RE: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()

Fri, 03 Feb 2017 20:20:06 -0800 

Here's the sequence of events as I see it:

Repair_HID is a standalone function that removes one reference on the incoming 
object. For simple _HID objects, this in fact deletes the object.

For _CID, all elements of the package are examined. If a repair was made on a 
_HID within the _CID function, one reference on the original object was removed 
by Repair_HID. However, since the object is part of a package, it has an extra 
reference to reflect this fact. Thus, in the case in question, the elements of 
the package all have at least two references. Repair_HID removes one reference, 
thus the extra RemoveReference is needed in Repair_CID to bring the reference 
count down to zero actually delete the object (in the typical case where the 
object had two references).

Bob


> -----Original Message-----
> From: João Paulo Rechi Vita [mailto:jprv...@gmail.com]
> Sent: Friday, February 03, 2017 12:57 PM
> To: Moore, Robert; Zheng, Lv; Wysocki, Rafael J; Len Brown; Lin Ming
> Cc: linux-a...@vger.kernel.org; de...@acpica.org; linux-
> ker...@vger.kernel.org; Daniel Drake; li...@endlessm.com; João Paulo Rechi
> Vita
> Subject: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()
> 
> When acpi_ns_repair_CID() is called for a _CID which returns a package of
> strings, it calls acpi_ns_repair_HID() for each of the package elements.
> acpi_ns_repair_HID() calls acpi_ut_remove_reference() on the original
> object, but acpi_ns_repair_CID() calls it again on return, leading to a
> double free.
> 
> This problem was seen on a Acer TravelMate P449-G2-MG.
> 
> Thanks to Daniel Drake for helping investigating this problem.
> 
> Signed-off-by: João Paulo Rechi Vita <jprv...@endlessm.com>
> ---
>  drivers/acpi/acpica/nsrepair2.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/drivers/acpi/acpica/nsrepair2.c
> b/drivers/acpi/acpica/nsrepair2.c index d5336122486b..c429c8eca476 100644
> --- a/drivers/acpi/acpica/nsrepair2.c
> +++ b/drivers/acpi/acpica/nsrepair2.c
> @@ -411,8 +411,6 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,
> 
>                       (*element_ptr)->common.reference_count =
>                           original_ref_count;
> -
> -                     acpi_ut_remove_reference(original_element);
>               }
> 
>               element_ptr++;
> --
> 2.11.0

Reply via email to