From patchwork Fri Mar 1 07:51:22 2024
X-Patchwork-Submitter: Ivan Hu
X-Patchwork-Id: 1906565
From: Ivan Hu
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH v5 2/2] ACPI: utils: Fix error path in acpi_evaluate_reference()
Date: Fri, 1 Mar 2024 15:51:22 +0800
Message-Id: <20240301075122.7242-3-ivan.hu@canonical.com>
In-Reply-To: <20240301075122.7242-1-ivan.hu@canonical.com>
References: <20240301075122.7242-1-ivan.hu@canonical.com>

From: "Rafael J. Wysocki"

BugLink: https://bugs.launchpad.net/bugs/2049733

If a pointer to an uninitialized struct acpi_handle_list is passed to acpi_evaluate_reference() and it decides to bail out early, either because acpi_evaluate_object() fails, or because it produces invalid data, the handles pointer from the struct acpi_handle_list will be passed to kfree() and if it is not NULL, the kernel will crash on an attempt to free unallocated memory.

Address this by moving the "end" label in acpi_evaluate_reference() to the end of the function, which is sufficient, because no cleanup is needed in that case.

Fixes: 2e57d10a6591 ("ACPI: utils: Dynamically determine acpi_handle_list size")
Signed-off-by: Rafael J. Wysocki
Tested-by: Woody Suwalski
(backported from commit 8f0b960a42badda7a2781e8a33564624200debc9)
[Ivan Hu: change spaces]
Signed-off-by: Ivan Hu
--- drivers/acpi/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/utils.c b/drivers/acpi/utils.c index c6f83c21bb2a..7c8af9c14981 100644 --- a/drivers/acpi/utils.c +++ b/drivers/acpi/utils.c 
@@ -400,13 +400,13 @@ acpi_evaluate_reference(acpi_handle handle, acpi_handle_debug(list->handles[i], "Found in reference list\n"); } - end: if (ACPI_FAILURE(status)) { list->count = 0; kfree(list->handles); list->handles = NULL; } +end: kfree(buffer.pointer); return status;
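
Review bot: With `end:` now placed after the `if (ACPI_FAILURE(status))` block, every early `goto end` returns with list->count and list->handles exactly as the caller passed them in, so the out-parameter stays undefined on those paths. That avoids the kfree() of an uninitialized pointer described in the commit message, but a caller that frees or walks the list after a failed call would still be operating on garbage. Consider assigning `list->count = 0;` and `list->handles = NULL;` (plain assignments, no kfree()) before the first bail-out, or stating in the function's comment that the list is valid only on success, so the contract is explicit for callers.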