From 8bfa51e4c485ec85c872254a4cf724a40554370f Mon Sep 17 00:00:00 2001
From: Simon Glass
Date: Mon, 29 Jun 2020 16:18:37 -0600
Subject: acpi: Avoid freeing a device twice

The current implementation of acpi_dp_write() frees the node after it has
written it. If the structure contains an ACPI_DP_TYPE_CHILD then a recursive
call to acpi_dp_write() frees the child and then frees it again when returning
from the call. This results in a double free.

Split the implementation into two steps, one that writes and one that frees.
This is easier to understand and fixes the bug.

Note: This likely has no effect in coreboot since it doesn't seem to have
a proper free() implementation. But it might gain one one day.

BUG=none

Signed-off-by: Simon Glass
Change-Id: Ife3917af10bc35a3c3eee38d8292f927ef15409d
Reviewed-on: https://review.coreboot.org/c/coreboot/+/42892
Reviewed-by: Patrick Georgi
Tested-by: build bot (Jenkins)
---
 src/acpi/device.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/acpi/device.c b/src/acpi/device.c index 9ce86ebdbf..b119abd61f 100644 --- a/src/acpi/device.c +++ b/src/acpi/device.c @@ -770,7 +770,7 @@ static bool acpi_dp_write_properties(struct acpi_dp *prop, const char *uuid) return false; } -void acpi_dp_write(struct acpi_dp *table) +static void acpi_dp_write_(struct acpi_dp *table) { struct acpi_dp *dp, *prop; char *dp_count; @@ -826,7 +826,12 @@ void acpi_dp_write(struct acpi_dp *table) /* Recursively parse children into separate tables */ for (dp = prop; dp; dp = dp->next) if (dp->type == ACPI_DP_TYPE_CHILD) - acpi_dp_write(dp->child); + acpi_dp_write_(dp->child); +} + +void acpi_dp_write(struct acpi_dp *table) +{ + acpi_dp_write_(table); /* Clean up */ acpi_dp_free(table);
--
cgit v1.2.3
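Review bot: In the first hunk (@@ -770), the helper name `acpi_dp_write_` differs from the public `acpi_dp_write` by a single trailing underscore, and the recursive call in the loop over `ACPI_DP_TYPE_CHILD` entries must use the helper, not the wrapper. Dropping that one character in a later edit would still compile and would bring the double free back. A descriptive name for the static function, plus a one-line comment above it saying that it writes the table and its children and frees nothing, would make the split between writing and freeing harder to undo by accident.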
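Review bot: In the second hunk (@@ -826), the new `acpi_dp_write()` wrapper consumes its argument through `acpi_dp_free(table)`, but nothing at the function documents that ownership passes to it. Please add a comment stating that `table` is invalid after the call and must not be reused or freed by the caller, since a caller doing so would hit the same class of bug this change fixes. The fix also relies on `acpi_dp_free()` releasing the child tables that the recursive helper no longer frees; its body is not part of this diff, so it is worth confirming that it walks the `ACPI_DP_TYPE_CHILD` nodes exactly once, otherwise the double free becomes a leak.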