Re: ACPI BIOS bug and memory leak?

[Armin Wolf <W_Armin@xxxxxx>]

Am 27.03.24 um 11:48 schrieb Dmitry Antipov:

> Is it possible that this:
>
> [    7.727080] ACPI BIOS Error (bug): Could not resolve symbol
> [\_TZ.ETMD], AE_NOT_FOUND (20230628/psargs-335)
> [    7.728470] ACPI Error: Aborting method \_SB.IETM._OSC due to
> previous error (AE_NOT_FOUND) (20230628/psparse-529)
>
> is somehow related to:
>
> unreferenced object 0xffff944e85013d58 (size 56):
>   comm "thermald", pid 966, jiffies 4294674933
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 0d 01 2d 00 00 00 00 00 ..........-.....
>     94 8c 05 80 51 b8 ff ff 00 00 00 00 00 00 00 00 ....Q...........
>   backtrace (crc 41e9984d):
>     [<000000004b53f9d1>] kmem_cache_alloc+0x256/0x340
>     [<000000008d9ead3a>] acpi_ps_alloc_op+0xbf/0xd0
>     [<000000002f1e617e>] acpi_ps_get_next_arg+0xbb/0x6a0
>     [<00000000b697bac7>] acpi_ps_parse_loop+0x466/0x6b0
>     [<000000008dbc2acb>] acpi_ps_parse_aml+0x80/0x3c0
>     [<00000000b26066ae>] acpi_ps_execute_method+0x13f/0x270
>     [<00000000f80592ab>] acpi_ns_evaluate+0x12b/0x2c0
>     [<00000000bbc91886>] acpi_evaluate_object+0x14e/0x310
>     [<000000005729c43d>] acpi_run_osc+0x158/0x270
>     [<00000000e6666993>] int3400_thermal_run_osc+0x73/0xc0
> [int3400_thermal]
>     [<000000000a474314>] current_uuid_store+0xd5/0x110 [int3400_thermal]
>     [<00000000e27be786>] kernfs_fop_write_iter+0x13e/0x1f0
>     [<00000000992f9e08>] vfs_write+0x293/0x460
>     [<000000008b9e130c>] ksys_write+0x6d/0xf0
>     [<000000007d501d09>] do_syscall_64+0x85/0x170
>     [<0000000073c5a34b>] entry_SYSCALL_64_after_hwframe+0x6c/0x74
>
> (recently observed on 6.9.0-rc1)
>
> Dmitry
Hi,

i thing the memory leak happens in acpi_ps_get_next_arg(). After allocating an acpi_parse_object in line 820 of psargs.c,
calling of acpi_ps_get_next_namepath() fails due to to the missing symbol. The code now returns the error without freeing
the acpi_parse_object, causing a memory leak.

IMHO the solution would be to call acpi_ps_free_op() in case of an error before returning said error code. I attached an
experimental patch which might fix this, but it is still untested. If you want you can test if it solves the problem.

Thanks,
Armin Wolf

From 650c010ef7841bebbacc074f359909e84633b4f8 Mon Sep 17 00:00:00 2001
From: Armin Wolf <W_Armin@xxxxxx>
Date: Sun, 31 Mar 2024 04:39:54 +0200
Subject: [PATCH] ACPICA: Fix memory leak then namespace lookup fails

When acpi_ps_get_next_namepath() fails due to a namespace lookup
failure, the acpi_parse_object is not freed before returning the
error code, casuing a memory leak.

Fix this by freeing the acpi_parse_object when encountering an
error.

Signed-off-by: Armin Wolf <W_Armin@xxxxxx>
---
 drivers/acpi/acpica/psargs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c
index 422c074ed289..7debfd5ce0d8 100644
--- a/drivers/acpi/acpica/psargs.c
+++ b/drivers/acpi/acpica/psargs.c
@@ -820,6 +820,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state,
 			    acpi_ps_get_next_namepath(walk_state, parser_state,
 						      arg,
 						      ACPI_NOT_METHOD_CALL);
+			if (ACPI_FAILURE(status)) {
+				acpi_ps_free_op(arg);
+				return_ACPI_STATUS(status);
+			}
 		} else {
 			/* Single complex argument, nothing returned */
 
@@ -854,6 +858,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state,
 			    acpi_ps_get_next_namepath(walk_state, parser_state,
 						      arg,
 						      ACPI_POSSIBLE_METHOD_CALL);
+			if (ACPI_FAILURE(status)) {
+				acpi_ps_free_op(arg);
+				return_ACPI_STATUS(status);
+			}
 
 			if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) {
 
-- 
2.39.2