If the call to acpi_ds_init_aml_walk() fails, then we have to undo the walk state push done by acpi_ds_create_walk_state(). Otherwise, the new walk state (which has just been freed) will remain on the thread's walk_state_list and be dereferenced in acpi_ps_parse_aml() when we try to get the new state. You can observe this when reading e.g. /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:01/status Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx> --- drivers/acpi/acpica/dsmethod.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c index 47c7b52..44b50a6 100644 --- a/drivers/acpi/acpica/dsmethod.c +++ b/drivers/acpi/acpica/dsmethod.c @@ -596,6 +596,8 @@ cleanup: /* On error, we must terminate the method properly */ acpi_ds_terminate_control_method(obj_desc, next_walk_state); + if (thread) + acpi_ds_pop_walk_state(thread); acpi_ds_delete_walk_state(next_walk_state); return_ACPI_STATUS(status); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html