Here's the sequence of events as I see it:
Repair_HID is a standalone function that removes one reference on the incoming object. For
simple _HID objects, this in fact deletes the object.
For _CID, all elements of the package are examined. If a repair was made on a _HID within
the _CID function, one reference on the original object was removed by Repair_HID.
However, since the object is part of a package, it has an extra reference to reflect this
fact. Thus, in the case in question, the elements of the package all have at least two
references. Repair_HID removes one reference, thus the extra RemoveReference is needed in
Repair_CID to bring the reference count down to zero actually delete the object (in the
typical case where the object had two references).
From: João Paulo Rechi Vita [mailto:firstname.lastname@example.org]
Sent: Friday, February 03, 2017 12:57 PM
To: Moore, Robert; Zheng, Lv; Wysocki, Rafael J; Len Brown; Lin Ming
Cc: linux-acpi(a)vger.kernel.org; devel(a)acpica.org; linux-
kernel(a)vger.kernel.org; Daniel Drake; linux(a)endlessm.com; João Paulo Rechi
Subject: [PATCH] acpica: Fix double-free in acpi_ns_repair_CID()
When acpi_ns_repair_CID() is called for a _CID which returns a package of
strings, it calls acpi_ns_repair_HID() for each of the package elements.
acpi_ns_repair_HID() calls acpi_ut_remove_reference() on the original
object, but acpi_ns_repair_CID() calls it again on return, leading to a
This problem was seen on a Acer TravelMate P449-G2-MG.
Thanks to Daniel Drake for helping investigating this problem.
Signed-off-by: João Paulo Rechi Vita <jprvita(a)endlessm.com>
drivers/acpi/acpica/nsrepair2.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/acpi/acpica/nsrepair2.c
b/drivers/acpi/acpica/nsrepair2.c index d5336122486b..c429c8eca476 100644
@@ -411,8 +411,6 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,