acpi: Avoid freeing a device twice

The current implementation of acpi_dp_write() frees the node after it has written it. If the structure contains a ACPI_DP_TYPE_CHILD then a recursive call to acpi_dp_write() frees the child and then frees it again when returning from the call. This results in a double free. Split the implementation into two steps, one that ones and one that frees. This is easier to understand and fixes the bug. Note: This likely has no effect in coreboot since it doesn't seem to have a proper free() implementation. But it might gain one one day. BUG=none Signed-off-by: Simon Glass <sjg@chromium.org> Change-Id: Ife3917af10bc35a3c3eee38d8292f927ef15409d Reviewed-on: https://review.coreboot.org/c/coreboot/+/42892 Reviewed-by: Patrick Georgi <pgeorgi@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2020-06-29 16:18:37 -06:00 · 2020-06-29 16:18:37 -06:00 · 8bfa51e4c4
parent 84b9653b38
commit 8bfa51e4c4
1 changed files with 7 additions and 2 deletions
--- a/src/acpi/device.c
+++ b/src/acpi/device.c
@ -770,7 +770,7 @@ static bool acpi_dp_write_properties(struct acpi_dp *prop, const char *uuid)
 	return false;
 }

-void acpi_dp_write(struct acpi_dp *table)
+static void acpi_dp_write_(struct acpi_dp *table)
 {
 	struct acpi_dp *dp, *prop;
 	char *dp_count;
@ -826,7 +826,12 @@ void acpi_dp_write(struct acpi_dp *table)
 	/* Recursively parse children into separate tables */
 	for (dp = prop; dp; dp = dp->next)
 		if (dp->type == ACPI_DP_TYPE_CHILD)
-			acpi_dp_write(dp->child);
+			acpi_dp_write_(dp->child);
+}
+
+void acpi_dp_write(struct acpi_dp *table)
+{
+	acpi_dp_write_(table);

 	/* Clean up */
 	acpi_dp_free(table);