCK
> > method when device->flags.lockable is set. However, this device
> > pointer is stale since the target acpi_device object has been
> > already kfree'd by acpi_bus_trim().
> >
> > The flags.lockable indicates whether or not this ACPI object
> > implements _LCK method. Fix the stale pointer access by replacing
> > it with acpi_get_handle() to check if _LCK is implemented.
> >
> > Signed-off-by: Toshi Kani <[email protected]>
>
> Looks good to me.
> Reviewed-by: Yasuaki Ishimatsu <[email protected]>

Thanks Yasuaki for reviewing!
-Toshi


> > ---
> > drivers/acpi/scan.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
> > index 1fcb867..ed87f43 100644
> > --- a/drivers/acpi/scan.c
> > +++ b/drivers/acpi/scan.c
> > @@ -97,6 +97,7 @@ void acpi_bus_hot_remove_device(void *context)
> > struct acpi_eject_event *ej_event = (struct acpi_eject_event *) context;
> > struct acpi_device *device;
> > acpi_handle handle = ej_event->handle;
> > + acpi_handle temp;
> > struct acpi_object_list arg_list;
> > union acpi_object arg;
> > acpi_status status = AE_OK;
> > @@ -117,13 +118,16 @@ void acpi_bus_hot_remove_device(void *context)
> > goto err_out;
> > }
> >
> > + /* device has been freed */
> > + device = NULL;
> > +
> > /* power off device */
> > status = acpi_evaluate_object(handle, "_PS3", NULL, NULL);
> > if (ACPI_FAILURE(status) && status != AE_NOT_FOUND)
> > printk(KERN_WARNING PREFIX
> > "Power-off device failed\n");
> >
> > - if (device->flags.lockable) {
> > + if (ACPI_SUCCESS(acpi_get_handle(handle, "_LCK", &temp))) {
> > arg_list.count = 1;
> > arg_list.pointer = &arg;
> > arg.type = ACPI_TYPE_INTEGER;
> >
>
>

2012-10-17 14:04:16

by Toshi Kani

Subject: Re: [PATCH 2/2] ACPI: Remove unused lockable in acpi_device_flags

On Wed, 2012-10-17 at 10:26 +0900, Yasuaki Ishimatsu wrote:
> 2012/10/16 1:34, Toshi Kani wrote:
> > Removed lockable in struct acpi_device_flags since it is no
> > longer used by any code. acpi_bus_hot_remove_device() cannot
> > use this flag because acpi_bus_trim() frees up its acpi_device
> > object. Furthermore, the dock driver calls _LCK method without
> > using this lockable flag.
> >
> > Signed-off-by: Toshi Kani <[email protected]>
>
> Looks good to me.
> Reviewed-by: Yasuaki Ishimatsu <[email protected]>

Thanks Yasuaki for reviewing!
-Toshi


> > ---
> > drivers/acpi/scan.c | 5 -----
> > include/acpi/acpi_bus.h | 3 +--
> > 2 files changed, 1 insertion(+), 7 deletions(-)
> >
> > diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
> > index ed87f43..19d3d4a 100644
> > --- a/drivers/acpi/scan.c
> > +++ b/drivers/acpi/scan.c
> > @@ -1017,11 +1017,6 @@ static int acpi_bus_get_flags(struct acpi_device *device)
> > device->flags.ejectable = 1;
> > }
> >
> > - /* Presence of _LCK indicates 'lockable' */
> > - status = acpi_get_handle(device->handle, "_LCK", &temp);
> > - if (ACPI_SUCCESS(status))
> > - device->flags.lockable = 1;
> > -
> > /* Power resources cannot be power manageable. */
> > if (device->device_type == ACPI_BUS_TYPE_POWER)
> > return 0;
> > diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
> > index 0daa0fb..e8b2877 100644
> > --- a/include/acpi/acpi_bus.h
> > +++ b/include/acpi/acpi_bus.h
> > @@ -144,12 +144,11 @@ struct acpi_device_flags {
> > u32 bus_address:1;
> > u32 removable:1;
> > u32 ejectable:1;
> > - u32 lockable:1;
> > u32 suprise_removal_ok:1;
> > u32 power_manageable:1;
> > u32 performance_manageable:1;
> > u32 eject_pending:1;
> > - u32 reserved:23;
> > + u32 reserved:24;
> > };
> >
> > /* File System */
> >
>
>

2012-10-24 22:04:33

by Rafael J. Wysocki

Subject: Re: [PATCH 1/2] ACPI: Fix stale pointer access to flags.lockable

On Wednesday 17 of October 2012 07:55:42 Toshi Kani wrote:
> On Wed, 2012-10-17 at 10:25 +0900, Yasuaki Ishimatsu wrote:
> > 2012/10/16 1:34, Toshi Kani wrote:
> > > During hot-remove, acpi_bus_hot_remove_device() calls ACPI _LCK
> > > method when device->flags.lockable is set. However, this device
> > > pointer is stale since the target acpi_device object has been
> > > already kfree'd by acpi_bus_trim().
> > >
> > > The flags.lockable indicates whether or not this ACPI object
> > > implements _LCK method. Fix the stale pointer access by replacing
> > > it with acpi_get_handle() to check if _LCK is implemented.
> > >
> > > Signed-off-by: Toshi Kani <[email protected]>
> >
> > Looks good to me.
> > Reviewed-by: Yasuaki Ishimatsu <[email protected]>
>
> Thanks Yasuaki for reviewing!

Applied to linux-pm.git/linux-next as v3.8 material.

