* [pm:bleeding-edge 62/70] drivers/acpi/acpica/dbnames.c:576 acpi_db_walk_for_fields() error: double free of 'buffer.pointer'
@ 2019-11-01 10:28 Dan Carpenter
From: Dan Carpenter @ 2019-11-01 10:28 UTC (permalink / raw)
To: kbuild, Erik Schmauss
Cc: kbuild-all, linux-acpi, devel, linux-pm, Rafael J. Wysocki
tree: https://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm.git bleeding-edge
head: aaa43552df9b1f8c788d18df5f5989f8a13433f5
commit: 5fd033288a86676045d9e16243dfc5f988013371 [62/70] ACPICA: debugger: add command to dump all fields of particular subtype
If you fix the issue, kindly add the following tag
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
drivers/acpi/acpica/dbnames.c:576 acpi_db_walk_for_fields() error: double free of 'buffer.pointer'
# https://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm.git/commit/?id=5fd033288a86676045d9e16243dfc5f988013371
git remote add pm https://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm.git
git remote update pm
git checkout 5fd033288a86676045d9e16243dfc5f988013371
vim +576 drivers/acpi/acpica/dbnames.c
5fd033288a8667 Erik Schmauss 2019-10-25 518 static acpi_status
5fd033288a8667 Erik Schmauss 2019-10-25 519 acpi_db_walk_for_fields(acpi_handle obj_handle,
5fd033288a8667 Erik Schmauss 2019-10-25 520 u32 nesting_level, void *context, void **return_value)
5fd033288a8667 Erik Schmauss 2019-10-25 521 {
5fd033288a8667 Erik Schmauss 2019-10-25 522 union acpi_object *ret_value;
5fd033288a8667 Erik Schmauss 2019-10-25 523 struct acpi_region_walk_info *info =
5fd033288a8667 Erik Schmauss 2019-10-25 524 (struct acpi_region_walk_info *)context;
5fd033288a8667 Erik Schmauss 2019-10-25 525 struct acpi_buffer buffer;
5fd033288a8667 Erik Schmauss 2019-10-25 526 acpi_status status;
5fd033288a8667 Erik Schmauss 2019-10-25 527 struct acpi_namespace_node *node = acpi_ns_validate_handle(obj_handle);
5fd033288a8667 Erik Schmauss 2019-10-25 528
5fd033288a8667 Erik Schmauss 2019-10-25 529 if (!node) {
5fd033288a8667 Erik Schmauss 2019-10-25 530 return (AE_OK);
5fd033288a8667 Erik Schmauss 2019-10-25 531 }
5fd033288a8667 Erik Schmauss 2019-10-25 532 if (node->object->field.region_obj->region.space_id !=
5fd033288a8667 Erik Schmauss 2019-10-25 533 info->address_space_id) {
5fd033288a8667 Erik Schmauss 2019-10-25 534 return (AE_OK);
5fd033288a8667 Erik Schmauss 2019-10-25 535 }
5fd033288a8667 Erik Schmauss 2019-10-25 536
5fd033288a8667 Erik Schmauss 2019-10-25 537 info->count++;
5fd033288a8667 Erik Schmauss 2019-10-25 538
5fd033288a8667 Erik Schmauss 2019-10-25 539 /* Get and display the full pathname to this object */
5fd033288a8667 Erik Schmauss 2019-10-25 540
5fd033288a8667 Erik Schmauss 2019-10-25 541 buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER;
5fd033288a8667 Erik Schmauss 2019-10-25 542 status = acpi_ns_handle_to_pathname(obj_handle, &buffer, TRUE);
5fd033288a8667 Erik Schmauss 2019-10-25 543 if (ACPI_FAILURE(status)) {
5fd033288a8667 Erik Schmauss 2019-10-25 544 acpi_os_printf("Could Not get pathname for object %p\n",
5fd033288a8667 Erik Schmauss 2019-10-25 545 obj_handle);
5fd033288a8667 Erik Schmauss 2019-10-25 546 return (AE_OK);
5fd033288a8667 Erik Schmauss 2019-10-25 547 }
5fd033288a8667 Erik Schmauss 2019-10-25 548
5fd033288a8667 Erik Schmauss 2019-10-25 549 acpi_os_printf("%s ", (char *)buffer.pointer);
5fd033288a8667 Erik Schmauss 2019-10-25 550 ACPI_FREE(buffer.pointer);
Freed here.
5fd033288a8667 Erik Schmauss 2019-10-25 551
5fd033288a8667 Erik Schmauss 2019-10-25 552 buffer.length = ACPI_ALLOCATE_LOCAL_BUFFER;
5fd033288a8667 Erik Schmauss 2019-10-25 553 acpi_evaluate_object(obj_handle, NULL, NULL, &buffer);
No error handling here so "buffer.pointer" isn't necessarily modified.
5fd033288a8667 Erik Schmauss 2019-10-25 554
5fd033288a8667 Erik Schmauss 2019-10-25 555 ret_value = (union acpi_object *)buffer.pointer;
5fd033288a8667 Erik Schmauss 2019-10-25 556 switch (ret_value->type) {
5fd033288a8667 Erik Schmauss 2019-10-25 557 case ACPI_TYPE_INTEGER:
5fd033288a8667 Erik Schmauss 2019-10-25 558
5fd033288a8667 Erik Schmauss 2019-10-25 559 acpi_os_printf("%8.8X%8.8X",
5fd033288a8667 Erik Schmauss 2019-10-25 560 ACPI_FORMAT_UINT64(ret_value->integer.value));
5fd033288a8667 Erik Schmauss 2019-10-25 561 break;
5fd033288a8667 Erik Schmauss 2019-10-25 562
5fd033288a8667 Erik Schmauss 2019-10-25 563 case ACPI_TYPE_BUFFER:
5fd033288a8667 Erik Schmauss 2019-10-25 564
5fd033288a8667 Erik Schmauss 2019-10-25 565 acpi_ut_dump_buffer(ret_value->buffer.pointer,
5fd033288a8667 Erik Schmauss 2019-10-25 566 ret_value->buffer.length,
5fd033288a8667 Erik Schmauss 2019-10-25 567 DB_DISPLAY_DATA_ONLY | DB_BYTE_DISPLAY, 0);
5fd033288a8667 Erik Schmauss 2019-10-25 568 break;
5fd033288a8667 Erik Schmauss 2019-10-25 569
5fd033288a8667 Erik Schmauss 2019-10-25 570 default:
5fd033288a8667 Erik Schmauss 2019-10-25 571
5fd033288a8667 Erik Schmauss 2019-10-25 572 break;
5fd033288a8667 Erik Schmauss 2019-10-25 573 }
5fd033288a8667 Erik Schmauss 2019-10-25 574 acpi_os_printf("\n");
5fd033288a8667 Erik Schmauss 2019-10-25 575
5fd033288a8667 Erik Schmauss 2019-10-25 @576 ACPI_FREE(buffer.pointer);
Double free.
5fd033288a8667 Erik Schmauss 2019-10-25 577
5fd033288a8667 Erik Schmauss 2019-10-25 578 return (AE_OK);
5fd033288a8667 Erik Schmauss 2019-10-25 579 }
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
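The pattern flagged above, reduced to a stand-alone model (an added example, not ACPICA code and not the fix applied upstream): a buffer pointer is freed, a second producer call fails without rewriting it, and the stale pointer is freed again. The names out_buf, produce, t_alloc, t_free, walk_buggy and walk_fixed are hypothetical, and the tracking allocator only records the second free so the program can report it safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the report's buffer and allocator. */
struct out_buf { size_t length; void *pointer; };

#define SLOTS 8
static char pool[SLOTS][32];
static int live[SLOTS];
static int double_frees;

static void *t_alloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = 1; return pool[i]; }
    return NULL;
}

/* Counts a free of a non-live slot instead of corrupting a real heap. */
static void t_free(void *p)
{
    if (!p) return;
    int i = (int)((char (*)[32])p - pool);
    if (live[i]) live[i] = 0; else double_frees++;
}

/* Hypothetical producer: on failure it leaves b->pointer untouched. */
static int produce(struct out_buf *b, int fail)
{
    if (fail) return -1;
    b->pointer = t_alloc();
    return b->pointer ? 0 : -1;
}

static int walk_buggy(int fail_second)
{
    struct out_buf buffer;
    double_frees = 0;
    if (produce(&buffer, 0)) return -1;
    t_free(buffer.pointer);          /* first free (line 550 in the listing) */
    produce(&buffer, fail_second);   /* status ignored (line 553) */
    t_free(buffer.pointer);          /* stale pointer freed again (line 576) */
    return double_frees;
}

static int walk_fixed(int fail_second)
{
    struct out_buf buffer = { 0, NULL };
    double_frees = 0;
    if (produce(&buffer, 0)) return -1;
    t_free(buffer.pointer);
    buffer.pointer = NULL;           /* drop the stale pointer */
    if (produce(&buffer, fail_second) == 0)
        t_free(buffer.pointer);      /* free only what the call produced */
    return double_frees;
}

int main(void)
{
    printf("buggy: %d fixed: %d\n", walk_buggy(1), walk_fixed(1));
    return 0;
}
```

Each function returns the number of double frees the tracking allocator observed for one walk.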