ACPI: utils: Fix error path in acpi_evaluate_reference()

rafaeljw · rafaeljw · commit 8f0b960a42ba · 2023-12-07T21:38:21.000+01:00
If a pointer to an uninitialized struct acpi_handle_list is passed to acpi_evaluate_reference() and it decides to bail out early, either because acpi_evaluate_object() fails, or because it produces invalid data, the handles pointer from the struct acpi_handle_list will be passed to kfree() and if it is not NULL, the kernel will crash on an attempt to free unallocated memory. Address this by moving the "end" label in acpi_evaluate_reference() to the end of the function, which is sufficient, because no cleanup is needed in that case. Fixes: 2e57d10 ("ACPI: utils: Dynamically determine acpi_handle_list size") Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Tested-by: Woody Suwalski <terraluna977@gmail.com>
diff --git a/drivers/acpi/utils.c b/drivers/acpi/utils.c
@@ -399,13 +399,13 @@ acpi_evaluate_reference(acpi_handle handle,
 		acpi_handle_debug(list->handles[i], "Found in reference list\n");
 	}
 
-end:
 	if (ACPI_FAILURE(status)) {
 		list->count = 0;
 		kfree(list->handles);
 		list->handles = NULL;
 	}
 
+end:
 	kfree(buffer.pointer);
 
 	return status;

Original file line number	Diff line number	Diff line change
`@@ -399,13 +399,13 @@ acpi_evaluate_reference(acpi_handle handle,`
`399`	`399`	`acpi_handle_debug(list->handles[i], "Found in reference list\n");`
`400`	`400`	`}`
`401`	`401`
`402`		`-end:`
`403`	`402`	`if (ACPI_FAILURE(status)) {`
`404`	`403`	`list->count = 0;`
`405`	`404`	`kfree(list->handles);`
`406`	`405`	`list->handles = NULL;`
`407`	`406`	`}`
`408`	`407`
	`408`	`+end:`
`409`	`409`	`kfree(buffer.pointer);`
`410`	`410`
`411`	`411`	`return status;`