diff options
| author | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2023-12-07 19:28:10 +0100 |
|---|---|---|
| committer | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2023-12-07 21:38:21 +0100 |
| commit | 8f0b960a42badda7a2781e8a33564624200debc9 (patch) | |
| tree | e058eed4f783654aad516b4f62b0262adbc76b85 | |
| parent | 33cc938e65a98f1d29d0a18403dbbee050dcad9a (diff) | |
| download | staging-8f0b960a42badda7a2781e8a33564624200debc9.tar.gz | |
ACPI: utils: Fix error path in acpi_evaluate_reference()
If a pointer to an uninitialized struct acpi_handle_list is passed to
acpi_evaluate_reference() and it decides to bail out early, either
because acpi_evaluate_object() fails, or because it produces invalid
data, the handles pointer from the struct acpi_handle_list will be
passed to kfree() and if it is not NULL, the kernel will crash on an
attempt to free unallocated memory.
Address this by moving the "end" label in acpi_evaluate_reference() to
the end of the function, which is sufficient, because no cleanup is
needed in that case.
Fixes: 2e57d10a6591 ("ACPI: utils: Dynamically determine acpi_handle_list size")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Tested-by: Woody Suwalski <terraluna977@gmail.com>
| -rw-r--r-- | drivers/acpi/utils.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/acpi/utils.c b/drivers/acpi/utils.c index 28c75242fca9c..62944e35fcee2 100644 --- a/drivers/acpi/utils.c +++ b/drivers/acpi/utils.c @@ -399,13 +399,13 @@ acpi_evaluate_reference(acpi_handle handle, acpi_handle_debug(list->handles[i], "Found in reference list\n"); } -end: if (ACPI_FAILURE(status)) { list->count = 0; kfree(list->handles); list->handles = NULL; } +end: kfree(buffer.pointer); return status; |