Date: Sun, 5 Jan 2003 22:31:28 -0800 (PST) From: Peter Wemm <peter@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 23251 for review Message-ID: <200301060631.h066VS9S097637@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=23251 Change 23251 by peter@peter_itanic2 on 2003/01/05 22:30:57 Try and fix some highly bogus code that gets broken on the RX2600 when there are multiple SSDT's. This shows up as a null pointer derefs or freeing the listhead structures. The reason this is hosed is that it assumes that if the list is empty, it must be the head. If it isn't empty, then it must be a malloc managed object. But, it frees the head first which isn't empty at the time, and isn't a malloc object. BOOM! Take advantage of the circular list and keep freeing ListHead->Next, which will eventually free the list head last, because ListHead->Next == ListHead when there is nothing else left. There's an anti-foot-shooting relic there too though. Count should always be zero at this point. pluto1 can now reboot, with mpt_shutdown #if 0'ed. Affected files ... .. //depot/projects/ia64/sys/contrib/dev/acpica/actables.h#5 edit .. //depot/projects/ia64/sys/contrib/dev/acpica/tbinstal.c#8 edit Differences ... ==== //depot/projects/ia64/sys/contrib/dev/acpica/actables.h#5 (text+ko) ==== @@ -254,7 +254,7 @@ AcpiTbDeleteSingleTable ( ACPI_TABLE_DESC *TableDesc); -ACPI_TABLE_DESC * +void AcpiTbUninstallTable ( ACPI_TABLE_DESC *TableDesc); ==== //depot/projects/ia64/sys/contrib/dev/acpica/tbinstal.c#8 (text+ko) ==== @@ -537,25 +537,23 @@ ACPI_TABLE_DESC *ListHead) { ACPI_TABLE_DESC *TableDesc; - UINT32 Count; - UINT32 i; ACPI_FUNCTION_TRACE_PTR ("TbFreeAcpiTablesOfType", ListHead); - /* Get the head of the list */ - - TableDesc = ListHead; - Count = ListHead->Count; - /* * Walk the entire list, deleting both the allocated tables * and the table descriptors */ - for (i = 0; i < Count; i++) + while ((ListHead->Next) != (ListHead->Prev)) + { + TableDesc = ListHead->Next; + AcpiTbUninstallTable (TableDesc); + } + if (ListHead->Count > 0) { - TableDesc = AcpiTbUninstallTable (TableDesc); + AcpiTbUninstallTable (ListHead); } return_VOID; @@ -625,11 +623,10 @@ * ******************************************************************************/ -ACPI_TABLE_DESC * +void AcpiTbUninstallTable ( ACPI_TABLE_DESC *TableDesc) { - ACPI_TABLE_DESC *NextDesc; ACPI_FUNCTION_TRACE_PTR ("AcpiTbUninstallTable", TableDesc); @@ -637,7 +634,7 @@ if (!TableDesc) { - return_PTR (NULL); + return_VOID; } /* Unlink the descriptor */ @@ -660,7 +657,6 @@ if ((TableDesc->Prev) == (TableDesc->Next)) { - NextDesc = NULL; /* Clear the list head */ @@ -672,11 +668,10 @@ { /* Free the table descriptor */ - NextDesc = TableDesc->Next; ACPI_MEM_FREE (TableDesc); } - return_PTR (NextDesc); + return_VOID; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301060631.h066VS9S097637>