From owner-p4-projects Sun Jan 5 22:31:34 2003 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 47C8D37B405; Sun, 5 Jan 2003 22:31:31 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB14237B401 for ; Sun, 5 Jan 2003 22:31:30 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B24243EE1 for ; Sun, 5 Jan 2003 22:31:29 -0800 (PST) (envelope-from peter@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h066VTfh097662 for ; Sun, 5 Jan 2003 22:31:29 -0800 (PST) (envelope-from peter@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h066VS9S097637 for perforce@freebsd.org; Sun, 5 Jan 2003 22:31:28 -0800 (PST) Date: Sun, 5 Jan 2003 22:31:28 -0800 (PST) Message-Id: <200301060631.h066VS9S097637@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to peter@freebsd.org using -f From: Peter Wemm Subject: PERFORCE change 23251 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=23251 Change 23251 by peter@peter_itanic2 on 2003/01/05 22:30:57 Try and fix some highly bogus code that gets broken on the RX2600 when there are multiple SSDT's. This shows up as a null pointer derefs or freeing the listhead structures. The reason this is hosed is that it assumes that if the list is empty, it must be the head. If it isn't empty, then it must be a malloc managed object. But, it frees the head first which isn't empty at the time, and isn't a malloc object. BOOM! Take advantage of the circular list and keep freeing ListHead->Next, which will eventually free the list head last, because ListHead->Next == ListHead when there is nothing else left. There's an anti-foot-shooting relic there too though. Count should always be zero at this point. pluto1 can now reboot, with mpt_shutdown #if 0'ed. Affected files ... .. //depot/projects/ia64/sys/contrib/dev/acpica/actables.h#5 edit .. //depot/projects/ia64/sys/contrib/dev/acpica/tbinstal.c#8 edit Differences ... ==== //depot/projects/ia64/sys/contrib/dev/acpica/actables.h#5 (text+ko) ==== @@ -254,7 +254,7 @@ AcpiTbDeleteSingleTable ( ACPI_TABLE_DESC *TableDesc); -ACPI_TABLE_DESC * +void AcpiTbUninstallTable ( ACPI_TABLE_DESC *TableDesc); ==== //depot/projects/ia64/sys/contrib/dev/acpica/tbinstal.c#8 (text+ko) ==== @@ -537,25 +537,23 @@ ACPI_TABLE_DESC *ListHead) { ACPI_TABLE_DESC *TableDesc; - UINT32 Count; - UINT32 i; ACPI_FUNCTION_TRACE_PTR ("TbFreeAcpiTablesOfType", ListHead); - /* Get the head of the list */ - - TableDesc = ListHead; - Count = ListHead->Count; - /* * Walk the entire list, deleting both the allocated tables * and the table descriptors */ - for (i = 0; i < Count; i++) + while ((ListHead->Next) != (ListHead->Prev)) + { + TableDesc = ListHead->Next; + AcpiTbUninstallTable (TableDesc); + } + if (ListHead->Count > 0) { - TableDesc = AcpiTbUninstallTable (TableDesc); + AcpiTbUninstallTable (ListHead); } return_VOID; @@ -625,11 +623,10 @@ * ******************************************************************************/ -ACPI_TABLE_DESC * +void AcpiTbUninstallTable ( ACPI_TABLE_DESC *TableDesc) { - ACPI_TABLE_DESC *NextDesc; ACPI_FUNCTION_TRACE_PTR ("AcpiTbUninstallTable", TableDesc); @@ -637,7 +634,7 @@ if (!TableDesc) { - return_PTR (NULL); + return_VOID; } /* Unlink the descriptor */ @@ -660,7 +657,6 @@ if ((TableDesc->Prev) == (TableDesc->Next)) { - NextDesc = NULL; /* Clear the list head */ @@ -672,11 +668,10 @@ { /* Free the table descriptor */ - NextDesc = TableDesc->Next; ACPI_MEM_FREE (TableDesc); } - return_PTR (NextDesc); + return_VOID; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message