From nobody Wed Dec 31 00:39:19 2025
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3926FC4332F
	for <linux-kernel@archiver.kernel.org>; Mon, 13 Nov 2023 13:15:28 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230103AbjKMNP2 (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Mon, 13 Nov 2023 08:15:28 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58840 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229791AbjKMNP0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 13 Nov 2023 08:15:26 -0500
Received: from relay161.nicmail.ru (relay161.nicmail.ru [91.189.117.5])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 86755D6C;
        Mon, 13 Nov 2023 05:15:17 -0800 (PST)
Received: from [10.28.138.149] (port=17042 helo=[192.168.95.111])
        by relay.hosting.mail.nic.ru with esmtp (Exim 5.55)
        (envelope-from <kiryushin@ancud.ru>)
        id 1r2WmW-0000gj-5s; Mon, 13 Nov 2023 16:15:13 +0300
Received: from [87.245.155.195] (account kiryushin@ancud.ru HELO
 [192.168.95.111])
        by incarp1102.mail.hosting.nic.ru (Exim 5.55)
        with id 1r2WmW-00A2aA-2O;
        Mon, 13 Nov 2023 16:15:12 +0300
Message-ID: <b8c5f018-4883-4c14-84ab-0514edac2770@ancud.ru>
Date: Mon, 13 Nov 2023 16:15:11 +0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Nikita Kiryushin <kiryushin@ancud.ru>
Subject: [PATCH] ACPICA: debugger: check status of acpi_evaluate_object in
 acpi_db_walk_for_fields
To: Robert Moore <robert.moore@intel.com>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
        Len Brown <lenb@kernel.org>,
        Erik Kaneda <erik.kaneda@intel.com>,
        linux-acpi@vger.kernel.org, acpica-devel@lists.linux.dev,
        linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-MS-Exchange-Organization-SCL: -1
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"; format="flowed"

Errors in acpi_evaluate_object can lead to incorrect state of buffer.
This can lead to access to data in previously ACPI_FREEd buffer and
secondary ACPI_FREE to the same buffer later.

Handle errors in acpi_evaluate_object the same way it is done earlier
with acpi_ns_handle_to_pathname.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5fd033288a86 ("ACPICA: debugger: add command to dump all fields=20
of particular subtype")
Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
---
  drivers/acpi/acpica/dbnames.c | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c
index b91155ea9c34..c9131259f717 100644
--- a/drivers/acpi/acpica/dbnames.c
+++ b/drivers/acpi/acpica/dbnames.c
@@ -550,8 +550,12 @@ acpi_db_walk_for_fields(acpi_handle obj_handle,
  	ACPI_FREE(buffer.pointer);
   	buffer.length =3D ACPI_ALLOCATE_LOCAL_BUFFER;
-	acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);
-
+	status =3D acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);
+	if (ACPI_FAILURE(status)) {
+		acpi_os_printf("Could Not evaluate object %p\n",
+			       obj_handle);
+		return (AE_OK);
+	}
  	/*
  	 * Since this is a field unit, surround the output in braces
  	 */
--=20
2.34.1