From: Andriy Gapon
Date: Thu, 22 Nov 2012 12:59:09 +0200
To: Stefan Farfeleder
Cc: freebsd-acpi@FreeBSD.org
Subject: Re: ACPI panic
Message-ID: <50AE057D.8060808@FreeBSD.org>
In-Reply-To: <50ADFFB2.1000108@FreeBSD.org>

A patch that should actually compile, finally.
BTW, it's probably better to replace the NULL dereference trick with a simple panic call in the first patch too.

diff --git a/sys/contrib/dev/acpica/components/utilities/utcache.c b/sys/contrib/dev/acpica/components/utilities/utcache.c index b8efa68..edd9e4f 100644 --- a/sys/contrib/dev/acpica/components/utilities/utcache.c +++ b/sys/contrib/dev/acpica/components/utilities/utcache.c @@ -226,6 +226,21 @@ AcpiOsReleaseObject ( return (AE_BAD_PARAMETER); } + (void) AcpiUtAcquireMutex (ACPI_MTX_CACHES); + char *Curr; + char *Next; + Next = Cache->ListHead; + while (Next) + { + Curr = Next; + Next = *(ACPI_CAST_INDIRECT_PTR (char, + &(((char *) Curr)[Cache->LinkOffset]))); + if (Object == Curr) { + panic("freeing a free object %p", Object); + } + } + (void) AcpiUtReleaseMutex (ACPI_MTX_CACHES); + /* If cache is full, just free this object */ if (Cache->CurrentDepth >= Cache->MaxDepth) @@ -312,6 +327,10 @@ AcpiOsAcquireObject ( Cache->CurrentDepth--; + if (*(const unsigned char *) Object != 0xCA) { + panic("detected use after free %p\n", Object); + } + ACPI_MEM_TRACKING (Cache->Hits++); ACPI_DEBUG_PRINT ((ACPI_DB_EXEC, "Object %p from %s cache\n", Object, Cache->ListName)); -- Andriy Gapon
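
Review bot: In the AcpiOsReleaseObject hunk, the status of AcpiUtAcquireMutex (ACPI_MTX_CACHES) is thrown away with a (void) cast, so if the acquire fails the walk from Cache->ListHead runs unlocked and the AcpiUtReleaseMutex that follows is unbalanced. Check the returned status and skip the walk (or return it) on failure. Two smaller points in the same hunk: "char *Curr; char *Next;" are declared after a statement, which the surrounding function does not otherwise do, so move them to the top of the function; and the "(char *) Curr" cast inside the ACPI_CAST_INDIRECT_PTR expression is redundant because Curr is already a char *. The walk is linear in the number of cached objects on every release, so it deserves a comment saying it is a debugging aid, or a debug-only conditional around it.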
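
Review bot: In the AcpiOsAcquireObject hunk, the test "if (*(const unsigned char *) Object != 0xCA)" looks at the first byte of the object only, so a write into a cached object that lands at any other offset goes undetected. Compare more of the object against the fill pattern, skipping the pointer-sized link that the other hunk reads at Cache->LinkOffset; the one-byte check also silently relies on that link not overlapping byte 0, which should be stated in a comment. The 0xCA literal has no visible definition here, so a named constant shared with the code that writes the pattern would keep the two from drifting apart. The panic string ends in "\n" while the panic added in AcpiOsReleaseObject does not; drop the newline for consistency.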