Patch "ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit fffcd4cc15e035083f3a1a954c83dee9df0c9767
Author: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx>
Date:   Wed Dec 22 17:31:05 2021 +0100

    ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
    
    [ Upstream commit 24ea5f90ec9548044a6209685c5010edd66ffe8f ]
    
    ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e
    
    If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class,
    acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to
    obtain return_desc which may require additional resolution with
    the help of acpi_ex_read_data_from_field (). If the latter fails,
    the reference counter of the original return_desc is decremented
    which is incorrect, because acpi_ns_get_attached_object () does not
    increment the reference counter of the object returned by it.
    
    This issue may lead to premature deletion of the attached object
    while it is still attached and a use-after-free and crash in the
    host OS.  For example, this may happen when on evaluation of ref_of()
    a local region field where there is no registered handler for the
    given Operation Region.
    
    Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away
    after an acpi_ex_read_data_from_field () failure.
    
    Link: https://github.com/acpica/acpica/commit/d984f120
    Link: https://github.com/acpica/acpica/pull/685
    Reported-by: Lenny Szubowicz <lszubowi@xxxxxxxxxx>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx>
    Signed-off-by: Bob Moore <robert.moore@xxxxxxxxx>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c
index a46d685a3ffcf..9d67dfd93d5b6 100644
--- a/drivers/acpi/acpica/exoparg1.c
+++ b/drivers/acpi/acpica/exoparg1.c
@@ -1007,7 +1007,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state)
 						    (walk_state, return_desc,
 						     &temp_desc);
 						if (ACPI_FAILURE(status)) {
-							goto cleanup;
+							return_ACPI_STATUS
+							    (status);
 						}
 
 						return_desc = temp_desc;
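
Review bot: The new return_ACPI_STATUS(status) in the ACPI_FAILURE(status) branch leaves the function without going through the cleanup label and has no comment saying why, so a later reader could turn it back into `goto cleanup` and reintroduce the extra reference drop. A short comment above it would help, stating that return_desc on this path came from acpi_ns_get_attached_object(), which does not take a reference, so there is nothing to release here. It is also worth confirming against the full function that temp_desc cannot hold an allocated object when the read fails, because the visible lines do not show whether the early return could leak it.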


