Commit 8f0b960a authored by Rafael J. Wysocki's avatar Rafael J. Wysocki

ACPI: utils: Fix error path in acpi_evaluate_reference()

If a pointer to an uninitialized struct acpi_handle_list is passed to
acpi_evaluate_reference() and it decides to bail out early, either
because acpi_evaluate_object() fails, or because it produces invalid
data, the handles pointer from the struct acpi_handle_list will be
passed to kfree() and if it is not NULL, the kernel will crash on an
attempt to free unallocated memory.

Address this by moving the "end" label in acpi_evaluate_reference() to
the end of the function, which is sufficient, because no cleanup is
needed in that case.

Fixes: 2e57d10a ("ACPI: utils: Dynamically determine acpi_handle_list size")
Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
Tested-by: default avatarWoody Suwalski <terraluna977@gmail.com>
parent 33cc938e
...@@ -399,13 +399,13 @@ acpi_evaluate_reference(acpi_handle handle, ...@@ -399,13 +399,13 @@ acpi_evaluate_reference(acpi_handle handle,
acpi_handle_debug(list->handles[i], "Found in reference list\n"); acpi_handle_debug(list->handles[i], "Found in reference list\n");
} }
end:
if (ACPI_FAILURE(status)) { if (ACPI_FAILURE(status)) {
list->count = 0; list->count = 0;
kfree(list->handles); kfree(list->handles);
list->handles = NULL; list->handles = NULL;
} }
end:
kfree(buffer.pointer); kfree(buffer.pointer);
return status; return status;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment