This is a note to let you know that I've just added the patch titled ACPI: property: Allow _DSD buffer data only for byte accessors to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: acpi-property-allow-_dsd-buffer-data-only-for-byte-a.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit e9f6aa28ae35d7413d265cd29c83f3e6533de27c Author: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx> Date: Mon Oct 2 16:46:29 2023 +0300 ACPI: property: Allow _DSD buffer data only for byte accessors [ Upstream commit 046ece773cc77ef5d2a1431b188ac3d0840ed150 ] In accordance with ACPI specificication and _DSD data buffer representation the data there is an array of bytes. Hence, accessing it with something longer will create a sparse data which is against of how device property APIs work in general and also not defined in the ACPI specification (see [1]). Fix the code to emit an error if non-byte accessor is used to retrieve _DSD buffer data. Fixes: 369af6bf2c28 ("ACPI: property: Read buffer properties as integers") Link: https://uefi.org/specs/ACPI/6.5/19_ASL_Reference.html#buffer-declare-buffer-object # [1] Signed-off-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx> [ rjw: Add missing braces ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c index 413e4fcadcaf7..99b4e33554355 100644 --- a/drivers/acpi/property.c +++ b/drivers/acpi/property.c @@ -1102,25 +1102,26 @@ static int acpi_data_prop_read(const struct acpi_device_data *data, switch (proptype) { case DEV_PROP_STRING: break; - case DEV_PROP_U8 ... DEV_PROP_U64: + default: if (obj->type == ACPI_TYPE_BUFFER) { if (nval > obj->buffer.length) return -EOVERFLOW; - break; + } else { + if (nval > obj->package.count) + return -EOVERFLOW; } - fallthrough; - default: - if (nval > obj->package.count) - return -EOVERFLOW; break; } if (nval == 0) return -EINVAL; - if (obj->type != ACPI_TYPE_BUFFER) - items = obj->package.elements; - else + if (obj->type == ACPI_TYPE_BUFFER) { + if (proptype != DEV_PROP_U8) + return -EPROTO; items = obj; + } else { + items = obj->package.elements; + } switch (proptype) { case DEV_PROP_U8: