From: linux-acpi-owner(a)vger.kernel.org [mailto:linux-acpi- owner(a)vger.kernel.org] On Behalf Of Vegard Nossum Subject: [PATCH] ACPICA: cleanup method properly on error If the call to acpi_ds_init_aml_walk() fails, then we have to undo the walk state push done by acpi_ds_create_walk_state(). Otherwise, the new walk state (which has just been freed) will remain on the thread's walk_state_list and be dereferenced in acpi_ps_parse_aml() when we try to get the new state.

You can observe this when reading e.g. /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:01/status

Cc: stable(a)vger.kernel.org Signed-off-by: Vegard Nossum <vegard.nossum(a)oracle.com&gt; --- drivers/acpi/acpica/dsmethod.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c index 47c7b52..44b50a6 100644 --- a/drivers/acpi/acpica/dsmethod.c +++ b/drivers/acpi/acpica/dsmethod.c @@ -596,6 +596,8 @@ cleanup: /* On error, we must terminate the method properly */ acpi_ds_terminate_control_method(obj_desc, next_walk_state); + if (thread) + acpi_ds_pop_walk_state(thread); acpi_ds_delete_walk_state(next_walk_state);