From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Tuo Li <islituo@gmail.com>,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Sasha Levin <sashal@kernel.org>,
rafael@kernel.org, linux-acpi@vger.kernel.org
Subject: [PATCH AUTOSEL 6.19-5.15] ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()
Date: Wed, 11 Feb 2026 07:30:39 -0500 [thread overview]
Message-ID: <20260211123112.1330287-29-sashal@kernel.org> (raw)
In-Reply-To: <20260211123112.1330287-1-sashal@kernel.org>
From: Tuo Li <islituo@gmail.com>
[ Upstream commit f132e089fe89cadc2098991f0a3cb05c3f824ac6 ]
In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE
device and then reassigned an ISA device:
dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...);
dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...);
If the first lookup succeeds but the second fails, dev becomes NULL. This
leads to a potential null-pointer dereference when dev_dbg() is called:
if (errata.piix4.bmisx)
dev_dbg(&dev->dev, ...);
To prevent this, use two temporary pointers and retrieve each device
independently, avoiding overwriting dev with a possible NULL value.
Signed-off-by: Tuo Li <islituo@gmail.com>
[ rjw: Subject adjustment, added an empty code line ]
Link: https://patch.msgid.link/20260111163214.202262-1-islituo@gmail.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
Now I have a complete picture. Let me write the final analysis.
---
## Detailed Analysis
### 1. Commit Message Analysis
The commit explicitly says "Fix NULL-pointer dereference" - a well-
documented, clearly understood bug. The commit message includes:
- The exact code path that triggers the bug
- The specific variable (`dev`) that becomes NULL
- The mechanism: overwriting a pointer with two sequential PCI lookups
- Accepted and adjusted by the ACPI subsystem maintainer Rafael J.
Wysocki
### 2. Code Change Analysis - The Bug
Looking at the pre-patch code in `acpi_processor_errata_piix4()`:
```49:147:drivers/acpi/acpi_processor.c
static int acpi_processor_errata_piix4(struct pci_dev *dev)
{
u8 value1 = 0;
u8 value2 = 0;
// ...
// Inside switch cases 0-3:
dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,
PCI_DEVICE_ID_INTEL_82371AB,
// IDE controller
PCI_ANY_ID, PCI_ANY_ID, NULL);
if (dev) {
errata.piix4.bmisx = pci_resource_start(dev, 4);
pci_dev_put(dev); // drops ref, dev is now
dangling
}
dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,
PCI_DEVICE_ID_INTEL_82371AB_0,
// ISA controller
PCI_ANY_ID, PCI_ANY_ID, NULL);
// dev may become NULL!
if (dev) {
// ...
pci_dev_put(dev);
}
break;
}
if (errata.piix4.bmisx)
dev_dbg(&dev->dev, "Bus master activity detection...");
// NULL DEREF HERE
if (errata.piix4.fdma)
dev_dbg(&dev->dev, "Type-F DMA livelock erratum...");
// NULL DEREF HERE
```
**The bug**: The function parameter `dev` (the PIIX4 ACPI Controller,
`PCI_DEVICE_ID_INTEL_82371AB_3`) is overwritten by the two
`pci_get_subsys()` calls inside the switch. If the first lookup (IDE,
`82371AB`) succeeds and sets `errata.piix4.bmisx`, but the second lookup
(ISA, `82371AB_0`) fails, `dev` becomes NULL. Then `dev_dbg(&dev->dev,
...)` dereferences NULL, causing a kernel oops.
### 3. Bug Origin
From `git blame`, the NULL dereference was **introduced by commit
52af99c3f55ff0** ("ACPI: processor: Get rid of ACPICA message printing",
2021-02-22, first in v5.13-rc1). Before that commit, the debug messages
used `ACPI_DEBUG_PRINT()` which did not reference `dev`:
```c
// BEFORE 52af99c3f55ff0 - safe, no dev reference:
if (errata.piix4.bmisx)
ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Bus master activity
detection..."));
```
When converted to `dev_dbg(&dev->dev, ...)`, the code now dereferences a
pointer that could be NULL.
