2023-01-06 23:59:15

by Daniil Tatianin

Subject: [PATCH v0] ACPICA: nsrepair: handle cases without a return value correctly

Previously acpi_ns_simple_repair() would crash if expected_btypes
contained any combination of ACPI_RTYPE_NONE with a different type,
e.g. | ACPI_RTYPE_INTEGER because of slightly incorrect logic in the
!return_object branch, which wouldn't return AE_AML_NO_RETURN_VALUE
for such cases.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Link: https://github.com/acpica/acpica/pull/811
Fixes: 61db45ca2163 ("ACPICA: Restore code that repairs NULL package elements in return values.")
Signed-off-by: Daniil Tatianin <[email protected]>
---
drivers/acpi/acpica/nsrepair.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/acpi/acpica/nsrepair.c b/drivers/acpi/acpica/nsrepair.c
index 367fcd201f96..ec512e06a48e 100644
--- a/drivers/acpi/acpica/nsrepair.c
+++ b/drivers/acpi/acpica/nsrepair.c
@@ -181,8 +181,9 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info,
* Try to fix if there was no return object. Warning if failed to fix.
*/
if (!return_object) {
- if (expected_btypes && (!(expected_btypes & ACPI_RTYPE_NONE))) {
- if (package_index != ACPI_NOT_PACKAGE_ELEMENT) {
+ if (expected_btypes) {
+ if (!(expected_btypes & ACPI_RTYPE_NONE) &&
+ package_index != ACPI_NOT_PACKAGE_ELEMENT) {
ACPI_WARN_PREDEFINED((AE_INFO,
info->full_pathname,
ACPI_WARN_ALWAYS,
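
Review bot: the block comment kept at the top of this hunk ("Try to fix if there was no return object. Warning if failed to fix.") no longer describes the branch. With the outer test reduced to `if (expected_btypes)` and the ACPI_RTYPE_NONE bit test moved into the inner condition, masks that include ACPI_RTYPE_NONE now enter the block and only skip the NULL-element repair. Please extend the comment to say which masks are repaired, which are rejected, and which may legitimately have no return object.
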
@@ -196,14 +197,15 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info,
if (ACPI_SUCCESS(status)) {
return (AE_OK); /* Repair was successful */
}
- } else {
+ }
+
+ if (expected_btypes != ACPI_RTYPE_NONE) {
ACPI_WARN_PREDEFINED((AE_INFO,
info->full_pathname,
ACPI_WARN_ALWAYS,
"Missing expected return value"));
+ return (AE_AML_NO_RETURN_VALUE);
}
-
- return (AE_AML_NO_RETURN_VALUE);
}
}
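
Review bot: replacing `} else {` with a separate `if (expected_btypes != ACPI_RTYPE_NONE)` means a package element whose repair fails now falls through and also logs "Missing expected return value", on top of the warning issued before the repair attempt, where the old code logged only one of the two. If the second message is not wanted for that case, return AE_AML_NO_RETURN_VALUE directly after the failed `ACPI_SUCCESS(status)` check, or gate the second warning on `package_index == ACPI_NOT_PACKAGE_ELEMENT`.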

--
2.25.1


2023-01-11 21:07:14

by Rafael J. Wysocki

Subject: Re: [PATCH v0] ACPICA: nsrepair: handle cases without a return value correctly

On Sat, Jan 7, 2023 at 12:54 AM Daniil Tatianin
<[email protected]> wrote:
>
> Previously acpi_ns_simple_repair() would crash if expected_btypes
> contained any combination of ACPI_RTYPE_NONE with a different type,
> e.g. | ACPI_RTYPE_INTEGER because of slightly incorrect logic in the
> !return_object branch, which wouldn't return AE_AML_NO_RETURN_VALUE
> for such cases.
>
> Found by Linux Verification Center (linuxtesting.org) with the SVACE
> static analysis tool.
>
> Link: https://github.com/acpica/acpica/pull/811
> Fixes: 61db45ca2163 ("ACPICA: Restore code that repairs NULL package elements in return values.")
> Signed-off-by: Daniil Tatianin <[email protected]>
> ---
> drivers/acpi/acpica/nsrepair.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/acpi/acpica/nsrepair.c b/drivers/acpi/acpica/nsrepair.c
> index 367fcd201f96..ec512e06a48e 100644
> --- a/drivers/acpi/acpica/nsrepair.c
> +++ b/drivers/acpi/acpica/nsrepair.c
> @@ -181,8 +181,9 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info,
> * Try to fix if there was no return object. Warning if failed to fix.
> */
> if (!return_object) {
> - if (expected_btypes && (!(expected_btypes & ACPI_RTYPE_NONE))) {
> - if (package_index != ACPI_NOT_PACKAGE_ELEMENT) {
> + if (expected_btypes) {
> + if (!(expected_btypes & ACPI_RTYPE_NONE) &&
> + package_index != ACPI_NOT_PACKAGE_ELEMENT) {
> ACPI_WARN_PREDEFINED((AE_INFO,
> info->full_pathname,
> ACPI_WARN_ALWAYS,
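
Review bot: the inner condition `!(expected_btypes & ACPI_RTYPE_NONE) && package_index != ACPI_NOT_PACKAGE_ELEMENT` leaves a NULL package element whose mask has ACPI_RTYPE_NONE set together with another type unrepaired, and it then reaches the later `expected_btypes != ACPI_RTYPE_NONE` check, which reports "Missing expected return value" even though the object is a package element. If that is intended, a one-line comment on the condition would help; otherwise the package-element case should get its own message.
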
> @@ -196,14 +197,15 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info,
> if (ACPI_SUCCESS(status)) {
> return (AE_OK); /* Repair was successful */
> }
> - } else {
> + }
> +
> + if (expected_btypes != ACPI_RTYPE_NONE) {
> ACPI_WARN_PREDEFINED((AE_INFO,
> info->full_pathname,
> ACPI_WARN_ALWAYS,
> "Missing expected return value"));
> + return (AE_AML_NO_RETURN_VALUE);
> }
> -
> - return (AE_AML_NO_RETURN_VALUE);
> }
> }
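
Review bot: when expected_btypes equals ACPI_RTYPE_NONE, neither branch returns, so control leaves the `!return_object` block with return_object still NULL, and the hunk does not show what the rest of acpi_ns_simple_repair() does with it. This check also uses equality where the first hunk uses a bit test on the same flag. Please add a comment that the exact-NONE case falls through on purpose, or return explicitly here, so that every no-return-object path is visible in one place.
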
>
> --

Applied as 6.3 material, thanks!