Thanks,
Rafael


> > > ---
> > > drivers/acpi/scan.c | 6 +++++-
> > > 1 file changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
> > > index 1fcb867..ed87f43 100644
> > > --- a/drivers/acpi/scan.c
> > > +++ b/drivers/acpi/scan.c
> > > @@ -97,6 +97,7 @@ void acpi_bus_hot_remove_device(void *context)
> > > struct acpi_eject_event *ej_event = (struct acpi_eject_event *) context;
> > > struct acpi_device *device;
> > > acpi_handle handle = ej_event->handle;
> > > + acpi_handle temp;
> > > struct acpi_object_list arg_list;
> > > union acpi_object arg;
> > > acpi_status status = AE_OK;
> > > @@ -117,13 +118,16 @@ void acpi_bus_hot_remove_device(void *context)
> > > goto err_out;
> > > }
> > >
> > > + /* device has been freed */
> > > + device = NULL;
> > > +
> > > /* power off device */
> > > status = acpi_evaluate_object(handle, "_PS3", NULL, NULL);
> > > if (ACPI_FAILURE(status) && status != AE_NOT_FOUND)
> > > printk(KERN_WARNING PREFIX
> > > "Power-off device failed\n");
> > >
> > > - if (device->flags.lockable) {
> > > + if (ACPI_SUCCESS(acpi_get_handle(handle, "_LCK", &temp))) {
> > > arg_list.count = 1;
> > > arg_list.pointer = &arg;
> > > arg.type = ACPI_TYPE_INTEGER;
> > >
> >
> >
>
>
>
--
I speak only for myself.
Rafael J. Wysocki, Intel Open Source Technology Center.

2012-10-24 22:05:00

by Rafael J. Wysocki

Subject: Re: [PATCH 2/2] ACPI: Remove unused lockable in acpi_device_flags

On Wednesday 17 of October 2012 07:56:49 Toshi Kani wrote:
> On Wed, 2012-10-17 at 10:26 +0900, Yasuaki Ishimatsu wrote:
> > 2012/10/16 1:34, Toshi Kani wrote:
> > > Removed lockable in struct acpi_device_flags since it is no
> > > longer used by any code. acpi_bus_hot_remove_device() cannot
> > > use this flag because acpi_bus_trim() frees up its acpi_device
> > > object. Furthermore, the dock driver calls _LCK method without
> > > using this lockable flag.
> > >
> > > Signed-off-by: Toshi Kani <[email protected]>
> >
> > Looks good to me.
> > Reviewed-by: Yasuaki Ishimatsu <[email protected]>
>
> Thanks Yasuaki for reviewing!

Applied to linux-pm.git/acpi-next as v3.8 material.

Thanks,
Rafael


> > > ---
> > > drivers/acpi/scan.c | 5 -----
> > > include/acpi/acpi_bus.h | 3 +--
> > > 2 files changed, 1 insertion(+), 7 deletions(-)
> > >
> > > diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
> > > index ed87f43..19d3d4a 100644
> > > --- a/drivers/acpi/scan.c
> > > +++ b/drivers/acpi/scan.c
> > > @@ -1017,11 +1017,6 @@ static int acpi_bus_get_flags(struct acpi_device *device)
> > > device->flags.ejectable = 1;
> > > }
> > >
> > > - /* Presence of _LCK indicates 'lockable' */
> > > - status = acpi_get_handle(device->handle, "_LCK", &temp);
> > > - if (ACPI_SUCCESS(status))
> > > - device->flags.lockable = 1;
> > > -
> > > /* Power resources cannot be power manageable. */
> > > if (device->device_type == ACPI_BUS_TYPE_POWER)
> > > return 0;
> > > diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
> > > index 0daa0fb..e8b2877 100644
> > > --- a/include/acpi/acpi_bus.h
> > > +++ b/include/acpi/acpi_bus.h
> > > @@ -144,12 +144,11 @@ struct acpi_device_flags {
> > > u32 bus_address:1;
> > > u32 removable:1;
> > > u32 ejectable:1;
> > > - u32 lockable:1;
> > > u32 suprise_removal_ok:1;
> > > u32 power_manageable:1;
> > > u32 performance_manageable:1;
> > > u32 eject_pending:1;
> > > - u32 reserved:23;
> > > + u32 reserved:24;
> > > };
> > >
> > > /* File System */
> > >
> >
> >
>
>
>
--
I speak only for myself.
Rafael J. Wysocki, Intel Open Source Technology Center.

2012-10-25 14:09:30

by Toshi Kani

Subject: Re: [PATCH 2/2] ACPI: Remove unused lockable in acpi_device_flags

On Thu, 2012-10-25 at 00:08 +0200, Rafael J. Wysocki wrote:
> On Wednesday 17 of October 2012 07:56:49 Toshi Kani wrote:
> > On Wed, 2012-10-17 at 10:26 +0900, Yasuaki Ishimatsu wrote:
> > > 2012/10/16 1:34, Toshi Kani wrote:
> > > > Removed lockable in struct acpi_device_flags since it is no
> > > > longer used by any code. acpi_bus_hot_remove_device() cannot
> > > > use this flag because acpi_bus_trim() frees up its acpi_device
> > > > object. Furthermore, the dock driver calls _LCK method without
> > > > using this lockable flag.
> > > >
> > > > Signed-off-by: Toshi Kani <[email protected]>
> > >
> > > Looks good to me.
> > > Reviewed-by: Yasuaki Ishimatsu <[email protected]>
> >
> > Thanks Yasuaki for reviewing!
>
> Applied to linux-pm.git/acpi-next as v3.8 material.

Cool! Thanks Rafael!
-Toshi


> Thanks,
> Rafael