### 4. Trigger Conditions
The NULL dereference triggers when:
1. System has a PIIX4 ACPI controller (revision 0-3)
2. The PIIX4 IDE function (`82371AB`) exists on PCI bus
3. The PIIX4 ISA function (`82371AB_0`) does NOT exist on PCI bus
4. With `CONFIG_DYNAMIC_DEBUG` and dynamic debug enabled for this
callsite, OR with `DEBUG` defined at compile time
With `CONFIG_DYNAMIC_DEBUG` (default in most distro kernels), the
dereference is behind a runtime branch that defaults to off. However,
anyone debugging ACPI on a PIIX4 system (e.g., `echo 'file
acpi_processor.c +p' > /sys/kernel/debug/dynamic_debug/control`) would
trigger a kernel crash.
### 5. The Fix
The fix is clean and minimal: introduce two separate local pointers
(`ide_dev` and `isa_dev`) instead of overwriting the function parameter
`dev`. Each PCI device is looked up independently, and the final debug
messages check the appropriate device pointer.
The diff is +2/-1 new lines (one variable declaration), and changes
existing lines only to rename `dev` → `ide_dev`/`isa_dev`. The logic
also changes the condition from `if (errata.piix4.bmisx)` to `if
(ide_dev)`, which is semantically equivalent (bmisx is only set when
ide_dev was found).
### 6. Scope and Risk Assessment
- **Files changed**: 1 (`drivers/acpi/acpi_processor.c`)
- **Lines changed**: ~30, mostly variable name renames
- **Risk**: Very low - purely local changes within one function, no
changes to function signatures or external interfaces
- **Call chain**: Only called via `acpi_processor_errata()` →
`acpi_processor_get_info()` → `acpi_processor_add()`
### 7. Stable Tree Applicability
The bug was introduced in v5.13-rc1 via commit 52af99c3f55ff0. All
current stable/LTS trees (5.15.y, 6.1.y, 6.6.y, 6.12.y) contain this
buggy code. The fix should apply cleanly to all of them since the
surrounding code has been stable since 2013.
### 8. Summary
This is a textbook NULL-pointer dereference fix:
- **Obviously correct**: The fix separates two PCI device lookups into
independent variables
- **Fixes a real bug**: NULL dereference that can crash the kernel
- **Small and contained**: Changes are local to one function, ~30 lines
of mostly renames
- **No new features**: No API changes, no behavioral changes
- **Accepted by maintainer**: Rafael J. Wysocki reviewed and merged it
- **Applies to stable trees**: The bug exists in 5.15+, patch should
apply cleanly
**YES**
drivers/acpi/acpi_processor.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
index 7ec1dc04fd11b..85096ce7b658b 100644
--- a/drivers/acpi/acpi_processor.c
+++ b/drivers/acpi/acpi_processor.c
@@ -50,6 +50,7 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
{
u8 value1 = 0;
u8 value2 = 0;
+ struct pci_dev *ide_dev = NULL, *isa_dev = NULL;
if (!dev)
@@ -107,12 +108,12 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
* each IDE controller's DMA status to make sure we catch all
* DMA activity.
*/
- dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,
+ ide_dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,
PCI_DEVICE_ID_INTEL_82371AB,
PCI_ANY_ID, PCI_ANY_ID, NULL);
- if (dev) {
- errata.piix4.bmisx = pci_resource_start(dev, 4);
- pci_dev_put(dev);
+ if (ide_dev) {
+ errata.piix4.bmisx = pci_resource_start(ide_dev, 4);
+ pci_dev_put(ide_dev);
}
/*
@@ -124,24 +125,25 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
* disable C3 support if this is enabled, as some legacy
* devices won't operate well if fast DMA is disabled.
