From owner-freebsd-current@FreeBSD.ORG Sun May 11 10:38:15 2003 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D4A637B401 for ; Sun, 11 May 2003 10:38:15 -0700 (PDT) Received: from rootlabs.com (root.org [67.118.192.226]) by mx1.FreeBSD.org (Postfix) with SMTP id DD01643FEC for ; Sun, 11 May 2003 10:38:14 -0700 (PDT) (envelope-from nate@rootlabs.com) Received: (qmail 72331 invoked by uid 1000); 11 May 2003 17:38:15 -0000 Date: Sun, 11 May 2003 10:38:15 -0700 (PDT) From: Nate Lawson To: current@freebsd.org Message-ID: <20030511103649.Q72329@root.org> MIME-Version: 1.0 Content-Type: MULTIPART/Mixed; BOUNDARY="--Next_Part(Wed_May__7_11:23:31_2003_460)--" Content-ID: <20030511103649.Y72329@root.org> Subject: acpi panics - potential fix X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 May 2003 17:38:15 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. ----Next_Part(Wed_May__7_11:23:31_2003_460)-- Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-ID: <20030511103649.C72329@root.org> If you are having acpi panics, please try the attached patch. -Nate ---------- Forwarded message ---------- Date: Wed, 07 May 2003 11:23:31 +0900 From: Takayoshi Kochi Reply-To: acpi-jp@jp.FreeBSD.org To: acpi-jp@jp.FreeBSD.org Subject: [acpi-jp 2182] Re: Outstanding ACPI issues for 5.1-RELEASE (please ignore my last posting, sorry) Hello Nate and all, While tracking NetBSD PR/17872, Takashi Yamamoto found a bug in nsalloc.c. In AcpiNsDeleteNode(), it was possible to make parent-child loop. Robert Moore admitted this is a bug and will be fixed in the next release. And I found another problem about reference counting of ACPI_NAMESPACE_NODE objects. Under a certain condition (for my laptop, repeated evaluation of _BST method of battery) reference count goes up to wrap UINT16 and may cause unexpected object free. I reported this to Robert also, but I haven't got official fix. It seems to me that reference counting of ACPI_NAMESPACE_NODE is unnecessary but I'm not sure. I attached my fix (which also includes Yamamoto-san's fix), but please take this as an experimetntal patch. The acpi_thermal panic problem might be related to this one. For more info about the NetBSD PR/17872, plase refer to the url: http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=17872 From: Nate Lawson Subject: [acpi-jp 2177] Outstanding ACPI issues for 5.1-RELEASE Date: Tue, 6 May 2003 14:28:21 -0700 > Here is a list of the current problems. We would like to fix as many as > possible before the release. If anyone has time to tackle these issues, > please let me know. The reporters listed below should open a PR and send > me the number as I do not want to replicate GNATS in email. > > -------------------------------------------------------------- > Problem: acpi_thermal causes a panic > Reporter: ru@freebsd.org > Information: > This looks like referencing a freed or uninitialized data member. > > The below was produces with the latest 0228 ACPI diff in-tree, and acpi > device compiled directly into a kernel. Loading it as a module gave me > some lines offset in the source file, and the faulting address was > 0xdeadc0de. --- Takayoshi Kochi ----Next_Part(Wed_May__7_11:23:31_2003_460)-- Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: <20030511103649.F72329@root.org> Content-Description: Content-Disposition: INLINE; FILENAME="nsalloc.2.diff" --- nsalloc.c.orig 2003-03-05 02:33:38.000000000 +0900 +++ nsalloc.c 2003-04-25 20:11:13.000000000 +0900 @@ -210,7 +210,14 @@ } else { - ParentNode->Child = NextNode->Peer; + if (NextNode->Flags & ANOBJ_END_OF_PEER_LIST) + { + ParentNode->Child = NULL; + } + else + { + ParentNode->Child = NextNode->Peer; + } } @@ -517,6 +524,62 @@ /******************************************************************************* * + * FUNCTION: AcpiNsRemoveReference + * + * PARAMETERS: Node - Named node whose reference