[PATCH] acpi: fix acpi_get_table() leak / acpi-sysfs denial of service

From: Dan Williams
Date: Tue Apr 25 2017 - 15:45:29 EST


Reading an ACPI table through the /sys/firmware/acpi/tables interface
more than 65,536 times leads to the following log message:

ACPI Error: Table ffff88033595eaa8, Validation count is zero after increment
(20170119/tbutils-423)

...and the table being unavailable until the next reboot. Add the
missing acpi_put_table() so the table ->validation_count is decremented
after each read.

Cc: <stable@xxxxxxxxxxxxxxx>
Cc: Zhang Rui <rui.zhang@xxxxxxxxx>
Cc: Rafael Wysocki <rafael.j.wysocki@xxxxxxxxx>
Cc: Kristin Jacque <kristin.jacque@xxxxxxxxx>
Cc: Tiffany Kasanicky <tiffany.j.kasanicky@xxxxxxxxx>
Cc: Ryon Jensen <ryon.jensen@xxxxxxxxx>
Reported-by: Anush Seetharaman <anush.seetharaman@xxxxxxxxx>
Fixes: 1c8fce27e275 ("ACPI: introduce drivers/acpi/sysfs.c")
Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx>
---
drivers/acpi/sysfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c
index cf05ae973381..531ddabf0390 100644
--- a/drivers/acpi/sysfs.c
+++ b/drivers/acpi/sysfs.c
@@ -333,14 +333,17 @@ static ssize_t acpi_table_show(struct file *filp, struct kobject *kobj,
container_of(bin_attr, struct acpi_table_attr, attr);
struct acpi_table_header *table_header = NULL;
acpi_status status;
+ ssize_t rc;

status = acpi_get_table(table_attr->name, table_attr->instance,
&table_header);
if (ACPI_FAILURE(status))
return -ENODEV;

- return memory_read_from_buffer(buf, count, &offset,
- table_header, table_header->length);
+ rc = memory_read_from_buffer(buf, count, &offset, table_header,
+ table_header->length);
+ acpi_put_table(table);
+ return rc;
}

static int acpi_table_attr_init(struct kobject *tables_obj,
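Review bot: the added call acpi_put_table(table) names a variable, table, that is not declared in the visible part of acpi_table_show(); the pointer that acpi_get_table() fills in here is table_header, which is also what memory_read_from_buffer() reads from. Unless table is defined somewhere outside this hunk, the call should be acpi_put_table(table_header), so that the reference taken a few lines earlier is the one released. Placing the put after the copy and before return rc is the right order, since table_header->length is dereferenced during the read, and the early return -ENODEV needs no put because no reference was obtained on that path.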