ACPI panic
Stefan Farfeleder
stefanf at FreeBSD.org
Thu Nov 29 08:46:37 UTC 2012
On Mon, Nov 26, 2012 at 01:13:46PM +0200, Andriy Gapon wrote:
>
> Also, I've just realized that the check is racy...
> Could you please move the whole check block (between and excluding
> AcpiUtAcquireMutex and AcpiUtReleaseMutex) down right below the following lines:
>
> Status = AcpiUtAcquireMutex (ACPI_MTX_CACHES);
> if (ACPI_FAILURE (Status))
> {
> return (Status);
> }
Sorry for the delay. I'm now running the patch below. I still got the
cycle panic, this time with a 4-object cycle. It looks like an object
gets released twice, but I don't understand why the "freeing a free
object" check fails to trigger.
Stefan
Index: components/utilities/utcache.c
===================================================================
--- components/utilities/utcache.c (revision 243234)
+++ components/utilities/utcache.c (working copy)
@@ -244,6 +244,28 @@
return (Status);
}
+ char *Curr;
+ char *Next;
+ int Depth;
+ Depth = Cache->CurrentDepth;
+ Next = Cache->ListHead;
+ while (Next)
+ {
+ Curr = Next;
+ Next = *(ACPI_CAST_INDIRECT_PTR (char,
+ &(((char *) Curr)[Cache->LinkOffset])));
+ if (*(const unsigned char *) Curr != 0xCA) {
+ panic("detected use after free %p\n", Curr);
+ }
+ if (Object == Curr) {
+ panic("freeing a free object %p", Object);
+ }
+ Depth--;
+ if (Depth < 0) {
+ panic("cycle in a cache list");
+ }
+ }
+
/* Mark the object as cached */
ACPI_MEMSET (Object, 0xCA, Cache->ObjectSize);
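Review bot: the new locals `char *Curr; char *Next; int Depth;` are declared after the `return (Status); }` block, i.e. after statements, and the `if (...) {` lines put the opening brace on the same line; the surrounding code (see the quoted `if (ACPI_FAILURE (Status))` followed by `{` on its own line) is C89-style with locals at the top of the function and braces on their own lines, so please hoist the declarations to the top of AcpiOsReleaseObject and match that brace style. Two smaller points on the walk itself: the poison test looks only at byte 0 of each cached object, so it depends on Cache->LinkOffset being nonzero (with the link at offset 0 every walk would trip it) and misses a stale write anywhere else in the object; and the three panic strings are inconsistent (only "detected use after free %p\n" has a trailing newline) and none names the cache, so something like `panic("%s cache: freeing a free object %p", Cache->ListName, Object)` would make the report more useful.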
@@ -312,6 +334,10 @@
Cache->CurrentDepth--;
+ if (*(const unsigned char *) Object != 0xCA) {
+ panic("detected use after free %p\n", Object);
+ }
+
ACPI_MEM_TRACKING (Cache->Hits++);
ACPI_DEBUG_PRINT ((ACPI_DB_EXEC,
"Object %p from %s cache\n", Object, Cache->ListName));
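Review bot: the check `if (*(const unsigned char *) Object != 0xCA)` inspects only byte 0 of the object just unlinked from the list, so a stale write to any other byte (anything outside the link pointer at Cache->LinkOffset) goes undetected even though ACPI_MEMSET filled the whole object with 0xCA on release; compare every byte except the sizeof(void *) at Cache->LinkOffset instead, since the object is still intact at this point and only becomes the caller's after this function returns. Also consider including Cache->ListName (already available, see the ACPI_DEBUG_PRINT right below) in the panic message so the report says which cache the object came from, and make the trailing "\n" consistent with the other panic strings in the patch.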
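To illustrate the debugging technique in the patch above, here is an added, self-contained C example; it is mine, not Stefan's patch and not ACPICA code. It models a hypothetical free-list cache loosely on ACPICA's local object cache (the Cache struct, CacheRelease, CacheAcquire, POISON, and the constructed 32-byte objects with the link pointer at offset 8 are all assumptions), poisons freed objects with 0xCA, walks the free list bounded by the recorded depth, and checks every byte of a cached object except the link field. It reports double free, corruption and cycles as return codes instead of panicking so the scenarios can be checked; scenario 2 also shows why an unchecked second free of an object that is not at the list head turns the list into a cycle, the kind of symptom reported in the message.

```c
#include <stddef.h>
#include <string.h>
#define POISON 0xCA   /* same fill byte as the patch's ACPI_MEMSET */

/* Hypothetical cache modelled loosely on ACPICA's local object cache: freed
 * objects sit on a singly linked free list whose link pointer is stored inside
 * the object at LinkOffset; CurrentDepth is how many objects the list holds. */
typedef struct { void *ListHead; size_t ObjectSize, LinkOffset, CurrentDepth; } Cache;

enum CacheStatus { CACHE_OK, CACHE_ERR_DOUBLE_FREE, CACHE_ERR_POISON, CACHE_ERR_CYCLE };

typedef union { unsigned char bytes[32]; void *align; } Obj;  /* constructed 32-byte objects, link at offset 8 kept aligned */

#define LINK_OF(c, obj) ((void **)((char *)(obj) + (c)->LinkOffset))

/* True if every byte except the link pointer still carries the poison. */
static int IsPoisoned(const Cache *c, const void *obj)
{
    const unsigned char *p = obj;
    for (size_t i = 0; i < c->ObjectSize; i++)
        if (p[i] != POISON &&
            (i < c->LinkOffset || i >= c->LinkOffset + sizeof(void *)))
            return 0;                           /* modified outside the link */
    return 1;
}

/* Walk the free list, bounded by CurrentDepth, looking for Object already on
 * it, a cached object that has been written to, or a cycle. */
static enum CacheStatus CheckFreeList(const Cache *c, const void *Object)
{
    long depth = (long)c->CurrentDepth;
    for (void *curr = c->ListHead; curr; curr = *LINK_OF(c, curr)) {
        if (curr == Object)       return CACHE_ERR_DOUBLE_FREE;
        if (!IsPoisoned(c, curr)) return CACHE_ERR_POISON;
        if (--depth < 0)          return CACHE_ERR_CYCLE;
    }
    return CACHE_OK;
}

/* Unchecked push: what a release path without the list walk does. */
static void RawRelease(Cache *c, void *Object)
{
    memset(Object, POISON, c->ObjectSize);
    *LINK_OF(c, Object) = c->ListHead;
    c->ListHead = Object;
    c->CurrentDepth++;
}

enum CacheStatus CacheRelease(Cache *c, void *Object)
{
    enum CacheStatus s = CheckFreeList(c, Object);
    if (s == CACHE_OK) RawRelease(c, Object);
    return s;
}

/* Pop the head; report if it was modified while on the free list. */
enum CacheStatus CacheAcquire(Cache *c, void **out)
{
    void *obj = *out = c->ListHead;
    if (obj == NULL) return CACHE_OK;           /* empty: caller allocates */
    c->ListHead = *LINK_OF(c, obj);
    c->CurrentDepth--;
    if (!IsPoisoned(c, obj)) return CACHE_ERR_POISON;
    memset(obj, 0, c->ObjectSize);
    return CACHE_OK;
}

/* Scenario 1: a checked double free of an object still on the list. */
int DemoCheckedDoubleFree(void)
{
    Cache c = { NULL, sizeof(Obj), 8, 0 };
    Obj o[2];
    CacheRelease(&c, o[0].bytes);
    CacheRelease(&c, o[1].bytes);
    return CacheRelease(&c, o[0].bytes);       /* CACHE_ERR_DOUBLE_FREE */
}

/* Scenario 2: an unchecked second free of B (third from the head) relinks B to
 * the old head: the list becomes B -> D -> C -> B -> ..., a 3-object cycle, and
 * A is orphaned. The next checked release walks past CurrentDepth and reports it. */
int DemoDoubleFreeBecomesCycle(void)
{
    Cache c = { NULL, sizeof(Obj), 8, 0 };
    Obj o[5];
    for (int i = 0; i < 4; i++)
        RawRelease(&c, o[i].bytes);            /* list: D -> C -> B -> A */
    RawRelease(&c, o[1].bytes);                /* B freed again */
    return CacheRelease(&c, o[4].bytes);       /* CACHE_ERR_CYCLE */
}

/* Scenario 3: a stale write through a dangling pointer after release. */
int DemoUseAfterFree(void)
{
    Cache c = { NULL, sizeof(Obj), 8, 0 };
    Obj o;
    void *out;
    CacheRelease(&c, o.bytes);
    o.bytes[20] = 0x42;                        /* writes into a cached object */
    return CacheAcquire(&c, &out);             /* CACHE_ERR_POISON */
}
```

The walk costs one pass over the free list per release, which is acceptable for a debug build but not something to leave in production; the depth bound is what turns an otherwise infinite loop over a cyclic list into a report. Note that scenario 2 loses object A from the list entirely, so a leaked object alongside a cycle is another sign of the same double free.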