Date:      Mon, 26 Nov 2012 10:11:10 +0100
From:      Stefan Farfeleder <stefanf@FreeBSD.org>
To:        Andriy Gapon <avg@FreeBSD.org>
Cc:        freebsd-acpi@FreeBSD.org
Subject:   Re: ACPI panic
Message-ID:  <20121126091101.GA1469@mole.fafoe.narf.at>
In-Reply-To: <50B244A1.1040800@FreeBSD.org>
References:  <20121120103522.GB2012@mole.fafoe.narf.at> <50AC0A68.8070906@FreeBSD.org> <20121121104840.GA1468@mole.fafoe.narf.at> <20121122081831.GA1483@mole.fafoe.narf.at> <50ADFD75.10709@FreeBSD.org> <50ADFFB2.1000108@FreeBSD.org> <50AE057D.8060808@FreeBSD.org> <20121125140008.GA1497@mole.fafoe.narf.at> <50B244A1.1040800@FreeBSD.org>

On Sun, Nov 25, 2012 at 06:17:37PM +0200, Andriy Gapon wrote:
> @@ -238,6 +240,10 @@ AcpiOsReleaseObject (
>          if (Object == Curr) {
>              panic("freeing a free object %p", Object);
>          }
> +        Depth--;
> +        if (Depth < 0) {
> +            panic("cycle in a cache list");
> +        }
>      }
>      (void) AcpiUtReleaseMutex (ACPI_MTX_CACHES);
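
Review bot: the panic("cycle in a cache list") in the new Depth < 0 branch carries no context, unlike the panic("freeing a free object %p", Object) just above it; printing Object and Curr there would make the dump point at the link where the walk gave up. The counter also cannot tell a real cycle from a list that is simply longer than Depth's starting value, which is set outside this hunk, so a comment stating what Depth starts from and why the list can never legitimately be longer would help.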

I can easily trigger this panic. At the time of the panic, the cache
list has ~30 entries and somewhere in the middle there's a 2-item cycle
A -> B -> A. I don't think release is called twice on A as your patch
checks that and the cycle is not at the beginning of the loop. So this
means "someone" changes the next pointer while the object is in the
cache.

Stefan
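
A depth counter can report that a cycle exists but not where it sits in the list, which is the detail the message above turns on. The following is an added example, not part of the original message or of the FreeBSD/ACPICA code: a free-list check using Floyd's cycle detection that reports where the cycle starts and how long it is. `struct obj`, `check_free_list` and `demo_mid_list_cycle` are hypothetical names, and the 30-node list is constructed.

```c
#include <stddef.h>

/* Hypothetical cached object: the free-list link is stored in the object itself. */
struct obj { struct obj *next; };

struct walk_result {
    int    on_list;    /* 1 if `object` is already reachable from head */
    size_t cycle_at;   /* index of the first node on the cycle, (size_t)-1 if none */
    size_t cycle_len;  /* nodes on the cycle, 0 if none */
};

/* Check a free list before releasing `object` onto it. Floyd's tortoise and
 * hare needs no depth bound and reports where the cycle starts. */
static struct walk_result check_free_list(struct obj *head, struct obj *object)
{
    struct walk_result r = { 0, (size_t)-1, 0 };
    struct obj *slow = head, *fast = head;
    size_t limit = (size_t)-1, i;
    while (fast != NULL && fast->next != NULL) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast)
            break;
    }
    if (fast != NULL && fast->next != NULL) {   /* the pointers met: cycle */
        /* Restart one pointer at head; stepping both by one meets at the entry. */
        r.cycle_at = 0;
        for (slow = head; slow != fast; slow = slow->next, fast = fast->next)
            r.cycle_at++;
        r.cycle_len = 1;                        /* go once around to measure */
        for (fast = slow->next; fast != slow; fast = fast->next)
            r.cycle_len++;
        limit = r.cycle_at + r.cycle_len;       /* distinct reachable nodes */
    }
    for (slow = head, i = 0; slow != NULL && i < limit; slow = slow->next, i++)
        if (slow == object)
            r.on_list = 1;
    return r;
}

/* Constructed sample: 30 entries; if `corrupt`, node 15 points back at node 14. */
static struct walk_result demo_mid_list_cycle(int corrupt)
{
    static struct obj n[30];
    for (size_t i = 0; i < 30; i++)
        n[i].next = (i + 1 < 30) ? &n[i + 1] : NULL;
    if (corrupt)
        n[15].next = &n[14];
    return check_free_list(&n[0], &n[20]);
}
```

With the corrupted link, the result distinguishes "object already on the list" from "list damaged at index 14", which a single depth counter reports as the same failure.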