*/
- dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,
+ isa_dev = pci_get_subsys(PCI_VENDOR_ID_INTEL,
PCI_DEVICE_ID_INTEL_82371AB_0,
PCI_ANY_ID, PCI_ANY_ID, NULL);
- if (dev) {
- pci_read_config_byte(dev, 0x76, &value1);
- pci_read_config_byte(dev, 0x77, &value2);
+ if (isa_dev) {
+ pci_read_config_byte(isa_dev, 0x76, &value1);
+ pci_read_config_byte(isa_dev, 0x77, &value2);
if ((value1 & 0x80) || (value2 & 0x80))
errata.piix4.fdma = 1;
- pci_dev_put(dev);
+ pci_dev_put(isa_dev);
}
break;
}
- if (errata.piix4.bmisx)
- dev_dbg(&dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");
- if (errata.piix4.fdma)
- dev_dbg(&dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");
+ if (ide_dev)
+ dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");
+
+ if (isa_dev)
+ dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");
return 0;
}
--
2.51.0
next prev parent reply other threads:[~2026-02-11 12:32 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 12:30 [PATCH AUTOSEL 6.19-5.10] s390/perf: Disable register readout on sampling events Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] arm64: Add support for TSV110 Spectre-BHB mitigation Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] xenbus: Use .freeze/.thaw to handle xenbus devices Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] s390/purgatory: Add -Wno-default-const-init-unsafe to KBUILD_CFLAGS Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.18] s390/boot: " Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.1] perf/arm-cmn: Support CMN-600AE Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.18] ntfs: ->d_compare() must not block Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.12] ACPI: x86: s2idle: Invoke Microsoft _DSM Function 9 (Turn On Display) Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.12] block: decouple secure erase size limit from discard size limit Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] sparc: don't reference obsolete termio struct for TC* constants Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] EFI/CPER: don't go past the ARM processor CPER record buffer Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19] ACPI: scan: Use async schedule function in acpi_scan_clear_dep_fn() Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.6] cpufreq: dt-platdev: Block the driver from probing on more QC platforms Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] EFI/CPER: don't dump the entire memory region Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.12] ACPI: battery: fix incorrect charging status when current is zero Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.18] rust: cpufreq: always inline functions using build_assert with arguments Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.18] blk-mq-sched: unify elevators checking for async requests Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] x86/xen/pvh: Enable PAE mode for 32-bit guest only when CONFIG_X86_PAE is set Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.12] APEI/GHES: ARM processor Error: don't go past allocated memory Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.18] md raid: fix hang when stopping arrays with metadata through dm-raid Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] tools/power cpupower: Reset errno before strtoull() Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] sparc: Synchronize user stack on fork and clone Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] blk-mq-debugfs: add missing debugfs_mutex in blk_mq_debugfs_register_hctxs() Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] rnbd-srv: Zero the rsp buffer before using it Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.12] alpha: fix user-space corruption during memory compaction Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19] arm64: mte: Set TCMA1 whenever MTE is present in the kernel Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.18] tools/cpupower: Fix inverted APERF capability check Sasha Levin
2026-02-11 12:30 ` Sasha Levin [this message]
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.12] ACPI: resource: Add JWIPC JVC9100 to irq1_level_low_skip_override[] Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.6] perf/cxlpmu: Replace IRQF_ONESHOT with IRQF_NO_THREAD Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.6] md-cluster: fix NULL pointer dereference in process_metadata_update Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-5.10] APEI/GHES: ensure that won't go past CPER allocated record Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.12] powercap: intel_rapl: Add PL4 support for Ice Lake Sasha Levin
2026-02-11 12:30 ` [PATCH AUTOSEL 6.19-6.18] io_uring/timeout: annotate data race in io_flush_timeouts() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260211123112.1330287-29-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=islituo@gmail.com \
--cc=linux-acpi@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=rafael.j.wysocki@intel.com \
--cc=rafael@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox