From 9b5c7a5a977a330ffaf83c4d383ba247c74c800f Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" Date: Thu, 27 Jun 2013 14:01:02 +0200 Subject: [PATCH] ACPI / PM: Fix possible NULL pointer deref in acpi_pm_device_sleep_state() After commit fa1675b (ACPI / PM: Rework and clean up acpi_dev_pm_get_state()) a NULL pointer dereference will take place if NULL is passed to acpi_pm_device_sleep_state() as the second argument. Fix that by avoiding to use the pointer that may be NULL until it's necessary to store a return value at the location pointed to by it (if not NULL). Reported-and-tested-by: Aaron Lu Signed-off-by: Rafael J. Wysocki --- drivers/acpi/device_pm.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c index fd363b57a596..4c56dc830ebc 100644 --- a/drivers/acpi/device_pm.c +++ b/drivers/acpi/device_pm.c @@ -521,7 +521,7 @@ int acpi_pm_device_sleep_state(struct device *dev, int *d_min_p, int d_max_in) { acpi_handle handle = DEVICE_ACPI_HANDLE(dev); struct acpi_device *adev; - int ret, d_max; + int ret, d_min, d_max; if (d_max_in < ACPI_STATE_D0 || d_max_in > ACPI_STATE_D3_COLD) return -EINVAL; @@ -540,19 +540,23 @@ int acpi_pm_device_sleep_state(struct device *dev, int *d_min_p, int d_max_in) } ret = acpi_dev_pm_get_state(dev, adev, acpi_target_system_state(), - d_min_p, &d_max); + &d_min, &d_max); if (ret) return ret; - if (d_max_in < *d_min_p) + if (d_max_in < d_min) return -EINVAL; if (d_max > d_max_in) { - for (d_max = d_max_in; d_max > *d_min_p; d_max--) { + for (d_max = d_max_in; d_max > d_min; d_max--) { if (adev->power.states[d_max].flags.valid) break; } } + + if (d_min_p) + *d_min_p = d_min; + return d_max; } EXPORT_SYMBOL(acpi_pm_device_sleep_state); -- GitLab