From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Lenny Szubowicz <lszubowi@redhat.com>,
Bob Moore <robert.moore@intel.com>,
Sasha Levin <sashal@kernel.org>,
linux-acpi@vger.kernel.org, devel@acpica.org
Subject: [PATCH AUTOSEL 5.10 092/116] ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
Date: Mon, 17 Jan 2022 21:39:43 -0500
Message-ID: <20220118024007.1950576-92-sashal@kernel.org>
In-Reply-To: <20220118024007.1950576-1-sashal@kernel.org>

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

[ Upstream commit 24ea5f90ec9548044a6209685c5010edd66ffe8f ]

ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e

If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class,
acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to
obtain return_desc which may require additional resolution with
the help of acpi_ex_read_data_from_field (). If the latter fails,
the reference counter of the original return_desc is decremented
which is incorrect, because acpi_ns_get_attached_object () does not
increment the reference counter of the object returned by it.

This issue may lead to premature deletion of the attached object
while it is still attached and a use-after-free and crash in the
host OS. For example, this may happen when on evaluation of ref_of()
a local region field where there is no registered handler for the
given Operation Region.

Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away
after an acpi_ex_read_data_from_field () failure.

Link: https://github.com/acpica/acpica/commit/d984f120
Link: https://github.com/acpica/acpica/pull/685
Reported-by: Lenny Szubowicz <lszubowi@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/exoparg1.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c
index a46d685a3ffcf..9d67dfd93d5b6 100644
--- a/drivers/acpi/acpica/exoparg1.c
+++ b/drivers/acpi/acpica/exoparg1.c
@@ -1007,7 +1007,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state)
(walk_state, return_desc,
&temp_desc);
if (ACPI_FAILURE(status)) {
- goto cleanup;
+ return_ACPI_STATUS
+ (status);
}
return_desc = temp_desc;
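
Review bot: The early return in the ACPI_FAILURE(status) branch, right after the acpi_ex_read_data_from_field() call, carries no comment saying why the cleanup label is deliberately skipped. The reason exists only in the commit message (return_desc comes from acpi_ns_get_attached_object(), which does not increment the reference counter), so a later tidy-up could easily restore `goto cleanup;` and bring the premature deletion back. Suggest a one-line comment above the return stating that return_desc is not owned at this point and must not be released. As a style point, the call is split as `return_ACPI_STATUS` and `(status);` over two lines although it fits on one.
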
--
2.34.1
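
The reference-counting mistake described in the commit message, as an added toy model that is not code from the patch or from ACPICA: every name below is hypothetical, a `freed` flag stands in for the real deallocation, and the failing `read_field()` plays the role of a field read with no registered region handler.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed toy model; every name here is hypothetical, not ACPICA's. */
struct obj  { int refcount; bool freed; };  /* 'freed' stands in for a real free */
struct node { struct obj *attached; };      /* the node owns the one reference */

/* Borrowing getter: hands out the pointer without taking a reference. */
static struct obj *get_attached(struct node *n) { return n->attached; }

/* Drop one reference; the object is released when the count reaches zero. */
static void put(struct obj *o) { if (o && --o->refcount == 0) o->freed = true; }

/* Resolution step that always fails in this model. */
static int read_field(struct obj *src, struct obj **out)
{
    (void)src; *out = NULL;
    return -1;
}

/* Before: the error path drops a reference this function never took. */
static int refof_before(struct node *n)
{
    struct obj *ret = get_attached(n), *tmp;
    int status = read_field(ret, &tmp);
    if (status != 0)
        put(ret);   /* models the shared cleanup path on failure */
    return status;
}

/* After: nothing is owned at this point, so the status is returned directly. */
static int refof_after(struct node *n)
{
    struct obj *tmp;
    return read_field(get_attached(n), &tmp);
}

/* True if the attached object is still alive after one failed evaluation. */
static bool survives(int (*eval)(struct node *))
{
    struct obj o = { 1, false };
    struct node n = { &o };
    (void)eval(&n);
    return !o.freed && o.refcount == 1;
}

int main(void)
{
    return (!survives(refof_before) && survives(refof_after)) ? 0 : 1;
}
```

In the "before" variant the node still points at an object whose count has reached zero, which is the still-attached, already-deleted state the commit message warns about.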