From 10fa1b2cdc899ab471000968af56215bf3c90d8e Mon Sep 17 00:00:00 2001
From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Date: Fri, 22 Apr 2022 17:13:48 +0200
Subject: [PATCH] ACPI: bus: Avoid non-ACPI device objects in walks over
 children

When walking the children of an ACPI device, take extra care to avoid
using to_acpi_device() on the ones that are not ACPI devices, because
that may lead to out-of-bounds access and memory corruption.

While at it, make the function passed to acpi_dev_for_each_child()
take a struct acpi_device pointer argument (instead of a struct device
one), so it is more straightforward to use.

Fixes: b7dd6298db81 ("ACPI: PM: Introduce acpi_dev_power_up_children_with_adr()")
Reported-by: kernel test robot <oliver.sang@intel.com>
BugLink: https://lore.kernel.org/lkml/20220420064725.GB16310@xsang-OptiPlex-9020/
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
---
 drivers/acpi/bus.c       | 24 ++++++++++++++++++++++--
 drivers/acpi/device_pm.c |  5 +----
 include/acpi/acpi_bus.h  |  2 +-
 3 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
index e807bff..fe0000e 100644
--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -1070,10 +1070,30 @@ int acpi_bus_for_each_dev(int (*fn)(struct device *, void *), void *data)
 }
 EXPORT_SYMBOL_GPL(acpi_bus_for_each_dev);
 
+struct acpi_dev_walk_context {
+	int (*fn)(struct acpi_device *, void *);
+	void *data;
+};
+
+static int acpi_dev_for_one_check(struct device *dev, void *context)
+{
+	struct acpi_dev_walk_context *adwc = context;
+
+	if (dev->bus != &acpi_bus_type)
+		return 0;
+
+	return adwc->fn(to_acpi_device(dev), adwc->data);
+}
+
 int acpi_dev_for_each_child(struct acpi_device *adev,
-			    int (*fn)(struct device *, void *), void *data)
+			    int (*fn)(struct acpi_device *, void *), void *data)
 {
-	return device_for_each_child(&adev->dev, data, fn);
+	struct acpi_dev_walk_context adwc = {
+		.fn = fn,
+		.data = data,
+	};
+
+	return device_for_each_child(&adev->dev, &adwc, acpi_dev_for_one_check);
 }
 
 /* --------------------------------------------------------------------------
diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
index 83598b1..37c3d0a 100644
--- a/drivers/acpi/device_pm.c
+++ b/drivers/acpi/device_pm.c
@@ -425,11 +425,8 @@ bool acpi_bus_power_manageable(acpi_handle handle)
 }
 EXPORT_SYMBOL(acpi_bus_power_manageable);
 
-static int acpi_power_up_if_adr_present(struct device *dev, void *not_used)
+static int acpi_power_up_if_adr_present(struct acpi_device *adev, void *not_used)
 {
-	struct acpi_device *adev;
-
-	adev = to_acpi_device(dev);
 	if (!(adev->flags.power_manageable && adev->pnp.type.bus_address))
 		return 0;
 
diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
index b44aaff..772590e 100644
--- a/include/acpi/acpi_bus.h
+++ b/include/acpi/acpi_bus.h
@@ -482,7 +482,7 @@ extern struct bus_type acpi_bus_type;
 
 int acpi_bus_for_each_dev(int (*fn)(struct device *, void *), void *data);
 int acpi_dev_for_each_child(struct acpi_device *adev,
-			    int (*fn)(struct device *, void *), void *data);
+			    int (*fn)(struct acpi_device *, void *), void *data);
 
 /*
  * Events
-- 
2.7.4