[issue568] ACPI(?) double-free on shutdown (More K9AGM fun)
Matthew Dillon
dillon at apollo.backplane.com
Thu Mar 8 09:22:53 PST 2007
Oops, here is a new patch. I forgot the 'k' in the 'kprintf' in the
last one.
-Matt
Index: dev/acpica5/Osd/OsdCache.c
===================================================================
RCS file: /cvs/src/sys/dev/acpica5/Osd/OsdCache.c,v
retrieving revision 1.2
diff -u -r1.2 OsdCache.c
--- dev/acpica5/Osd/OsdCache.c 19 Jan 2007 23:58:53 -0000 1.2
+++ dev/acpica5/Osd/OsdCache.c 8 Mar 2007 16:49:31 -0000
@@ -39,6 +39,20 @@
struct objcache_malloc_args args;
};
+/*
+ * Add some magic numbers to catch double-frees earlier rather
+ * then later.
+ */
+struct acpiobjhead {
+ int state;
+ int unused;
+};
+
+#define TRACK_ALLOCATED 0x7AF45533
+#define TRACK_FREED 0x7B056644
+
+#define OBJHEADSIZE sizeof(struct acpiobjhead)
+
#include "acpi.h"
#ifndef ACPI_USE_LOCAL_CACHE
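Review bot: The new block comment says `earlier rather then later`; it should read `earlier rather than later`. The header is two ints, so the pointer handed back by `head + 1` in AcpiOsAcquireObject sits 8 bytes into the allocation, which keeps 8-byte alignment but discards any stricter alignment the underlying allocator may have provided; that assumption deserves a comment on the struct, e.g. `/* sizeof must stay a multiple of the strictest alignment any ACPI object requires */`. `OBJHEADSIZE` is a bare sizeof expression, so the unparenthesised macro is safe as written, though a `static const size_t` or enum would make it debugger-visible.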
@@ -50,7 +64,7 @@
ACPI_CACHE_T *cache;
cache = kmalloc(sizeof(*cache), M_TEMP, M_WAITOK);
- cache->args.objsize = ObjectSize;
+ cache->args.objsize = OBJHEADSIZE + ObjectSize;
cache->args.mtype = M_CACHE;
cache->cache = objcache_create(CacheName, 0, 0, NULL, NULL,
NULL, objcache_malloc_alloc, objcache_malloc_free, &cache->args);
@@ -79,17 +93,30 @@
void *
AcpiOsAcquireObject(ACPI_CACHE_T *Cache)
{
+ struct acpiobjhead *head;
void *Object;
- Object = objcache_get(Cache->cache, M_WAITOK);
- bzero(Object, Cache->args.objsize);
- return Object;
+ head = objcache_get(Cache->cache, M_WAITOK);
+ bzero(head, Cache->args.objsize);
+ head->state = TRACK_ALLOCATED;
+ return (head + 1);
}
ACPI_STATUS
AcpiOsReleaseObject(ACPI_CACHE_T *Cache, void *Object)
{
- objcache_put(Cache->cache, Object);
+ struct acpiobjhead *head = (void *)((char *)Object - OBJHEADSIZE);
+
+ if (head->state != TRACK_ALLOCATED) {
+ if (head->state == TRACK_FREED)
+ kprintf("AcpiOsReleaseObject: Double Free %p (%08x)\n", Object, head->state);
+ else
+ kprintf("AcpiOsReleaseObject: Bad object %p (%08x)\n", Object, head->state);
+ return AE_OK;
+ }
+ head->state = TRACK_FREED;
+
+ objcache_put(Cache->cache, head);
return AE_OK;
}
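Review bot: AcpiOsReleaseObject now dereferences `(char *)Object - OBJHEADSIZE` unconditionally, so a NULL Object faults on `head->state` before any diagnostic is printed, whereas the old code merely passed the pointer through to objcache_put(); a guard at the top, `if (Object == NULL) return AE_BAD_PARAMETER;`, mirrors the parameter check in ACPICA's reference AcpiOsReleaseObject and keeps the new detection code from turning a bad call into a panic (whether ACPICA ever passes NULL here I cannot tell from the hunk). The two kprintf calls pass an `int` to `%08x`; `(unsigned)head->state` matches the conversion. The early `return AE_OK` after a detected double-free or foreign pointer intentionally leaks the object instead of handing a suspect block back to the cache, which is the safe choice but should be stated, e.g. `/* do not return a suspect object to the cache; leaking it is safer */`.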