From 4cf33275289088e3b0a913a44b5cd549e348094d Mon Sep 17 00:00:00 2001
From: Mark Johnston <markj@FreeBSD.org>
Date: Wed, 26 May 2021 10:34:39 -0400
Subject: [PATCH] acpi: Add missing error handling to
 acpi_pci_link_route_irqs()

Otherwise the resouce buffer may have been freed when
AcpiSetCurrentResources() is called, leading to a use-after-free.

PR:		255862
Submitted by:	Lv Yunlong <lylgood@foxmail.com> (original version)
MFC after:	1 week
---
 sys/dev/acpica/acpi_pci_link.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sys/dev/acpica/acpi_pci_link.c b/sys/dev/acpica/acpi_pci_link.c
index ecc4f26d3fb4..3dab2807bd92 100644
--- a/sys/dev/acpica/acpi_pci_link.c
+++ b/sys/dev/acpica/acpi_pci_link.c
@@ -843,8 +843,10 @@ acpi_pci_link_srs_from_links(struct acpi_pci_link_softc *sc,
 			device_printf(sc->pl_dev,
 			    "Unable to build resources: %s\n",
 			    AcpiFormatException(status));
-			if (srsbuf->Pointer != NULL)
+			if (srsbuf->Pointer != NULL) {
 				AcpiOsFree(srsbuf->Pointer);
+				srsbuf->Pointer = NULL;
+			}
 			return (status);
 		}
 	}
@@ -867,6 +869,8 @@ acpi_pci_link_route_irqs(device_t dev)
 		status = acpi_pci_link_srs_from_links(sc, &srsbuf);
 	else
 		status = acpi_pci_link_srs_from_crs(sc, &srsbuf);
+	if (ACPI_FAILURE(status))
+		return (status);
 
 	/* Write out new resources via _SRS. */
 	status = AcpiSetCurrentResources(acpi_get_handle(dev), &srsbuf);