From: "Rafael J. Wysocki"
To: Linux ACPI
Cc: LKML, Hans de Goede, Andy Shevchenko, Mika Westerberg, Vicki Pfau
Subject: [PATCH v1] ACPI: utils: Fix error path in acpi_evaluate_reference()
Date: Thu, 07 Dec 2023 19:28:10 +0100
Message-ID: <12343148.O9o76ZdvQC@kreacher>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Rafael J. Wysocki

If a pointer to an uninitialized struct acpi_handle_list is passed to acpi_evaluate_reference() and it decides to bail out early, either because acpi_evaluate_object() fails, or because it produces invalid data, the handles pointer from the struct acpi_handle_list will be passed to kfree() and if it is not NULL, the kernel will crash.

Address this by moving the "end" label in acpi_evaluate_reference() to the end of the function, which is sufficient, because no cleanup is needed in that case.

Fixes: 2e57d10a6591 ("ACPI: utils: Dynamically determine acpi_handle_list size")
Signed-off-by: Rafael J. Wysocki
--- drivers/acpi/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: linux-pm/drivers/acpi/utils.c =================================================================== --- linux-pm.orig/drivers/acpi/utils.c +++ linux-pm/drivers/acpi/utils.c @@ -399,13 +399,13 @@ acpi_evaluate_reference(acpi_handle hand acpi_handle_debug(list->handles[i], "Found in reference list\n"); } -end: if (ACPI_FAILURE(status)) { list->count = 0; kfree(list->handles); list->handles = NULL; } +end: kfree(buffer.pointer); return status;
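
Review bot: Early `goto end` paths now return with `list->count` and `list->handles` untouched, because `end:` sits below the `if (ACPI_FAILURE(status))` block that used to reset them. In the case the commit message describes, the caller's struct acpi_handle_list therefore still holds uninitialized values after a failed call, and a caller that ignores the return status or frees `list->handles` unconditionally would act on them. Consider setting `list->count = 0;` and `list->handles = NULL;` at function entry so every failure path leaves the list in the same empty state, or state in the function's comment that the list is valid only on success. It is also worth confirming that no remaining `goto end` sits after the point where `list->handles` is allocated, since such a path would now skip `kfree(list->handles);` and leak the allocation.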