1 // SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0
2 /*******************************************************************************
3  *
4  * Module Name: utdelete - object deletion and reference count utilities
5  *
6  ******************************************************************************/
7 
8 #include <acpi/acpi.h>
9 #include "accommon.h"
10 #include "acinterp.h"
11 #include "acnamesp.h"
12 #include "acevents.h"
13 
14 #define _COMPONENT          ACPI_UTILITIES
15 ACPI_MODULE_NAME("utdelete")
16 
17 /* Local prototypes */
18 static void acpi_ut_delete_internal_obj(union acpi_operand_object *object);
19 
20 static void
21 acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action);
22 
23 /*******************************************************************************
24  *
25  * FUNCTION:    acpi_ut_delete_internal_obj
26  *
27  * PARAMETERS:  object         - Object to be deleted
28  *
29  * RETURN:      None
30  *
31  * DESCRIPTION: Low level object deletion, after reference counts have been
32  *              updated (All reference counts, including sub-objects!)
33  *
34  ******************************************************************************/
35 
acpi_ut_delete_internal_obj(union acpi_operand_object * object)36 static void acpi_ut_delete_internal_obj(union acpi_operand_object *object)
37 {
38 	void *obj_pointer = NULL;
39 	union acpi_operand_object *handler_desc;
40 	union acpi_operand_object *second_desc;
41 	union acpi_operand_object *next_desc;
42 	union acpi_operand_object *start_desc;
43 	union acpi_operand_object **last_obj_ptr;
44 
45 	ACPI_FUNCTION_TRACE_PTR(ut_delete_internal_obj, object);
46 
47 	if (!object) {
48 		return_VOID;
49 	}
50 
51 	/*
52 	 * Must delete or free any pointers within the object that are not
53 	 * actual ACPI objects (for example, a raw buffer pointer).
54 	 */
55 	switch (object->common.type) {
56 	case ACPI_TYPE_STRING:
57 
58 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
59 				  "**** String %p, ptr %p\n", object,
60 				  object->string.pointer));
61 
62 		/* Free the actual string buffer */
63 
64 		if (!(object->common.flags & AOPOBJ_STATIC_POINTER)) {
65 
66 			/* But only if it is NOT a pointer into an ACPI table */
67 
68 			obj_pointer = object->string.pointer;
69 		}
70 		break;
71 
72 	case ACPI_TYPE_BUFFER:
73 
74 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
75 				  "**** Buffer %p, ptr %p\n", object,
76 				  object->buffer.pointer));
77 
78 		/* Free the actual buffer */
79 
80 		if (!(object->common.flags & AOPOBJ_STATIC_POINTER)) {
81 
82 			/* But only if it is NOT a pointer into an ACPI table */
83 
84 			obj_pointer = object->buffer.pointer;
85 		}
86 		break;
87 
88 	case ACPI_TYPE_PACKAGE:
89 
90 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
91 				  " **** Package of count %X\n",
92 				  object->package.count));
93 
94 		/*
95 		 * Elements of the package are not handled here, they are deleted
96 		 * separately
97 		 */
98 
99 		/* Free the (variable length) element pointer array */
100 
101 		obj_pointer = object->package.elements;
102 		break;
103 
104 		/*
105 		 * These objects have a possible list of notify handlers.
106 		 * Device object also may have a GPE block.
107 		 */
108 	case ACPI_TYPE_DEVICE:
109 
110 		if (object->device.gpe_block) {
111 			(void)acpi_ev_delete_gpe_block(object->device.
