[thirdparty/kernel/stable-queue.git] / queue-6.1 / acpica-debugger-check-status-of-acpi_evaluate_object.patch

From baf889f8b6349ef8268478fa63ebea1a2d41410a Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Fri, 22 Mar 2024 21:07:53 +0300
Subject: ACPICA: debugger: check status of acpi_evaluate_object() in
 acpi_db_walk_for_fields()

From: Nikita Kiryushin <kiryushin@ancud.ru>

[ Upstream commit 40e2710860e57411ab57a1529c5a2748abbe8a19 ]

ACPICA commit 9061cd9aa131205657c811a52a9f8325a040c6c9

Errors in acpi_evaluate_object() can lead to incorrect state of buffer.

This can lead to access to data in previously ACPI_FREEd buffer and
secondary ACPI_FREE to the same buffer later.

Handle errors in acpi_evaluate_object the same way it is done earlier
with acpi_ns_handle_to_pathname.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Link: https://github.com/acpica/acpica/commit/9061cd9a
Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields of particular subtype")
Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/acpica/dbnames.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c
index b91155ea9c343..c9131259f717b 100644
--- a/drivers/acpi/acpica/dbnames.c
+++ b/drivers/acpi/acpica/dbnames.c
@@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle,
 	ACPI_FREE(buffer.pointer);
 
 	buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER;
-	acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);
-
+	status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);
+	if (ACPI_FAILURE(status)) {
+		acpi_os_printf("Could Not evaluate object %p\n",
+			       obj_handle);
+		return (AE_OK);
+	}
 	/*
 	 * Since this is a field unit, surround the output in braces
 	 */
-- 
2.43.0
Commit	Line	Data
fe504f71 SL	1	From baf889f8b6349ef8268478fa63ebea1a2d41410a Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <sashal@kernel.org>
	3	Date: Fri, 22 Mar 2024 21:07:53 +0300
	4	Subject: ACPICA: debugger: check status of acpi_evaluate_object() in
	5	acpi_db_walk_for_fields()
	6
	7	From: Nikita Kiryushin <kiryushin@ancud.ru>
	8
	9	[ Upstream commit 40e2710860e57411ab57a1529c5a2748abbe8a19 ]
	10
	11	ACPICA commit 9061cd9aa131205657c811a52a9f8325a040c6c9
	12
	13	Errors in acpi_evaluate_object() can lead to incorrect state of buffer.
	14
	15	This can lead to access to data in previously ACPI_FREEd buffer and
	16	secondary ACPI_FREE to the same buffer later.
	17
	18	Handle errors in acpi_evaluate_object the same way it is done earlier
	19	with acpi_ns_handle_to_pathname.
	20
	21	Found by Linux Verification Center (linuxtesting.org) with SVACE.
	22
	23	Link: https://github.com/acpica/acpica/commit/9061cd9a
	24	Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields of particular subtype")
	25	Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
	26	Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
	27	Signed-off-by: Sasha Levin <sashal@kernel.org>
	28	---
	29	drivers/acpi/acpica/dbnames.c \| 8 ++++++--
	30	1 file changed, 6 insertions(+), 2 deletions(-)
	31
	32	diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c
	33	index b91155ea9c343..c9131259f717b 100644
	34	--- a/drivers/acpi/acpica/dbnames.c
	35	+++ b/drivers/acpi/acpica/dbnames.c
	36	@@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle,
	37	ACPI_FREE(buffer.pointer);
	38
	39	buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER;
	40	- acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);
	41	-
	42	+ status = acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);
	43	+ if (ACPI_FAILURE(status)) {
	44	+ acpi_os_printf("Could Not evaluate object %p\n",
	45	+ obj_handle);
	46	+ return (AE_OK);
	47	+ }
	48	/*
	49	* Since this is a field unit, surround the output in braces
	50	*/
	51	--
	52	2.43.0
	53