authorBob Moore <robert.moore@intel.com>2009-09-02 22:03:37 -0400
committerLen Brown <len.brown@intel.com>2009-09-08 22:28:33 -0400
commite3fe0913b8e732ae636cf23afca76cf2c30718e5 (patch)
tree378560796739a8ede800c1b2d0759dde4bc16cbb /drivers/acpi/acpica
parente678902ee899f6b0ab48166b410cdc9f1c27a350 (diff)
ACPICA: Fix memory leak for ill-formed Package objects
Fixes a possible memory leak in the interpreter for package objects if the package initializer list is longer than the defined size of the package. This apparently can only happen if the BIOS changes the package size on the fly (seen in a _PSS object), as both iASL and the other compiler do not allow this. The interpreter will truncate the package to the defined size (and issue an error message), but can leave the extra objects undeleted if they have been pre-created during the argument processing (such is the case if the package consists of a number of sub-packages as in the _PSS.) ACPICA BZ 805. http://www.acpica.org/bugzilla/show_bug.cgi?id=805 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Lin Ming <ming.m.lin@intel.com> Signed-off-by: Len Brown <len.brown@intel.com>
Diffstat (limited to 'drivers/acpi/acpica')
-rw-r--r--drivers/acpi/acpica/dsobject.c23
1 files changed, 18 insertions, 5 deletions
diff --git a/drivers/acpi/acpica/dsobject.c b/drivers/acpi/acpica/dsobject.c
index 02e6caad4a76..507e1f0bbdfd 100644
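--- a/drivers/acpi/acpica/dsobject.c
+++ b/drivers/acpi/acpica/dsobject.c
@@ -482,14 +482,27 @@ acpi_ds_build_internal_package_obj(struct acpi_walk_state *walk_state,
 if (arg) {
 /*
 * num_elements was exhausted, but there are remaining elements in the
-* package_list.
+* package_list. Truncate the package to num_elements.
 *
 * Note: technically, this is an error, from ACPI spec: "It is an error
 * for NumElements to be less than the number of elements in the
-* PackageList". However, for now, we just print an error message and
-* no exception is returned.
+* PackageList". However, we just print an error message and
+* no exception is returned. This provides Windows compatibility. Some
+* BIOSs will alter the num_elements on the fly, creating this type
+* of ill-formed package object.
 */
 while (arg) {
+/*
+* We must delete any package elements that were created earlier
+* and are not going to be used because of the package truncation.
+*/
+if (arg->common.node) {
+acpi_ut_remove_reference(ACPI_CAST_PTR
+(union
+acpi_operand_object,
+arg->common.node));
+arg->common.node = NULL;
+}
 
 /* Find out how many elements there really are */
 
@@ -498,7 +511,7 @@ acpi_ds_build_internal_package_obj(struct acpi_walk_state *walk_state,
 }
 
 ACPI_WARNING((AE_INFO,
-"Package List length (%X) larger than NumElements count (%X), truncated\n",
+"Package List length (0x%X) larger than NumElements count (0x%X), truncated\n",
 i, element_count));
 } else if (i < element_count) {
 /*
@@ -506,7 +519,7 @@ acpi_ds_build_internal_package_obj(struct acpi_walk_state *walk_state,
 * Note: this is not an error, the package is padded out with NULLs.
 */
 ACPI_DEBUG_PRINT((ACPI_DB_INFO,
-"Package List length (%X) smaller than NumElements count (%X), padded with null elements\n",
+"Package List length (0x%X) smaller than NumElements count (0x%X), padded with null elements\n",
 i, element_count));
 }
 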
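Review bot: In the block added inside `while (arg)`, `arg->common.node` is cast to `union acpi_operand_object` and passed to `acpi_ut_remove_reference()` for every leftover argument, with no check that the field really holds a pre-created element object for that argument. The hunk does not show whether `node` can hold some other descriptor kind here, so the cast presumably relies on an invariant set up earlier in `acpi_ds_build_internal_package_obj` (its body starts and ends outside the hunk) or on a type guard inside `acpi_ut_remove_reference()`. Because the surplus list comes from firmware-supplied AML, a wrong assumption would mean a reference-count update on the wrong kind of object, so the invariant deserves a line in the new comment, e.g. `* Note: for these args common.node holds the pre-built element object, not a namespace node.` If no such guarantee exists, the release should be gated on the same condition the earlier element loop uses to recognise a pre-built element.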