ACPICA: Avoid use of invalid pointers in returned object field

author Bob Moore <robert.moore@intel.com>

Thu, 10 Apr 2008 15:06:37 +0000 (19:06 +0400)

committer Len Brown <len.brown@intel.com>

Tue, 22 Apr 2008 18:29:21 +0000 (14:29 -0400)
author Bob Moore <robert.moore@intel.com>
Thu, 10 Apr 2008 15:06:37 +0000 (19:06 +0400)
committer Len Brown <len.brown@intel.com>
Tue, 22 Apr 2008 18:29:21 +0000 (14:29 -0400)
diff --git a/drivers/acpi/executer/exoparg1.c b/drivers/acpi/executer/exoparg1.c

index 252f10a..ab5c037 100644 (file)
--- a/drivers/acpi/executer/exoparg1.c
+++ b/drivers/acpi/executer/exoparg1.c
@@ -121,6 +121,7 @@ acpi_status acpi_ex_opcode_0A_0T_1R(struct acpi_walk_state *walk_state)
  
         if ((ACPI_FAILURE(status)) || walk_state->result_obj) {
                 acpi_ut_remove_reference(return_desc);
+               walk_state->result_obj = NULL;
         } else {
                 /* Save the return value */
  
diff --git a/drivers/acpi/executer/exoparg2.c b/drivers/acpi/executer/exoparg2.c

index 17e652e..81c02b1 100644 (file)
--- a/drivers/acpi/executer/exoparg2.c
+++ b/drivers/acpi/executer/exoparg2.c
@@ -241,10 +241,6 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
                 goto cleanup;
         }
  
-       /* Return the remainder */
-
-       walk_state->result_obj = return_desc1;
-
        cleanup:
         /*
          * Since the remainder is not returned indirectly, remove a reference to
@@ -259,6 +255,12 @@ acpi_status acpi_ex_opcode_2A_2T_1R(struct acpi_walk_state *walk_state)
                 acpi_ut_remove_reference(return_desc1);
         }
  
+       /* Save return object (the remainder) on success */
+
+       else {
+               walk_state->result_obj = return_desc1;
+       }
+
         return_ACPI_STATUS(status);
  }
  
@@ -490,6 +492,7 @@ acpi_status acpi_ex_opcode_2A_1T_1R(struct acpi_walk_state *walk_state)
  
         if (ACPI_FAILURE(status)) {
                 acpi_ut_remove_reference(return_desc);
+               walk_state->result_obj = NULL;
         }
  
         return_ACPI_STATUS(status);
@@ -583,8 +586,6 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
                 return_desc->integer.value = ACPI_INTEGER_MAX;
         }
  
-       walk_state->result_obj = return_desc;
-
        cleanup:
  
         /* Delete return object on error */
@@ -593,5 +594,11 @@ acpi_status acpi_ex_opcode_2A_0T_1R(struct acpi_walk_state *walk_state)
                 acpi_ut_remove_reference(return_desc);
         }
  
+       /* Save return object on success */
+
+       else {
+               walk_state->result_obj = return_desc;
+       }
+
         return_ACPI_STATUS(status);
  }
diff --git a/drivers/acpi/executer/exoparg3.c b/drivers/acpi/executer/exoparg3.c

index 7fe67cf..a573f5d 100644 (file)
--- a/drivers/acpi/executer/exoparg3.c
+++ b/drivers/acpi/executer/exoparg3.c
@@ -260,6 +260,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state)
  
         if (ACPI_FAILURE(status) || walk_state->result_obj) {
                 acpi_ut_remove_reference(return_desc);
+               walk_state->result_obj = NULL;
         }
  
         /* Set the return object and exit */
diff --git a/drivers/acpi/executer/exoparg6.c b/drivers/acpi/executer/exoparg6.c

index bd80a9c..163b2b3 100644 (file)
--- a/drivers/acpi/executer/exoparg6.c
+++ b/drivers/acpi/executer/exoparg6.c
@@ -322,8 +322,6 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
                 goto cleanup;
         }
  
-       walk_state->result_obj = return_desc;
-
        cleanup:
  
         /* Delete return object on error */
@@ -332,5 +330,11 @@ acpi_status acpi_ex_opcode_6A_0T_1R(struct acpi_walk_state * walk_state)
                 acpi_ut_remove_reference(return_desc);
         }
  
+       /* Save return object on success */
+
+       else {
+               walk_state->result_obj = return_desc;
+       }
+
         return_ACPI_STATUS(status);
  }
author	Bob Moore <robert.moore@intel.com>
	Thu, 10 Apr 2008 15:06:37 +0000 (19:06 +0400)
committer	Len Brown <len.brown@intel.com>
	Tue, 22 Apr 2008 18:29:21 +0000 (14:29 -0400)
drivers/acpi/executer/exoparg1.c		patch \| blob \| history
drivers/acpi/executer/exoparg2.c		patch \| blob \| history
drivers/acpi/executer/exoparg3.c		patch \| blob \| history
drivers/acpi/executer/exoparg6.c		patch \| blob \| history