112 						       gpe_block);
113 		}
114 
115 		ACPI_FALLTHROUGH;
116 
117 	case ACPI_TYPE_PROCESSOR:
118 	case ACPI_TYPE_THERMAL:
119 
120 		/* Walk the address handler list for this object */
121 
122 		handler_desc = object->common_notify.handler;
123 		while (handler_desc) {
124 			next_desc = handler_desc->address_space.next;
125 			acpi_ut_remove_reference(handler_desc);
126 			handler_desc = next_desc;
127 		}
128 		break;
129 
130 	case ACPI_TYPE_MUTEX:
131 
132 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
133 				  "***** Mutex %p, OS Mutex %p\n",
134 				  object, object->mutex.os_mutex));
135 
136 		if (object == acpi_gbl_global_lock_mutex) {
137 
138 			/* Global Lock has extra semaphore */
139 
140 			(void)
141 			    acpi_os_delete_semaphore
142 			    (acpi_gbl_global_lock_semaphore);
143 			acpi_gbl_global_lock_semaphore = NULL;
144 
145 			acpi_os_delete_mutex(object->mutex.os_mutex);
146 			acpi_gbl_global_lock_mutex = NULL;
147 		} else {
148 			acpi_ex_unlink_mutex(object);
149 			acpi_os_delete_mutex(object->mutex.os_mutex);
150 		}
151 		break;
152 
153 	case ACPI_TYPE_EVENT:
154 
155 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
156 				  "***** Event %p, OS Semaphore %p\n",
157 				  object, object->event.os_semaphore));
158 
159 		(void)acpi_os_delete_semaphore(object->event.os_semaphore);
160 		object->event.os_semaphore = NULL;
161 		break;
162 
163 	case ACPI_TYPE_METHOD:
164 
165 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
166 				  "***** Method %p\n", object));
167 
168 		/* Delete the method mutex if it exists */
169 
170 		if (object->method.mutex) {
171 			acpi_os_delete_mutex(object->method.mutex->mutex.
172 					     os_mutex);
173 			acpi_ut_delete_object_desc(object->method.mutex);
174 			object->method.mutex = NULL;
175 		}
176 
177 		if (object->method.node) {
178 			object->method.node = NULL;
179 		}
180 		break;
181 
182 	case ACPI_TYPE_REGION:
183 
184 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
185 				  "***** Region %p\n", object));
186 
187 		/*
188 		 * Update address_range list. However, only permanent regions
189 		 * are installed in this list. (Not created within a method)
190 		 */
191 		if (!(object->region.node->flags & ANOBJ_TEMPORARY)) {
192 			acpi_ut_remove_address_range(object->region.space_id,
193 						     object->region.node);
194 		}
195 
196 		second_desc = acpi_ns_get_secondary_object(object);
197 		if (second_desc) {
198 			/*
199 			 * Free the region_context if and only if the handler is one of the
200 			 * default handlers -- and therefore, we created the context object
201 			 * locally, it was not created by an external caller.
202 			 */
203 			handler_desc = object->region.handler;
204 			if (handler_desc) {
205 				next_desc =
206 				    handler_desc->address_space.region_list;
207 				start_desc = next_desc;
208 				last_obj_ptr =
209 				    &handler_desc->address_space.region_list;
210 
211 				/* Remove the region object from the handler list */
212 
213 				while (next_desc) {
214 					if (next_desc == object) {
215 						*last_obj_ptr =
216 						    next_desc->region.next;
217 						break;
218 					}
219 
220 					/* Walk the linked list of handlers */
221 
222 					last_obj_ptr = &next_desc->region.next;
223 					next_desc = next_desc->region.next;
224 
225 					/* Prevent infinite loop if list is corrupted */
226 
227 					if (next_desc == start_desc) {
228 						ACPI_ERROR((AE_INFO,
229 							    "Circular region list in address handler object %p",
230 							    handler_desc));
231 						return_VOID;
232 					}
233 				}
234 
235 				if (handler_desc->address_space.handler_flags &
236 				    ACPI_ADDR_HANDLER_DEFAULT_INSTALLED) {
237 
238 					/* Deactivate region and free region context */
239 
240 					if (handler_desc->address_space.setup) {
241 						(void)handler_desc->
242 						    address_space.setup(object,
243 									ACPI_REGION_DEACTIVATE,
244 									handler_desc->
245 									address_space.
246 									context,
247 									&second_desc->
248 									extra.
