Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / 9b5c7a5a977a330ffaf83c4d383ba247c74c800f^! / .
commit9b5c7a5a977a330ffaf83c4d383ba247c74c800f[log] [tgz]
authorRafael J. Wysocki <rafael.j.wysocki@intel.com>Thu Jun 27 14:01:02 2013 +0200
committerRafael J. Wysocki <rafael.j.wysocki@intel.com>Fri Jun 28 12:55:59 2013 +0200
tree43dbd7adfaf40ad4cab7b0d20c2c9bb4c4c01615
parentfa1675b56537651270e79967b7f1ee4202c83bf6 [diff]
ACPI / PM: Fix possible NULL pointer deref in acpi_pm_device_sleep_state()

After commit fa1675b (ACPI / PM: Rework and clean up
acpi_dev_pm_get_state()) a NULL pointer dereference will take place
if NULL is passed to acpi_pm_device_sleep_state() as the second
argument.

Fix that by avoiding to use the pointer that may be NULL until
it's necessary to store a return value at the location pointed to
by it (if not NULL).

Reported-and-tested-by: Aaron Lu <aaron.lu@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
index fd363b5..4c56dc8 100644
--- a/drivers/acpi/device_pm.c
+++ b/drivers/acpi/device_pm.c

@@ -521,7 +521,7 @@
 {
 	acpi_handle handle = DEVICE_ACPI_HANDLE(dev);
 	struct acpi_device *adev;
-	int ret, d_max;
+	int ret, d_min, d_max;
 
 	if (d_max_in < ACPI_STATE_D0 || d_max_in > ACPI_STATE_D3_COLD)
 		return -EINVAL;
@@ -540,19 +540,23 @@
 	}
 
 	ret = acpi_dev_pm_get_state(dev, adev, acpi_target_system_state(),
-				    d_min_p, &d_max);
+				    &d_min, &d_max);
 	if (ret)
 		return ret;
 
-	if (d_max_in < *d_min_p)
+	if (d_max_in < d_min)
 		return -EINVAL;
 
 	if (d_max > d_max_in) {
-		for (d_max = d_max_in; d_max > *d_min_p; d_max--) {
+		for (d_max = d_max_in; d_max > d_min; d_max--) {
 			if (adev->power.states[d_max].flags.valid)
 				break;
 		}
 	}
+
+	if (d_min_p)
+		*d_min_p = d_min;
+
 	return d_max;
 }
 EXPORT_SYMBOL(acpi_pm_device_sleep_state);