When acpi_ns_repair_CID() is called for a _CID which returns a package of strings, it calls acpi_ns_repair_HID() for each of the package elements. acpi_ns_repair_HID() calls acpi_ut_remove_reference() on the original object, but acpi_ns_repair_CID() calls it again on return, leading to a double free. This problem was seen on a Acer TravelMate P449-G2-MG. Thanks to Daniel Drake for helping investigating this problem. Signed-off-by: João Paulo Rechi Vita <jprvita@xxxxxxxxxxxx> --- drivers/acpi/acpica/nsrepair2.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/acpi/acpica/nsrepair2.c b/drivers/acpi/acpica/nsrepair2.c index d5336122486b..c429c8eca476 100644 --- a/drivers/acpi/acpica/nsrepair2.c +++ b/drivers/acpi/acpica/nsrepair2.c @@ -411,8 +411,6 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info, (*element_ptr)->common.reference_count = original_ref_count; - - acpi_ut_remove_reference(original_element); } element_ptr++; -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe linux-acpi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