249 									region_context);
250 					}
251 				}
252 
253 				acpi_ut_remove_reference(handler_desc);
254 			}
255 
256 			/* Now we can free the Extra object */
257 
258 			acpi_ut_delete_object_desc(second_desc);
259 		}
260 		if (object->field.internal_pcc_buffer) {
261 			ACPI_FREE(object->field.internal_pcc_buffer);
262 		}
263 
264 		break;
265 
266 	case ACPI_TYPE_BUFFER_FIELD:
267 
268 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
269 				  "***** Buffer Field %p\n", object));
270 
271 		second_desc = acpi_ns_get_secondary_object(object);
272 		if (second_desc) {
273 			acpi_ut_delete_object_desc(second_desc);
274 		}
275 		break;
276 
277 	case ACPI_TYPE_LOCAL_BANK_FIELD:
278 
279 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
280 				  "***** Bank Field %p\n", object));
281 
282 		second_desc = acpi_ns_get_secondary_object(object);
283 		if (second_desc) {
284 			acpi_ut_delete_object_desc(second_desc);
285 		}
286 		break;
287 
288 	case ACPI_TYPE_LOCAL_ADDRESS_HANDLER:
289 
290 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
291 				  "***** Address handler %p\n", object));
292 
293 		acpi_os_delete_mutex(object->address_space.context_mutex);
294 		break;
295 
296 	default:
297 
298 		break;
299 	}
300 
301 	/* Free any allocated memory (pointer within the object) found above */
302 
303 	if (obj_pointer) {
304 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
305 				  "Deleting Object Subptr %p\n", obj_pointer));
306 		ACPI_FREE(obj_pointer);
307 	}
308 
309 	/* Now the object can be safely deleted */
310 
311 	ACPI_DEBUG_PRINT_RAW((ACPI_DB_ALLOCATIONS,
312 			      "%s: Deleting Object %p [%s]\n",
313 			      ACPI_GET_FUNCTION_NAME, object,
314 			      acpi_ut_get_object_type_name(object)));
315 
316 	acpi_ut_delete_object_desc(object);
317 	return_VOID;
318 }
319 
320 /*******************************************************************************
321  *
322  * FUNCTION:    acpi_ut_delete_internal_object_list
323  *
324  * PARAMETERS:  obj_list        - Pointer to the list to be deleted
325  *
326  * RETURN:      None
327  *
328  * DESCRIPTION: This function deletes an internal object list, including both
329  *              simple objects and package objects
330  *
331  ******************************************************************************/
332 
acpi_ut_delete_internal_object_list(union acpi_operand_object ** obj_list)333 void acpi_ut_delete_internal_object_list(union acpi_operand_object **obj_list)
334 {
335 	union acpi_operand_object **internal_obj;
336 
337 	ACPI_FUNCTION_ENTRY();
338 
339 	/* Walk the null-terminated internal list */
340 
341 	for (internal_obj = obj_list; *internal_obj; internal_obj++) {
342 		acpi_ut_remove_reference(*internal_obj);
343 	}
344 
345 	/* Free the combined parameter pointer list and object array */
346 
347 	ACPI_FREE(obj_list);
348 	return;
349 }
350 
351 /*******************************************************************************
352  *
353  * FUNCTION:    acpi_ut_update_ref_count
354  *
355  * PARAMETERS:  object          - Object whose ref count is to be updated
356  *              action          - What to do (REF_INCREMENT or REF_DECREMENT)
357  *
358  * RETURN:      None. Sets new reference count within the object
359  *
360  * DESCRIPTION: Modify the reference count for an internal acpi object
361  *
362  ******************************************************************************/
363 
364 static void
acpi_ut_update_ref_count(union acpi_operand_object * object,u32 action)365 acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action)
366 {
367 	u16 original_count;
368 	u16 new_count = 0;
369 	acpi_cpu_flags lock_flags;
370 	char *message;
371 
372 	ACPI_FUNCTION_NAME(ut_update_ref_count);
373 
374 	if (!object) {
375 		return;
376 	}
377 
378 	/*
379 	 * Always get the reference count lock. Note: Interpreter and/or
380 	 * Namespace is not always locked when this function is called.
