From owner-freebsd-acpi@FreeBSD.ORG  Mon Nov 26 09:11:26 2012
Return-Path: <owner-freebsd-acpi@FreeBSD.ORG>
Delivered-To: freebsd-acpi@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 55E761C3;
 Mon, 26 Nov 2012 09:11:26 +0000 (UTC)
 (envelope-from stefan@fafoe.narf.at)
Received: from fep13.mx.upcmail.net (fep13.mx.upcmail.net [62.179.121.33])
 by mx1.freebsd.org (Postfix) with ESMTP id 68A658FC0C;
 Mon, 26 Nov 2012 09:11:23 +0000 (UTC)
Received: from edge01.upcmail.net ([192.168.13.236]) by viefep13-int.chello.at
 (InterMail vM.8.01.05.05 201-2260-151-110-20120111) with ESMTP
 id <20121126091116.YAZH3518.viefep13-int.chello.at@edge01.upcmail.net>;
 Mon, 26 Nov 2012 10:11:16 +0100
Received: from mole.fafoe.narf.at ([80.109.55.137])
 by edge01.upcmail.net with edge
 id U9BB1k0022xdvHc019BEcd; Mon, 26 Nov 2012 10:11:16 +0100
X-SourceIP: 80.109.55.137
Received: by mole.fafoe.narf.at (Postfix, from userid 1001)
 id D5BAC6D449; Mon, 26 Nov 2012 10:11:10 +0100 (CET)
Date: Mon, 26 Nov 2012 10:11:10 +0100
From: Stefan Farfeleder <stefanf@FreeBSD.org>
To: Andriy Gapon <avg@FreeBSD.org>
Subject: Re: ACPI panic
Message-ID: <20121126091101.GA1469@mole.fafoe.narf.at>
References: <20121120103522.GB2012@mole.fafoe.narf.at>
 <50AC0A68.8070906@FreeBSD.org>
 <20121121104840.GA1468@mole.fafoe.narf.at>
 <20121122081831.GA1483@mole.fafoe.narf.at>
 <50ADFD75.10709@FreeBSD.org> <50ADFFB2.1000108@FreeBSD.org>
 <50AE057D.8060808@FreeBSD.org>
 <20121125140008.GA1497@mole.fafoe.narf.at>
 <50B244A1.1040800@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <50B244A1.1040800@FreeBSD.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-acpi@FreeBSD.org
X-BeenThere: freebsd-acpi@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: ACPI and power management development <freebsd-acpi.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-acpi>,
 <mailto:freebsd-acpi-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-acpi>
List-Post: <mailto:freebsd-acpi@freebsd.org>
List-Help: <mailto:freebsd-acpi-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-acpi>,
 <mailto:freebsd-acpi-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Nov 2012 09:11:26 -0000

On Sun, Nov 25, 2012 at 06:17:37PM +0200, Andriy Gapon wrote:
> @@ -238,6 +240,10 @@ AcpiOsReleaseObject (
>          if (Object == Curr) {
>              panic("freeing a free object %p", Object);
>          }
> +        Depth--;
> +        if (Depth < 0) {
> +            panic("cycle in a cache list");
> +        }
>      }
>      (void) AcpiUtReleaseMutex (ACPI_MTX_CACHES);

I can easily trigger this panic. At the time of the panic, the cache
list has ~30 entries and somewhere in the middle there's a 2-item cycle
A -> B -> A. I don't think release is called twice on A as your patch
checks that and the cycle is not at the beginning of the loop. So this
means "someone" changes the next pointer while the object is in the
cache.

Stefan