count is to be + * decremented + * + * RETURN: None. + * + * DESCRIPTION: Remove a Node reference. Decrements the reference count + * of all parent Nodes up to the root. Any node along + * the way that reaches zero references is freed. + * + ******************************************************************************/ + +static void +AcpiNsRemoveReference ( + ACPI_NAMESPACE_NODE *Node) +{ + ACPI_NAMESPACE_NODE *ParentNode; + ACPI_NAMESPACE_NODE *ThisNode; + + + ACPI_FUNCTION_ENTRY (); + + + /* + * Decrement the reference count(s) of this node and all + * nodes up to the root, Delete anything with zero remaining references. + */ + ThisNode = Node; + while (ThisNode) + { + /* Prepare to move up to parent */ + + ParentNode = AcpiNsGetParentNode (ThisNode); + + /* Decrement the reference count on this node */ + + ThisNode->ReferenceCount--; + + /* Delete the node if no more references */ + + if (!ThisNode->ReferenceCount) + { + /* Delete all children and delete the node */ + + AcpiNsDeleteChildren (ThisNode); + AcpiNsDeleteNode (ThisNode); + } + + ThisNode = ParentNode; + } +} + + +/******************************************************************************* + * * FUNCTION: AcpiNsDeleteNamespaceSubtree * * PARAMETERS: ParentNode - Root of the subtree to be deleted @@ -532,8 +595,9 @@ AcpiNsDeleteNamespaceSubtree ( ACPI_NAMESPACE_NODE *ParentNode) { - ACPI_NAMESPACE_NODE *ChildNode = NULL; - UINT32 Level = 1; + ACPI_NAMESPACE_NODE *ChildNode; + ACPI_NAMESPACE_NODE *DeletionNode; + UINT32 Level; ACPI_FUNCTION_TRACE ("NsDeleteNamespaceSubtree"); @@ -544,6 +608,10 @@ return_VOID; } + ChildNode = NULL; + DeletionNode = NULL; + Level = 1; + /* * Traverse the tree of objects until we bubble back up * to where we started. @@ -554,6 +622,12 @@ ChildNode = AcpiNsGetNextNode (ACPI_TYPE_ANY, ParentNode, ChildNode); + if (DeletionNode) + { + AcpiNsRemoveReference (DeletionNode); + DeletionNode = NULL; + } + if (ChildNode) { /* Found a child node - detach any attached object */ @@ -572,6 +646,10 @@ ParentNode = ChildNode; ChildNode = 0; } + else + { + DeletionNode = ChildNode; + } } else { @@ -585,7 +663,10 @@ * Now delete all of the children of this parent * all at the same time. */ - AcpiNsDeleteChildren (ParentNode); + if (Level != 0) + { + DeletionNode = ParentNode; + } /* New "last child" is this parent node */ @@ -603,62 +684,6 @@ /******************************************************************************* * - * FUNCTION: AcpiNsRemoveReference - * - * PARAMETERS: Node - Named node whose reference count is to be - * decremented - * - * RETURN: None. - * - * DESCRIPTION: Remove a Node reference. Decrements the reference count - * of all parent Nodes up to the root. Any node along - * the way that reaches zero references is freed. - * - ******************************************************************************/ - -static void -AcpiNsRemoveReference ( - ACPI_NAMESPACE_NODE *Node) -{ - ACPI_NAMESPACE_NODE *ParentNode; - ACPI_NAMESPACE_NODE *ThisNode; - - - ACPI_FUNCTION_ENTRY (); - - - /* - * Decrement the reference count(s) of this node and all - * nodes up to the root, Delete anything with zero remaining references. - */ - ThisNode = Node; - while (ThisNode) - { - /* Prepare to move up to parent */ - - ParentNode = AcpiNsGetParentNode (ThisNode); - - /* Decrement the reference count on this node */ - - ThisNode->ReferenceCount--; - - /* Delete the node if no more references */ - - if (!ThisNode->ReferenceCount) - { - /* Delete all children and delete the node */ - - AcpiNsDeleteChildren (ThisNode); - AcpiNsDeleteNode (ThisNode); - } - - ThisNode = ParentNode; - } -} - - -/******************************************************************************* - * * FUNCTION: AcpiNsDeleteNamespaceByOwner * * PARAMETERS: OwnerId - All nodes with this owner will be deleted ----Next_Part(Wed_May__7_11:23:31_2003_460)----