381 	 */
382 	lock_flags = acpi_os_acquire_lock(acpi_gbl_reference_count_lock);
383 	original_count = object->common.reference_count;
384 
385 	/* Perform the reference count action (increment, decrement) */
386 
387 	switch (action) {
388 	case REF_INCREMENT:
389 
390 		new_count = original_count + 1;
391 		object->common.reference_count = new_count;
392 		acpi_os_release_lock(acpi_gbl_reference_count_lock, lock_flags);
393 
394 		/* The current reference count should never be zero here */
395 
396 		if (!original_count) {
397 			ACPI_WARNING((AE_INFO,
398 				      "Obj %p, Reference Count was zero before increment\n",
399 				      object));
400 		}
401 
402 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
403 				  "Obj %p Type %.2X [%s] Refs %.2X [Incremented]\n",
404 				  object, object->common.type,
405 				  acpi_ut_get_object_type_name(object),
406 				  new_count));
407 		message = "Incremement";
408 		break;
409 
410 	case REF_DECREMENT:
411 
412 		/* The current reference count must be non-zero */
413 
414 		if (original_count) {
415 			new_count = original_count - 1;
416 			object->common.reference_count = new_count;
417 		}
418 
419 		acpi_os_release_lock(acpi_gbl_reference_count_lock, lock_flags);
420 
421 		if (!original_count) {
422 			ACPI_WARNING((AE_INFO,
423 				      "Obj %p, Reference Count is already zero, cannot decrement\n",
424 				      object));
425 			return;
426 		}
427 
428 		ACPI_DEBUG_PRINT_RAW((ACPI_DB_ALLOCATIONS,
429 				      "%s: Obj %p Type %.2X Refs %.2X [Decremented]\n",
430 				      ACPI_GET_FUNCTION_NAME, object,
431 				      object->common.type, new_count));
432 
433 		/* Actually delete the object on a reference count of zero */
434 
435 		if (new_count == 0) {
436 			acpi_ut_delete_internal_obj(object);
437 		}
438 		message = "Decrement";
439 		break;
440 
441 	default:
442 
443 		acpi_os_release_lock(acpi_gbl_reference_count_lock, lock_flags);
444 		ACPI_ERROR((AE_INFO, "Unknown Reference Count action (0x%X)",
445 			    action));
446 		return;
447 	}
448 
449 	/*
450 	 * Sanity check the reference count, for debug purposes only.
451 	 * (A deleted object will have a huge reference count)
452 	 */
453 	if (new_count > ACPI_MAX_REFERENCE_COUNT) {
454 		ACPI_WARNING((AE_INFO,
455 			      "Large Reference Count (0x%X) in object %p, Type=0x%.2X Operation=%s",
456 			      new_count, object, object->common.type, message));
457 	}
458 }
459 
460 /*******************************************************************************
461  *
462  * FUNCTION:    acpi_ut_update_object_reference
463  *
464  * PARAMETERS:  object              - Increment or decrement the ref count for
465  *                                    this object and all sub-objects
466  *              action              - Either REF_INCREMENT or REF_DECREMENT
467  *
468  * RETURN:      Status
469  *
470  * DESCRIPTION: Increment or decrement the object reference count
471  *
472  * Object references are incremented when:
473  * 1) An object is attached to a Node (namespace object)
474  * 2) An object is copied (all subobjects must be incremented)
475  *
476  * Object references are decremented when:
477  * 1) An object is detached from an Node
478  *
479  ******************************************************************************/
480 
481 acpi_status
acpi_ut_update_object_reference(union acpi_operand_object * object,u16 action)482 acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action)
483 {
484 	acpi_status status = AE_OK;
485 	union acpi_generic_state *state_list = NULL;
486 	union acpi_operand_object *next_object = NULL;
487 	union acpi_operand_object *prev_object;
488 	union acpi_generic_state *state;
489 	u32 i;
490 
491 	ACPI_FUNCTION_NAME(ut_update_object_reference);
492 
493 	while (object) {
494 
495 		/* Make sure that this isn't a namespace handle */
496 
497 		if (ACPI_GET_DESCRIPTOR_TYPE(object) == ACPI_DESC_TYPE_NAMED) {
498 			ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
499 					  "Object %p is NS handle\n", object));
500 			return (AE_OK);
501 		}
502 
503 		/*
504 		 * All sub-objects must have their reference count updated
505 		 * also. Different object types have different subobjects.
