Date:      Mon, 26 Nov 2012 13:15:37 +0200
From:      Andriy Gapon <avg@FreeBSD.org>
To:        Stefan Farfeleder <stefanf@FreeBSD.org>
Cc:        freebsd-acpi@FreeBSD.org
Subject:   Re: ACPI panic
Message-ID:  <50B34F59.2030006@FreeBSD.org>
In-Reply-To: <20121126111045.GE1469@mole.fafoe.narf.at>
References:  <50ADFFB2.1000108@FreeBSD.org> <50AE057D.8060808@FreeBSD.org> <20121125140008.GA1497@mole.fafoe.narf.at> <50B244A1.1040800@FreeBSD.org> <20121126091101.GA1469@mole.fafoe.narf.at> <50B33693.2060000@FreeBSD.org> <20121126093704.GB1469@mole.fafoe.narf.at> <50B34484.1090807@FreeBSD.org> <20121126104737.GC1469@mole.fafoe.narf.at> <50B34D2A.7060604@FreeBSD.org> <20121126111045.GE1469@mole.fafoe.narf.at>

on 26/11/2012 13:10 Stefan Farfeleder said the following:
> On Mon, Nov 26, 2012 at 01:06:18PM +0200, Andriy Gapon wrote:
>> on 26/11/2012 12:47 Stefan Farfeleder said the following:
>>> BTW, I noticed the ACPI_SET_DESCRIPTOR_TYPE code is pointless, because the
>>> DescriptorType is at offset 8 from the object start and gets immediately
>>> overwritten by the next pointer. However I don't think it's a problem.
>>
>> Thank you.
>> To make things more obvious could you please also examine the objects like this:
>> x/9a <addr>
>> ?
> 
> (kgdb) x/9a 0xfffffe0006117600
> 0xfffffe0006117600:     0xcacacacacacacaca      0xfffffe0006117680
> 0xfffffe0006117610:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0006117620:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0006117630:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0006117640:     0xcacacacacacacaca
> (kgdb) x/9a 0xfffffe0006117680
> 0xfffffe0006117680:     0xcacacacacacacaca      0xfffffe0002a60080
> 0xfffffe0006117690:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe00061176a0:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe00061176b0:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe00061176c0:     0xcacacacacacacaca
> (kgdb) x/9a 0xfffffe0002a60080
> 0xfffffe0002a60080:     0xcacacacacacacaca      0xfffffe0006117680
> 0xfffffe0002a60090:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0002a600a0:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0002a600b0:     0xcacacacacacacaca      0xcacacacacacacaca
> 0xfffffe0002a600c0:     0xcacacacacacacaca

So this looks like a use-after-free is unlikely.
It's probably a double-free that was missed in the race which I've just realized.

-- 
Andriy Gapon
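In the three dumps above every word still carries the fill pattern except the one at offset 8, and those links chain 0x...117600 -> 0x...117680 -> 0x...a60080 -> 0x...117680, so one item is reachable twice, which is what a double free leaves on a free list. The following script is an added example, not code from this thread or from FreeBSD: it parses kgdb `x/9a` output of that shape, checks that each object still looks freed, and walks the links to find the first repeated address. It assumes, as the discussion above suggests, that the 0xca pattern marks freed memory and that the word at offset 8 is the free-list link.

```python
import re

# Constructed sample in the shape of the kgdb "x/9a" dumps quoted above: word 0 is the
# object start, word 1 (byte offset 8) is the link that overwrote DescriptorType.
KGDB_DUMP = """\
(kgdb) x/9a 0xfffffe0006117600
0xfffffe0006117600:     0xcacacacacacacaca      0xfffffe0006117680
0xfffffe0006117610:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe0006117620:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe0006117630:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe0006117640:     0xcacacacacacacaca
(kgdb) x/9a 0xfffffe0006117680
0xfffffe0006117680:     0xcacacacacacacaca      0xfffffe0002a60080
0xfffffe0006117690:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe00061176a0:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe00061176b0:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe00061176c0:     0xcacacacacacacaca
(kgdb) x/9a 0xfffffe0002a60080
0xfffffe0002a60080:     0xcacacacacacacaca      0xfffffe0006117680
0xfffffe0002a60090:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe0002a600a0:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe0002a600b0:     0xcacacacacacacaca      0xcacacacacacacaca
0xfffffe0002a600c0:     0xcacacacacacacaca
"""
POISON = 0xcacacacacacacaca  # fill pattern seen on the objects (assumed to mark freed memory)
LINK_WORD = 8 // 8           # the "next" link sits at byte offset 8, i.e. word index 1

def parse_dump(text):
    """Map each dumped object address to its list of 8-byte words."""
    objects, cur = {}, None
    for line in text.splitlines():
        if line.startswith("(kgdb) x/"):
            cur = int(line.split()[-1], 16)
            objects[cur] = []
        elif cur is not None and re.match(r"0x[0-9a-f]+:", line):
            objects[cur] += [int(w, 16) for w in line.split()[1:]]
    return objects

def looks_freed(words):
    """True when every word except the link slot still holds the fill pattern."""
    return all(w == POISON for i, w in enumerate(words) if i != LINK_WORD)

def walk_free_list(objects, start):
    """Follow the offset-8 link from start; return (chain, first address reached
    twice or None). A repeat means one item is linked twice: a double free."""
    chain, addr = [], start
    while addr in objects and addr not in chain:
        chain.append(addr)
        addr = objects[addr][LINK_WORD]
    return chain, (addr if addr in chain else None)
```

Feed it a transcript of several `x/9a` dumps; a chain that simply leaves the dumped set returns `None`, while a repeated address points at the item that was freed twice.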
