From owner-acpi-jp@jp.FreeBSD.org Fri May  2 06:42:05 2003
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id h41Lg5503277;
	Fri, 2 May 2003 06:42:05 +0900 (JST)
	(envelope-from owner-acpi-jp@jp.FreeBSD.org)
Received: from ns1.xcllnt.net (209-128-86-226.BAYAREA.NET [209.128.86.226])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id h41Lg4Y03270
	for <acpi-jp@jp.FreeBSD.org>; Fri, 2 May 2003 06:42:04 +0900 (JST)
	(envelope-from marcel@xcllnt.net)
Received: from athlon.pn.xcllnt.net (athlon.pn.xcllnt.net [192.168.4.3])
	by ns1.xcllnt.net (8.12.9/8.12.9) with ESMTP id h41Lfswk065405
	for <acpi-jp@jp.FreeBSD.org>; Thu, 1 May 2003 14:41:54 -0700 (PDT)
	(envelope-from marcel@piii.pn.xcllnt.net)
Received: from athlon.pn.xcllnt.net (localhost [127.0.0.1])
	by athlon.pn.xcllnt.net (8.12.9/8.12.9) with ESMTP id h41Lfrg1044883
	for <acpi-jp@jp.FreeBSD.org>; Thu, 1 May 2003 14:41:53 -0700 (PDT)
	(envelope-from marcel@athlon.pn.xcllnt.net)
Received: (from marcel@localhost)
	by athlon.pn.xcllnt.net (8.12.9/8.12.9/Submit) id h41LfrI1044864
	for acpi-jp@jp.FreeBSD.org; Thu, 1 May 2003 14:41:53 -0700 (PDT)
From: Marcel Moolenaar <marcel@xcllnt.net>
To: acpi-jp@jp.FreeBSD.org
Message-ID: <20030501214152.GA16132@athlon.pn.xcllnt.net>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="7AUc2qLy4jB3hD7Z"
Content-Disposition: inline
User-Agent: Mutt/1.5.3i
Reply-To: acpi-jp@jp.FreeBSD.org
Precedence: list
Date: Thu, 1 May 2003 14:41:52 -0700
X-Sequence: acpi-jp 2154
Subject: [acpi-jp 2154] [patch] panic uninstalling multiple tables
Sender: owner-acpi-jp@jp.FreeBSD.org
X-Originator: marcel@xcllnt.net
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+030405


--7AUc2qLy4jB3hD7Z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Gang,

The HP rx2600 machines (ia64) have multiple SSDT tables. These
tables get nicely linked together. The first table descriptor
is static, the following table descriptors are allocated. When
shutting down the machine, these tables (and descriptors) will
get uninstalled. This however contains a bug: the ListHead is
removed first and since (head->next != head->prev) when more
than one instance of a table exists, it is not identified as
the list head and thus is being deallocated.

A tested patch is attached first. A minimal (untested) patch
is attached second. I like the second for it's simplicity.
Both patches try to fix the same problem: deallocation (freeing)
memory that was not previously allocated.

Note that with 5.1 around the corner it would be nice to have this
resolved soon, or otherwise determined what the best fix would be.
We can hopefully import a snapshot (in May) that contains a fix
for this or fix it locally in a way that doesn't conflict with
future upgrades.

Thanks,

PS: I'm not subscribed to the list. Please keep me CC'd.

-- 
 Marcel Moolenaar	  USPA: A-39004		 marcel@xcllnt.net

--7AUc2qLy4jB3hD7Z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="acpi1.diff"

Index: sys/contrib/dev/acpica/actables.h
===========================================================================
--- sys/contrib/dev/acpica/actables.h	2003/05/01 14:20:15	#7
+++ sys/contrib/dev/acpica/actables.h	2003/05/01 14:20:15
@@ -254,7 +254,7 @@
 AcpiTbDeleteSingleTable (
     ACPI_TABLE_DESC         *TableDesc);
 
-ACPI_TABLE_DESC *
+void
 AcpiTbUninstallTable (
     ACPI_TABLE_DESC         *TableDesc);
 
Index: sys/contrib/dev/acpica/tbinstal.c
===========================================================================
--- sys/contrib/dev/acpica/tbinstal.c	2003/05/01 14:20:15	#14
+++ sys/contrib/dev/acpica/tbinstal.c	2003/05/01 14:20:15
@@ -537,25 +537,23 @@
     ACPI_TABLE_DESC         *ListHead)
 {
     ACPI_TABLE_DESC         *TableDesc;
-    UINT32                  Count;
-    UINT32                  i;
 
 
     ACPI_FUNCTION_TRACE_PTR ("TbFreeAcpiTablesOfType", ListHead);
 
 
-    /* Get the head of the list */
-
-    TableDesc   = ListHead;
-    Count       = ListHead->Count;
-
     /*
      * Walk the entire list, deleting both the allocated tables
      * and the table descriptors
      */
-    for (i = 0; i < Count; i++)
+    while ((ListHead->Next) != (ListHead->Prev))
+    {
+        TableDesc   = ListHead->Next;
+        AcpiTbUninstallTable (TableDesc);
+    }
+    if (ListHead->Count > 0)
     {
-        TableDesc = AcpiTbUninstallTable (TableDesc);
+        AcpiTbUninstallTable (ListHead);
     }
 
     return_VOID;
@@ -625,11 +623,10 @@
  *
  ******************************************************************************/
 
-ACPI_TABLE_DESC *
+void
 AcpiTbUninstallTable (
     ACPI_TABLE_DESC         *TableDesc)
 {
-    ACPI_TABLE_DESC         *NextDesc;
 
 
     ACPI_FUNCTION_TRACE_PTR ("AcpiTbUninstallTable", TableDesc);
@@ -637,7 +634,7 @@
 
     if (!TableDesc)
     {
-        return_PTR (NULL);
+        return_VOID;
     }
 
     /* Unlink the descriptor */
@@ -660,7 +657,6 @@
 
     if ((TableDesc->Prev) == (TableDesc->Next))
     {
-        NextDesc = NULL;
 
         /* Clear the list head */
 
@@ -672,11 +668,10 @@
     {
         /* Free the table descriptor */
 
-        NextDesc = TableDesc->Next;
         ACPI_MEM_FREE (TableDesc);
     }
 
-    return_PTR (NextDesc);
+    return_VOID;
 }
 
 

--7AUc2qLy4jB3hD7Z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="acpi2.diff"

Index: sys/contrib/dev/acpica/tbinstal.c
===================================================================
RCS file: /home/ncvs/src/sys/contrib/dev/acpica/tbinstal.c,v
retrieving revision 1.1.1.19
diff -u -r1.1.1.19 tbinstal.c
--- sys/contrib/dev/acpica/tbinstal.c	29 Apr 2003 18:38:54 -0000	1.1.1.19
+++ sys/contrib/dev/acpica/tbinstal.c	1 May 2003 02:38:16 -0000
@@ -544,9 +544,9 @@
     ACPI_FUNCTION_TRACE_PTR ("TbFreeAcpiTablesOfType", ListHead);
 
 
-    /* Get the head of the list */
+    /* Don't delete the list head first. */
 
-    TableDesc   = ListHead;
+    TableDesc   = ListHead->Next;
     Count       = ListHead->Count;
 
     /*

--7AUc2qLy4jB3hD7Z--
