From patchwork Fri Jan 24 09:28:04 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg KH <gregkh@linuxfoundation.org>
X-Patchwork-Id: 232988
Return-Path: <SRS0=xW8Y=3N=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, 
 DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,
 MAILING_LIST_MULTI, 
 SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham
 autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id E8360C2D0DB
 for <stable@archiver.kernel.org>;
 Fri, 24 Jan 2020 11:17:36 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
 by mail.kernel.org (Postfix) with ESMTP id BC09C214DB
 for <stable@archiver.kernel.org>;
 Fri, 24 Jan 2020 11:17:36 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=default; t=1579864656;
 bh=s/NLmvRDh3F5T79oMLtiHhYPV4HGJch2s+FoFKZcbc8=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From;
 b=ZAHgNAIR2llEormZzILYHnb7/oYii2JHUgfFLO076BL1sua4kYQdwhCMHmzY4JLBQ
 NC6IaywFYPsI4mW++3VmdWPPRGREapQxklG9PkLuz+yjhIZ9k7ODaj4Zk6hsLdsANP
 xHgT5i9dUNvvKxP9weNTkCej2IGF4ORWfreYJlK8=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S2390201AbgAXLRf (ORCPT <rfc822;stable@archiver.kernel.org>);
 Fri, 24 Jan 2020 06:17:35 -0500
Received: from mail.kernel.org ([198.145.29.99]:54550 "EHLO mail.kernel.org"
 rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
 id S2390204AbgAXLRd (ORCPT <rfc822;stable@vger.kernel.org>);
 Fri, 24 Jan 2020 06:17:33 -0500
Received: from localhost (ip-213-127-102-57.ip.prioritytelecom.net
 [213.127.102.57])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (No client certificate requested)
 by mail.kernel.org (Postfix) with ESMTPSA id 6B3C720708;
 Fri, 24 Jan 2020 11:17:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=default; t=1579864653;
 bh=s/NLmvRDh3F5T79oMLtiHhYPV4HGJch2s+FoFKZcbc8=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=PmYXJr+xCF/tDJFSaQzV850LEzTamImGB3Pf7o3geHlhLJodRM3YPEsq66lYHYCHL
 VkTNEWYGI5Ehu6JAUI36+9T7fgtdB4cHLQAwdIV1o1LyhS0ktItlaC4pSZnspihpho
 sZ2IQhSxUL4GIeCdu0xUyFZ53RcsXBiOL3aATIQU=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 stable@vger.kernel.org, Colin Ian King <colin.king@canonical.com>,
 "Darren Hart (VMware)" <dvhart@infradead.org>,
 Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 314/639] platform/x86: alienware-wmi: fix kfree on
 potentially uninitialized pointer
Date: Fri, 24 Jan 2020 10:28:04 +0100
Message-Id: <20200124093126.286697396@linuxfoundation.org>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200124093047.008739095@linuxfoundation.org>
References: <20200124093047.008739095@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 98e2630284ab741804bd0713e932e725466f2f84 ]

Currently the kfree of output.pointer can be potentially freeing
an uninitalized pointer in the case where out_data is NULL. Fix this
by reworking the case where out_data is not-null to perform the
ACPI status check and also the kfree of outpoint.pointer in one block
and hence ensuring the pointer is only freed when it has been used.

Also replace the if (ptr != NULL) idiom with just if (ptr).

Fixes: ff0e9f26288d ("platform/x86: alienware-wmi: Correct a memory leak")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/x86/alienware-wmi.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c
index f10af5c383c55..c0d1555735cdd 100644
--- a/drivers/platform/x86/alienware-wmi.c
+++ b/drivers/platform/x86/alienware-wmi.c
@@ -522,23 +522,22 @@ static acpi_status alienware_wmax_command(struct wmax_basic_args *in_args,
 
 	input.length = (acpi_size) sizeof(*in_args);
 	input.pointer = in_args;
-	if (out_data != NULL) {
+	if (out_data) {
 		output.length = ACPI_ALLOCATE_BUFFER;
 		output.pointer = NULL;
 		status = wmi_evaluate_method(WMAX_CONTROL_GUID, 0,
 					     command, &input, &output);
-	} else
+		if (ACPI_SUCCESS(status)) {
+			obj = (union acpi_object *)output.pointer;
+			if (obj && obj->type == ACPI_TYPE_INTEGER)
+				*out_data = (u32)obj->integer.value;
+		}
+		kfree(output.pointer);
+	} else {
 		status = wmi_evaluate_method(WMAX_CONTROL_GUID, 0,
 					     command, &input, NULL);
-
-	if (ACPI_SUCCESS(status) && out_data != NULL) {
-		obj = (union acpi_object *)output.pointer;
-		if (obj && obj->type == ACPI_TYPE_INTEGER)
-			*out_data = (u32) obj->integer.value;
 	}
-	kfree(output.pointer);
 	return status;
-
 }
 
 /*