506 		 */
507 		switch (object->common.type) {
508 		case ACPI_TYPE_DEVICE:
509 		case ACPI_TYPE_PROCESSOR:
510 		case ACPI_TYPE_POWER:
511 		case ACPI_TYPE_THERMAL:
512 			/*
513 			 * Update the notify objects for these types (if present)
514 			 * Two lists, system and device notify handlers.
515 			 */
516 			for (i = 0; i < ACPI_NUM_NOTIFY_TYPES; i++) {
517 				prev_object =
518 				    object->common_notify.notify_list[i];
519 				while (prev_object) {
520 					next_object =
521 					    prev_object->notify.next[i];
522 					acpi_ut_update_ref_count(prev_object,
523 								 action);
524 					prev_object = next_object;
525 				}
526 			}
527 			break;
528 
529 		case ACPI_TYPE_PACKAGE:
530 			/*
531 			 * We must update all the sub-objects of the package,
532 			 * each of whom may have their own sub-objects.
533 			 */
534 			for (i = 0; i < object->package.count; i++) {
535 				/*
536 				 * Null package elements are legal and can be simply
537 				 * ignored.
538 				 */
539 				next_object = object->package.elements[i];
540 				if (!next_object) {
541 					continue;
542 				}
543 
544 				switch (next_object->common.type) {
545 				case ACPI_TYPE_INTEGER:
546 				case ACPI_TYPE_STRING:
547 				case ACPI_TYPE_BUFFER:
548 					/*
549 					 * For these very simple sub-objects, we can just
550 					 * update the reference count here and continue.
551 					 * Greatly increases performance of this operation.
552 					 */
553 					acpi_ut_update_ref_count(next_object,
554 								 action);
555 					break;
556 
557 				default:
558 					/*
559 					 * For complex sub-objects, push them onto the stack
560 					 * for later processing (this eliminates recursion.)
561 					 */
562 					status =
563 					    acpi_ut_create_update_state_and_push
564 					    (next_object, action, &state_list);
565 					if (ACPI_FAILURE(status)) {
566 						goto error_exit;
567 					}
568 					break;
569 				}
570 			}
571 
572 			next_object = NULL;
573 			break;
574 
575 		case ACPI_TYPE_BUFFER_FIELD:
576 
577 			next_object = object->buffer_field.buffer_obj;
578 			break;
579 
580 		case ACPI_TYPE_LOCAL_BANK_FIELD:
581 
582 			next_object = object->bank_field.bank_obj;
583 			status =
584 			    acpi_ut_create_update_state_and_push(object->
585 								 bank_field.
586 								 region_obj,
587 								 action,
588 								 &state_list);
589 			if (ACPI_FAILURE(status)) {
590 				goto error_exit;
591 			}
592 			break;
593 
594 		case ACPI_TYPE_LOCAL_INDEX_FIELD:
595 
596 			next_object = object->index_field.index_obj;
597 			status =
598 			    acpi_ut_create_update_state_and_push(object->
599 								 index_field.
600 								 data_obj,
601 								 action,
602 								 &state_list);
603 			if (ACPI_FAILURE(status)) {
604 				goto error_exit;
605 			}
606 			break;
607 
608 		case ACPI_TYPE_LOCAL_REFERENCE:
609 			/*
610 			 * The target of an Index (a package, string, or buffer) or a named
611 			 * reference must track changes to the ref count of the index or
612 			 * target object.
