From: Pan Bian
To: Bartlomiej Zolnierkiewicz, Jens Axboe
Cc: linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org, Pan Bian
Subject: [PATCH] ata: read ->revision before dropping pci_device reference
Date: Wed, 28 Nov 2018 09:40:43 +0800
Message-Id: <1543369243-64252-1-git-send-email-bianpan2016@163.com>
X-Mailer: git-send-email 2.7.4

pci_device->revision is read after dropping pci_device reference via pci_dev_put, which may result in use-after-free bugs. To fix this, the patch reads ->revision before dropping reference.

Signed-off-by: Pan Bian
--- drivers/ata/pata_sis.c | 4 +++- drivers/ata/pata_sl82c105.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/ata/pata_sis.c b/drivers/ata/pata_sis.c index 626f989..01635bc 100644 --- a/drivers/ata/pata_sis.c +++ b/drivers/ata/pata_sis.c @@ -833,6 +833,7 @@ static int sis_init_one (struct pci_dev *pdev, const struct pci_device_id *ent) u16 trueid; u8 prefctl; u8 idecfg; + u8 sbrev; /* Try the second unmasking technique */ pci_read_config_byte(pdev, 0x4a, &idecfg); @@ -846,9 +847,10 @@ static int sis_init_one (struct pci_dev *pdev, const struct pci_device_id *ent) if (lpc_bridge == NULL) break; pci_read_config_byte(pdev, 0x49, &prefctl); + sbrev = lpc_bridge->revision; pci_dev_put(lpc_bridge); - if (lpc_bridge->revision == 0x10 && (prefctl & 0x80)) { + if (sbrev == 0x10 && (prefctl & 0x80)) { chipset = &sis133_early; break; }
diff --git a/drivers/ata/pata_sl82c105.c b/drivers/ata/pata_sl82c105.c index 4935f61f..476438e 100644 --- a/drivers/ata/pata_sl82c105.c +++ b/drivers/ata/pata_sl82c105.c @@ -264,6 +264,7 @@ static struct ata_port_operations sl82c105_port_ops = { static int sl82c105_bridge_revision(struct pci_dev *pdev) { struct pci_dev *bridge; + u8 rev; /* * The bridge should be part of the same device, but function 0. @@ -285,8 +286,9 @@ static int sl82c105_bridge_revision(struct pci_dev *pdev) /* * We need to find function 0's revision, not function 1 */ + rev = bridge->revision; pci_dev_put(bridge); - return bridge->revision; + return rev; } static void sl82c105_fixup(struct pci_dev *pdev) -- 2.7.4
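Review bot: in the second pata_sis.c hunk (@@ -846), nothing at the new "sbrev = lpc_bridge->revision;" line says that the copy must stay ahead of "pci_dev_put(lpc_bridge);", and lpc_bridge itself remains in scope as a stale pointer after the put. A one-line comment above the assignment (for example, that the revision is cached because the reference is dropped on the next line) would keep a later cleanup from folding the read back into the "if (... == 0x10 && (prefctl & 0x80))" test. The ordering itself is correct: the only dereference of lpc_bridge visible after the put was the one this hunk replaces.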
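Review bot: in the pata_sl82c105.c hunks, the new local is declared "u8 rev;" while sl82c105_bridge_revision() is declared to return int, so "return rev;" relies on implicit widening. That is harmless for a value copied from bridge->revision, but it is worth either a short note or an int local so the type matches the function signature. The same cached value is named sbrev in pata_sis.c and rev here; picking one name for both files would make the two halves of the fix easier to grep for. The read is correctly placed before "pci_dev_put(bridge);" and under the existing "function 0's revision" comment.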