[PATCH] acpica: Fix double-free in acpi_ns_repair_CID()
From: João Paulo Rechi Vita
Date: Fri Feb 03 2017 - 15:57:26 EST
When acpi_ns_repair_CID() is called for a _CID which returns a package
of strings, it calls acpi_ns_repair_HID() for each of the package
elements. acpi_ns_repair_HID() calls acpi_ut_remove_reference() on the
original object, but acpi_ns_repair_CID() calls it again on return,
leading to a double free.
This problem was seen on an Acer TravelMate P449-G2-MG.
Thanks to Daniel Drake for helping investigate this problem.
Signed-off-by: João Paulo Rechi Vita <jprvita@xxxxxxxxxxxx>
---
drivers/acpi/acpica/nsrepair2.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/acpi/acpica/nsrepair2.c b/drivers/acpi/acpica/nsrepair2.c
index d5336122486b..c429c8eca476 100644
--- a/drivers/acpi/acpica/nsrepair2.c
+++ b/drivers/acpi/acpica/nsrepair2.c
@@ -411,8 +411,6 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,
(*element_ptr)->common.reference_count =
original_ref_count;
-
- acpi_ut_remove_reference(original_element);
}
element_ptr++;
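Review bot: the release of original_element at the end of the block that restores (*element_ptr)->common.reference_count is dropped with nothing in its place, so freeing the original object now depends entirely on acpi_ns_repair_HID(). The commit message says that function calls acpi_ut_remove_reference() on the original object; please state that it does so on every path that reaches this block, because any path that does not would turn the double free into a leak. A short comment at this spot saying that acpi_ns_repair_HID() has already released original_element would keep a later reader from re-adding the call. The changelog would also benefit from a line on how the double free showed up on the affected machine, which helps when deciding on backports.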
--
2.11.0