Simon Glass has uploaded this change for review.

acpi: Avoid freeing a device twice

The current implementation of acpi_dp_write() frees the node after it has
written it.

If the structure contains an ACPI_DP_TYPE_CHILD then a recursive call to
acpi_dp_write() frees the child and then frees it again when returning
from the call. This results in a double free.

Split the implementation into two steps, one that writes and one that frees.
This is easier to understand and fixes the bug.

Note: This likely has no effect in coreboot since it doesn't seem to have
a proper free() implementation. But it might gain one one day.

BUG=none

Signed-off-by: Simon Glass <sjg@chromium.org>
Change-Id: Ife3917af10bc35a3c3eee38d8292f927ef15409d
---
M src/acpi/device.c
1 file changed, 6 insertions(+), 1 deletion(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/42892/1
diff --git a/src/acpi/device.c b/src/acpi/device.c
index 9ce86eb..49e1d46 100644
--- a/src/acpi/device.c
+++ b/src/acpi/device.c
@@ -770,7 +770,7 @@
return false;
}

-void acpi_dp_write(struct acpi_dp *table)
+static void acpi_dp_write_(struct acpi_dp *table)
{
struct acpi_dp *dp, *prop;
char *dp_count;
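Review bot: The new static helper acpi_dp_write_() differs from the public function only by a trailing underscore and has no comment saying that it leaves the table allocated. A descriptive name (for example one that says "no free" or "tree") plus a short comment above the definition, stating that the caller is responsible for calling acpi_dp_free(), would make the ownership rule visible to the next reader and make it harder to call the wrong variant by accident.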
@@ -827,6 +827,11 @@
for (dp = prop; dp; dp = dp->next)
if (dp->type == ACPI_DP_TYPE_CHILD)
acpi_dp_write(dp->child);
+}
+
+void acpi_dp_write(struct acpi_dp *table)
+{
+ acpi_dp_write_(table);

/* Clean up */
acpi_dp_free(table);
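Review bot: The recursion in the unchanged context line just above the new closing brace still reads "acpi_dp_write(dp->child);", which is the public wrapper that ends in acpi_dp_free(table). That means each child is still freed inside the recursive call, and then again when the parent reaches its own acpi_dp_free(table), which is the double free the commit message describes. The diffstat shows only the signature line changed in the body, so the recursive call needs to become "acpi_dp_write_(dp->child);" for the write and free steps to actually be separated. It would also be worth confirming in review that acpi_dp_free() walks ACPI_DP_TYPE_CHILD nodes, since after that change it becomes the only place children are released.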

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ife3917af10bc35a3c3eee38d8292f927ef15409d
Gerrit-Change-Number: 42892
Gerrit-PatchSet: 1
Gerrit-Owner: Simon Glass <sjg@chromium.org>
Gerrit-MessageType: newchange