Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 22 Nov 2012 12:34:26 +0200
From:      Andriy Gapon <avg@FreeBSD.org>
To:        Stefan Farfeleder <stefanf@FreeBSD.org>
Cc:        freebsd-acpi@FreeBSD.org
Subject:   Re: ACPI panic
Message-ID:  <50ADFFB2.1000108@FreeBSD.org>
In-Reply-To: <50ADFD75.10709@FreeBSD.org>
References:  <20121120103522.GB2012@mole.fafoe.narf.at> <50AC0A68.8070906@FreeBSD.org> <20121121104840.GA1468@mole.fafoe.narf.at> <20121122081831.GA1483@mole.fafoe.narf.at> <50ADFD75.10709@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
on 22/11/2012 12:24 Andriy Gapon said the following:
> on 22/11/2012 10:18 Stefan Farfeleder said the following:
>> I'm afraid the AcpiOsAcquireObject panic is not directly related to
>> reference counting. I had the very same panic today with your patch.
> 
> OK, let's try to attack it from a different angle.
> Please try this patch:
[snip]

Or better this one:

diff --git a/sys/contrib/dev/acpica/components/utilities/utcache.c
b/sys/contrib/dev/acpica/components/utilities/utcache.c
index b8efa68..09b77b2 100644
--- a/sys/contrib/dev/acpica/components/utilities/utcache.c
+++ b/sys/contrib/dev/acpica/components/utilities/utcache.c
@@ -226,6 +226,22 @@ AcpiOsReleaseObject (
         return (AE_BAD_PARAMETER);
     }

+    (void) AcpiUtAcquireMutex (ACPI_MTX_CACHES);
+    char                    *Curr;
+    char                    *Next;
+    Next = Cache->ListHead;
+    while (Next)
+    {
+        Curr = Next;
+        Next = *(ACPI_CAST_INDIRECT_PTR (char,
+                    &(((char *) Curr)[Cache->LinkOffset])));
+        if (Object == Curr) {
+            ACPI_ERROR ((AE_INFO, "freeing a free object %p\n", Object));
+            Curr = *(volatile char **)NULL; /* induce crash */
+        }
+    }
+    (void) AcpiUtReleaseMutex (ACPI_MTX_CACHES);
+
     /* If cache is full, just free this object */

     if (Cache->CurrentDepth >= Cache->MaxDepth)
@@ -312,6 +328,11 @@ AcpiOsAcquireObject (

         Cache->CurrentDepth--;

+        if (*(const char *) Object != 0xCA) {
+            ACPI_ERROR ((AE_INFO, "detected use after free %p\n", Object));
+            Object = *(volatile char **)NULL; /* induce crash */
+        }
+
         ACPI_MEM_TRACKING (Cache->Hits++);
         ACPI_DEBUG_PRINT ((ACPI_DB_EXEC,
             "Object %p from %s cache\n", Object, Cache->ListName));

-- 
Andriy Gapon

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50ADFFB2.1000108>