From owner-freebsd-acpi@FreeBSD.ORG Mon Nov 26 11:15:40 2012
Return-Path: 
Delivered-To: freebsd-acpi@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C7FCA256; Mon, 26 Nov 2012 11:15:40 +0000 (UTC) (envelope-from avg@FreeBSD.org)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id DEC0E8FC15; Mon, 26 Nov 2012 11:15:39 +0000 (UTC)
Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua [212.40.38.100]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id NAA29661; Mon, 26 Nov 2012 13:15:38 +0200 (EET) (envelope-from avg@FreeBSD.org)
Received: from localhost ([127.0.0.1]) by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD)) id 1Tcwf4-000Lls-7h; Mon, 26 Nov 2012 13:15:38 +0200
Message-ID: <50B34F59.2030006@FreeBSD.org>
Date: Mon, 26 Nov 2012 13:15:37 +0200
From: Andriy Gapon
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Stefan Farfeleder
Subject: Re: ACPI panic
References: <50ADFFB2.1000108@FreeBSD.org> <50AE057D.8060808@FreeBSD.org> <20121125140008.GA1497@mole.fafoe.narf.at> <50B244A1.1040800@FreeBSD.org> <20121126091101.GA1469@mole.fafoe.narf.at> <50B33693.2060000@FreeBSD.org> <20121126093704.GB1469@mole.fafoe.narf.at> <50B34484.1090807@FreeBSD.org> <20121126104737.GC1469@mole.fafoe.narf.at> <50B34D2A.7060604@FreeBSD.org> <20121126111045.GE1469@mole.fafoe.narf.at>
In-Reply-To: <20121126111045.GE1469@mole.fafoe.narf.at>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-acpi@FreeBSD.org
X-BeenThere: freebsd-acpi@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: ACPI and power management development
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Mon, 26 Nov 2012 11:15:40 -0000

on 26/11/2012 13:10 Stefan Farfeleder said the following:
> On Mon, Nov 26, 2012 at 01:06:18PM +0200, Andriy Gapon wrote:
>> on 26/11/2012 12:47 Stefan Farfeleder said the following:
>>> BTW, I noticed the ACPI_SET_DESCRIPTOR_TYPE code is pointless, because the
>>> DescriptorType is at offset 8 from the object start and gets immediately
>>> overwritten by the next pointer. However I don't think it's a problem.
>>
>> Thank you.
>> To make things more obvious could you please also examine the objects like this:
>> x/9a
>> ?
>
> (kgdb) x/9a 0xfffffe0006117600
> 0xfffffe0006117600:     0xcacacacacacacaca      0xfffffe0006117680
> 0xfffffe0006117610:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0006117620:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0006117630:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0006117640:     0xcacacacacacacaca
> (kgdb) x/9a 0xfffffe0006117680
> 0xfffffe0006117680:     0xcacacacacacacaca      0xfffffe0002a60080
> 0xfffffe0006117690:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe00061176a0:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe00061176b0:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe00061176c0:     0xcacacacacacacaca
> (kgdb) x/9a 0xfffffe0002a60080
> 0xfffffe0002a60080:     0xcacacacacacacaca      0xfffffe0006117680
> 0xfffffe0002a60090:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0002a600a0:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0002a600b0:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0002a600c0:     0xcacacacacacacaca

So this looks like use after free is unlikely.
It's probably a double-free that was missed in the race which I've just realized.

-- 
Andriy Gapon
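The loop that the x/9a dumps above reveal (0x...680 -> 0x...080 -> 0x...680) reproduced and detected in a constructed C model of an object-cache free list. This is an added example, not code from this thread, ACPICA or FreeBSD; the struct layout with the link at offset 8, the 0xca fill and the release order are assumptions chosen to match the dump.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an object-cache free list (not ACPICA or FreeBSD code).
 * As in the dumped objects, the link to the next free object lives at offset 8,
 * which is why a type byte written there (ACPI_SET_DESCRIPTOR_TYPE) is lost as
 * soon as the object is linked; 0xca is the fill pattern seen in the dump. */
struct cache_obj {
    uint64_t          word0;    /* offset 0 */
    struct cache_obj *next;     /* offset 8: free-list link */
    uint64_t          rest[7];  /* 9 words in all, as x/9a shows */
};
struct cache { struct cache_obj *head; };

/* Unchecked release: nothing stops the same object being linked twice. */
static void cache_release(struct cache *c, struct cache_obj *obj)
{
    memset(obj, 0xca, sizeof(*obj));
    obj->next = c->head;
    c->head = obj;
}

/* Post-mortem check, the automated form of following the x/9a links by hand:
 * Floyd's tortoise and hare; true means the list loops, i.e. some object is
 * on it twice.  A sound free list always ends in NULL. */
static bool freelist_has_cycle(const struct cache *c)
{
    const struct cache_obj *slow = c->head, *fast = c->head;
    while (fast != NULL && fast->next != NULL) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast)
            return true;
    }
    return false;
}

/* Release order that reproduces the dump's 600 -> 680 -> 080 -> 680 loop:
 * A, B, optionally A again (the double free), then D.  Reports a loop. */
static bool release_sequence_has_cycle(bool double_free)
{
    static struct cache_obj a, b, d;
    struct cache c = { NULL };
    cache_release(&c, &a);
    cache_release(&c, &b);
    if (double_free)
        cache_release(&c, &a);      /* a -> b -> a -> ... from here on */
    cache_release(&c, &d);
    return freelist_has_cycle(&c);
}
```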