ACPICA: Fix to handle NULL package elements correctly

Fixed problem where NULL package elements were not returned to
the AcpiEvaluateObject interface correctly. Instead of returning a
NULL ACPI_OBJECT package element, the element was simply ignored,
potentially causing a buffer overflow and/or confusing the caller
who expected a fixed number of elements.

http://bugzilla.kernel.org/show_bug.cgi?id=10132

Signed-off-by: Lin Ming <ming.m.lin@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>

diff --git a/drivers/acpi/utilities/utobject.c b/drivers/acpi/utilities/utobject.c
index 1eccd3d..cdb8ff5 100644 (file)
--- a/drivers/acpi/utilities/utobject.c
+++ b/drivers/acpi/utilities/utobject.c
@@ -470,9 +470,8 @@ acpi_ut_get_simple_object_size(union acpi_operand_object *internal_object,
        case ACPI_TYPE_PROCESSOR:
        case ACPI_TYPE_POWER:
 
-               /*
-                * No extra data for these types
-                */
+               /* No extra data for these types */
+
                break;
 
        case ACPI_TYPE_LOCAL_REFERENCE:

diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h
index 599657e..75ec153 100644 (file)
--- a/include/acpi/actypes.h
+++ b/include/acpi/actypes.h
@@ -639,46 +639,51 @@ typedef u8 acpi_adr_space_type;
 /*
  * External ACPI object definition
  */
+
+/*
+ * Note: Type == ACPI_TYPE_ANY (0) is used to indicate a NULL package element
+ * or an unresolved named reference.
+ */
 union acpi_object {
        acpi_object_type type;  /* See definition of acpi_ns_type for values */
        struct {
-               acpi_object_type type;
+               acpi_object_type type;  /* ACPI_TYPE_INTEGER */
                acpi_integer value;     /* The actual number */
        } integer;
 
        struct {
-               acpi_object_type type;
+               acpi_object_type type;  /* ACPI_TYPE_STRING */
                u32 length;     /* # of bytes in string, excluding trailing null */
                char *pointer;  /* points to the string value */
        } string;
 
        struct {
-               acpi_object_type type;
+               acpi_object_type type;  /* ACPI_TYPE_BUFFER */
                u32 length;     /* # of bytes in buffer */
                u8 *pointer;    /* points to the buffer */
        } buffer;
 
        struct {
-               acpi_object_type type;
-               u32 fill1;
-               acpi_handle handle;     /* object reference */
-       } reference;
-
-       struct {
-               acpi_object_type type;
+               acpi_object_type type;  /* ACPI_TYPE_PACKAGE */
                u32 count;      /* # of elements in package */
                union acpi_object *elements;    /* Pointer to an array of ACPI_OBJECTs */
        } package;
 
        struct {
-               acpi_object_type type;
+               acpi_object_type type;  /* ACPI_TYPE_LOCAL_REFERENCE */
+               acpi_object_type actual_type;   /* Type associated with the Handle */
+               acpi_handle handle;     /* object reference */
+       } reference;
+
+       struct {
+               acpi_object_type type;  /* ACPI_TYPE_PROCESSOR */
                u32 proc_id;
                acpi_io_address pblk_address;
                u32 pblk_length;
        } processor;
 
        struct {
-               acpi_object_type type;
+               acpi_object_type type;  /* ACPI_TYPE_POWER */
                u32 system_level;
                u32 resource_order;
        } power_resource;