From owner-freebsd-acpi@FreeBSD.ORG Thu Nov 22 10:34:30 2012
Return-Path:
Delivered-To: freebsd-acpi@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 32858CF6; Thu, 22 Nov 2012 10:34:30 +0000 (UTC) (envelope-from avg@FreeBSD.org)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id 459458FC0C; Thu, 22 Nov 2012 10:34:28 +0000 (UTC)
Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua [212.40.38.100]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id MAA21618; Thu, 22 Nov 2012 12:34:27 +0200 (EET) (envelope-from avg@FreeBSD.org)
Received: from localhost ([127.0.0.1]) by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD)) id 1TbU71-000GoL-BE; Thu, 22 Nov 2012 12:34:27 +0200
Message-ID: <50ADFFB2.1000108@FreeBSD.org>
Date: Thu, 22 Nov 2012 12:34:26 +0200
From: Andriy Gapon
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:16.0) Gecko/20121030 Thunderbird/16.0.2
MIME-Version: 1.0
To: Stefan Farfeleder
Subject: Re: ACPI panic
References: <20121120103522.GB2012@mole.fafoe.narf.at> <50AC0A68.8070906@FreeBSD.org> <20121121104840.GA1468@mole.fafoe.narf.at> <20121122081831.GA1483@mole.fafoe.narf.at> <50ADFD75.10709@FreeBSD.org>
In-Reply-To: <50ADFD75.10709@FreeBSD.org>
X-Enigmail-Version: 1.4.5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-acpi@FreeBSD.org
X-BeenThere: freebsd-acpi@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: ACPI and power management development
X-List-Received-Date: Thu, 22 Nov 2012 10:34:30 -0000

on 22/11/2012 12:24 Andriy Gapon said the following:
> on 22/11/2012 10:18 Stefan Farfeleder said the following:
>> I'm afraid the AcpiOsAcquireObject panic is not directly related to
>> reference counting. I had the very same panic today with your patch.
>
> OK, let's try to attack it from a different angle.
> Please try this patch:
[snip]

Or better this one:

diff --git a/sys/contrib/dev/acpica/components/utilities/utcache.c b/sys/contrib/dev/acpica/components/utilities/utcache.c
index b8efa68..09b77b2 100644
--- a/sys/contrib/dev/acpica/components/utilities/utcache.c
+++ b/sys/contrib/dev/acpica/components/utilities/utcache.c
@@ -226,6 +226,22 @@ AcpiOsReleaseObject ( return (AE_BAD_PARAMETER); } + (void) AcpiUtAcquireMutex (ACPI_MTX_CACHES); + char *Curr; + char *Next; + Next = Cache->ListHead; + while (Next) + { + Curr = Next; + Next = *(ACPI_CAST_INDIRECT_PTR (char, + &(((char *) Curr)[Cache->LinkOffset]))); + if (Object == Curr) { + ACPI_ERROR ((AE_INFO, "freeing a free object %p\n", Object)); + Curr = *(volatile char **)NULL; /* induce crash */ + } + } + (void) AcpiUtReleaseMutex (ACPI_MTX_CACHES); + /* If cache is full, just free this object */ if (Cache->CurrentDepth >= Cache->MaxDepth) @@ -312,6 +328,11 @@ AcpiOsAcquireObject ( Cache->CurrentDepth--; + if (*(const char *) Object != 0xCA) { + ACPI_ERROR ((AE_INFO, "detected use after free %p\n", Object)); + Object = *(volatile char **)NULL; /* induce crash */ + } + ACPI_MEM_TRACKING (Cache->Hits++); ACPI_DEBUG_PRINT ((ACPI_DB_EXEC, "Object %p from %s cache\n", Object, Cache->ListName)); -- Andriy Gapon
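Review bot: the double-free check added to AcpiOsReleaseObject only catches an object that is currently sitting on the cache's free list; when `Cache->CurrentDepth >= Cache->MaxDepth` the object takes the "If cache is full, just free this object" path right below the new block and goes back to the allocator, so a second release of such an object walks the list, finds nothing and falls through silently. That is acceptable for a debugging patch, but worth a comment so nobody reads a clean run as proof of no double-free. Two smaller points in the same hunk: `char *Curr;` and `char *Next;` are declared after the `(void) AcpiUtAcquireMutex (ACPI_MTX_CACHES);` statement, which the C89-style ACPICA sources avoid (move them to the top of the block), and the list walk is O(depth) on every release, so the patch should not be left in once the culprit is found.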
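Review bot: the poison check `if (*(const char *) Object != 0xCA)` in the AcpiOsAcquireObject hunk is always true where `char` is signed, as it is on the x86 FreeBSD targets this thread is about: the poisoned byte is read as -54, promoted to int, and compared with the int constant 202, so the comparison never holds and the `Object = *(volatile char **)NULL;` line would crash on the very first acquire from a non-empty cache rather than on a real use-after-free. Read the byte through `unsigned char` (`*(const unsigned char *) Object != 0xCA`) or compare against `(char) 0xCA`. The hunk also assumes that every object placed on the free list has its first byte set to 0xCA; nothing in this patch writes that pattern, so the comment should say where the poisoning comes from, and a single leading byte is a weak canary: checking the whole object except the link pointer at `Cache->LinkOffset` (the field the first hunk dereferences) would catch writes to other fields as well.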