From: Weiming Shi <bestswngs@gmail.com>
To: "Rafael J . Wysocki" <rafael@kernel.org>,
Robert Moore <robert.moore@intel.com>
Cc: Len Brown <lenb@kernel.org>,
linux-acpi@vger.kernel.org, acpica-devel@lists.linux.dev,
Xiang Mei <xmei5@asu.edu>, Weiming Shi <bestswngs@gmail.com>
Subject: [PATCH] ACPICA: fix NULL pointer dereference in acpi_ns_custom_package()
Date: Sun, 22 Mar 2026 23:35:31 +0800
Message-ID: <20260322153529.3325784-3-bestswngs@gmail.com>

acpi_ns_custom_package() unconditionally dereferences the first element
of the package to read the _BIX version number, without checking for
NULL:

    if ((*elements)->common.type != ACPI_TYPE_INTEGER)

When firmware returns a _BIX package whose first element is an
unresolvable reference, ACPICA evaluates that entry to NULL.
acpi_ns_remove_null_elements() does not strip NULL entries for
ACPI_PTYPE_CUSTOM packages (fixed-position format would break if
elements were shifted), so acpi_ns_custom_package() sees the NULL
and panics.

  general protection fault, probably for non-canonical address
  0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range
  [0x0000000000000008-0x000000000000000f]
  RIP: acpi_ns_check_package
  (drivers/acpi/acpica/nsprepkg.c:634
  drivers/acpi/acpica/nsprepkg.c:110)
  Call Trace:
   <TASK>
   acpi_ns_check_return_value (nspredef.c:136)
   acpi_ns_evaluate (nseval.c:266)
   acpi_evaluate_object (nsxfeval.c:360)
   acpi_battery_get_info (battery.c:537)
   acpi_battery_update (battery.c:1007)
   acpi_battery_add (battery.c:1237)
   acpi_device_probe (bus.c:1076)
   really_probe (dd.c:659)
   </TASK>

Add a NULL check for the first element (version field) before
dereferencing it. The battery probe then fails gracefully with
AE_AML_OPERAND_TYPE instead of crashing the kernel.

Required CONFIG: CONFIG_ACPI_BATTERY=y

Fixes: 7952d40240855932 ("ACPICA: ACPI 6.0: Update _BIX support for new package element")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
drivers/acpi/acpica/nsprepkg.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/acpi/acpica/nsprepkg.c b/drivers/acpi/acpica/nsprepkg.c
index ca137ce5674f..c32770570120 100644
--- a/drivers/acpi/acpica/nsprepkg.c
+++ b/drivers/acpi/acpica/nsprepkg.c
@@ -631,6 +631,13 @@ acpi_ns_custom_package(struct acpi_evaluate_info *info,
/* Get version number, must be Integer */
+ if (!(*elements)) {
+ ACPI_WARN_PREDEFINED((AE_INFO, info->full_pathname,
+ info->node_flags,
+ "Return Package has a NULL version element"));
+ return_ACPI_STATUS(AE_AML_OPERAND_TYPE);
+ }
+
if ((*elements)->common.type != ACPI_TYPE_INTEGER) {
ACPI_WARN_PREDEFINED((AE_INFO, info->full_pathname,
info->node_flags,
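Review bot: The new `if (!(*elements))` test guards only the version element, while the commit message says acpi_ns_remove_null_elements() leaves NULL entries in place for ACPI_PTYPE_CUSTOM packages at every position, not just the first. The rest of acpi_ns_custom_package() is outside this hunk, so please confirm that the remaining fixed-position elements are checked for NULL before their `common.type` is read, and note that in the commit message if they already are. Minor: the "Get version number, must be Integer" comment now sits above the NULL test rather than the type test; a few words there on why a NULL entry can reach this point (unresolvable reference, not stripped for custom packages) would keep the reasoning next to the check.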
--
2.43.0