613 			 */
614 			if ((object->reference.class == ACPI_REFCLASS_INDEX) ||
615 			    (object->reference.class == ACPI_REFCLASS_NAME)) {
616 				next_object = object->reference.object;
617 			}
618 			break;
619 
620 		case ACPI_TYPE_LOCAL_REGION_FIELD:
621 		case ACPI_TYPE_REGION:
622 		default:
623 
624 			break;	/* No subobjects for all other types */
625 		}
626 
627 		/*
628 		 * Now we can update the count in the main object. This can only
629 		 * happen after we update the sub-objects in case this causes the
630 		 * main object to be deleted.
631 		 */
632 		acpi_ut_update_ref_count(object, action);
633 		object = NULL;
634 
635 		/* Move on to the next object to be updated */
636 
637 		if (next_object) {
638 			object = next_object;
639 			next_object = NULL;
640 		} else if (state_list) {
641 			state = acpi_ut_pop_generic_state(&state_list);
642 			object = state->update.object;
643 			acpi_ut_delete_generic_state(state);
644 		}
645 	}
646 
647 	return (AE_OK);
648 
649 error_exit:
650 
651 	ACPI_EXCEPTION((AE_INFO, status,
652 			"Could not update object reference count"));
653 
654 	/* Free any stacked Update State objects */
655 
656 	while (state_list) {
657 		state = acpi_ut_pop_generic_state(&state_list);
658 		acpi_ut_delete_generic_state(state);
659 	}
660 
661 	return (status);
662 }
663 
664 /*******************************************************************************
665  *
666  * FUNCTION:    acpi_ut_add_reference
667  *
668  * PARAMETERS:  object          - Object whose reference count is to be
669  *                                incremented
670  *
671  * RETURN:      None
672  *
673  * DESCRIPTION: Add one reference to an ACPI object
674  *
675  ******************************************************************************/
676 
acpi_ut_add_reference(union acpi_operand_object * object)677 void acpi_ut_add_reference(union acpi_operand_object *object)
678 {
679 
680 	ACPI_FUNCTION_NAME(ut_add_reference);
681 
682 	/* Ensure that we have a valid object */
683 
684 	if (!acpi_ut_valid_internal_object(object)) {
685 		return;
686 	}
687 
688 	ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
689 			  "Obj %p Current Refs=%X [To Be Incremented]\n",
690 			  object, object->common.reference_count));
691 
692 	/* Increment the reference count */
693 
694 	(void)acpi_ut_update_object_reference(object, REF_INCREMENT);
695 	return;
696 }
697 
698 /*******************************************************************************
699  *
700  * FUNCTION:    acpi_ut_remove_reference
701  *
702  * PARAMETERS:  object         - Object whose ref count will be decremented
703  *
704  * RETURN:      None
705  *
706  * DESCRIPTION: Decrement the reference count of an ACPI internal object
707  *
708  ******************************************************************************/
709 
acpi_ut_remove_reference(union acpi_operand_object * object)710 void acpi_ut_remove_reference(union acpi_operand_object *object)
711 {
712 
713 	ACPI_FUNCTION_NAME(ut_remove_reference);
714 
715 	/*
716 	 * Allow a NULL pointer to be passed in, just ignore it. This saves
717 	 * each caller from having to check. Also, ignore NS nodes.
718 	 */
719 	if (!object ||
720 	    (ACPI_GET_DESCRIPTOR_TYPE(object) == ACPI_DESC_TYPE_NAMED)) {
721 		return;
722 	}
723 
724 	/* Ensure that we have a valid object */
725 
726 	if (!acpi_ut_valid_internal_object(object)) {
727 		return;
728 	}
729 
730 	ACPI_DEBUG_PRINT_RAW((ACPI_DB_ALLOCATIONS,
731 			      "%s: Obj %p Current Refs=%X [To Be Decremented]\n",
732 			      ACPI_GET_FUNCTION_NAME, object,
733 			      object->common.reference_count));
734 
735 	/*
736 	 * Decrement the reference count, and only actually delete the object
737 	 * if the reference count becomes 0. (Must also decrement the ref count
738 	 * of all subobjects!)
739 	 */
740 	(void)acpi_ut_update_object_reference(object, REF_DECREMENT);
741 	return;
742 }
743