Date:      Thu, 29 Nov 2012 09:46:27 +0100
From:      Stefan Farfeleder <stefanf@FreeBSD.org>
To:        Andriy Gapon <avg@FreeBSD.org>
Cc:        freebsd-acpi@FreeBSD.org
Subject:   Re: ACPI panic
Message-ID:  <20121129084627.GA1450@mole.fafoe.narf.at>
In-Reply-To: <50B34EEA.4000209@FreeBSD.org>
References:  <50ADFFB2.1000108@FreeBSD.org> <50AE057D.8060808@FreeBSD.org> <20121125140008.GA1497@mole.fafoe.narf.at> <50B244A1.1040800@FreeBSD.org> <20121126091101.GA1469@mole.fafoe.narf.at> <50B33693.2060000@FreeBSD.org> <20121126093704.GB1469@mole.fafoe.narf.at> <50B34484.1090807@FreeBSD.org> <20121126104737.GC1469@mole.fafoe.narf.at> <50B34EEA.4000209@FreeBSD.org>

On Mon, Nov 26, 2012 at 01:13:46PM +0200, Andriy Gapon wrote:
> 
> Also, I've just realized that the check is racy...
> Could you please move the whole check block (between and excluding
> AcpiUtAcquireMutex and AcpiUtReleaseMutex) down right below the following lines:
> 
>         Status = AcpiUtAcquireMutex (ACPI_MTX_CACHES);
>         if (ACPI_FAILURE (Status))
>         {
>             return (Status);
>         }

Sorry for the delay. I'm now running the patch below. I still got the
cycle panic, this time with a 4-object cycle. It looks like an object
gets released twice but I don't understand why the "freeing a free
object" check fails to trigger.

Stefan

Index: components/utilities/utcache.c
===================================================================
--- components/utilities/utcache.c	(revision 243234)
+++ components/utilities/utcache.c	(working copy)
@@ -244,6 +244,28 @@
             return (Status);
         }
 
+        char                    *Curr;
+        char                    *Next;
+        int                     Depth;
+        Depth = Cache->CurrentDepth;
+        Next = Cache->ListHead;
+        while (Next)
+        {
+            Curr = Next;
+            Next = *(ACPI_CAST_INDIRECT_PTR (char,
+                        &(((char *) Curr)[Cache->LinkOffset])));
+            if (*(const unsigned char *) Curr != 0xCA) {
+                panic("detected use after free %p\n", Curr);
+            }
+            if (Object == Curr) {
+                panic("freeing a free object %p", Object);
+            }
+            Depth--;
+            if (Depth < 0) {
+                panic("cycle in a cache list");
+            }
+        }
+
         /* Mark the object as cached */
 
         ACPI_MEMSET (Object, 0xCA, Cache->ObjectSize);
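Review bot: the "cycle in a cache list" panic at `if (Depth < 0)` fires whenever the walk visits more than `Cache->CurrentDepth` entries, so a list that is merely longer than the depth counter says (an accounting mismatch, not a real cycle) is reported as a cycle and the two causes cannot be told apart from the message. Consider printing `Cache->CurrentDepth` and the node count in the panic, or bounding the walk by a separate large constant so that a genuine loop and a miscounted depth produce different diagnostics. Two smaller points in the same hunk: the `Curr`/`Next`/`Depth` declarations sit after the `return (Status); }` block, which is a mixed declaration/statement that the surrounding ACPICA code avoids (move them to the top of the function), and the `if (...) {` brace placement and the trailing `\n` in the first `panic()` string differ from the neighbouring `if (ACPI_FAILURE (Status))` / `{` style and from the other two `panic()` calls.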
@@ -312,6 +334,10 @@
 
         Cache->CurrentDepth--;
 
+        if (*(const unsigned char *) Object != 0xCA) {
+            panic("detected use after free %p\n", Object);
+        }
+
         ACPI_MEM_TRACKING (Cache->Hits++);
         ACPI_DEBUG_PRINT ((ACPI_DB_EXEC,
             "Object %p from %s cache\n", Object, Cache->ListName));
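Review bot: the check `*(const unsigned char *) Object != 0xCA` inspects only the first byte of the object taken from the cache, so a stale write anywhere else in the object (other than the link field at `Cache->LinkOffset`) goes undetected; since the release path fills the whole object with `ACPI_MEMSET (Object, 0xCA, Cache->ObjectSize)`, consider comparing every byte except the link pointer against 0xCA here as well. The `\n` at the end of the `panic()` format string is also redundant, as in the release-path check.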