1 // SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0
2 /*******************************************************************************
3  *
4  * Module Name: utdelete - object deletion and reference count utilities
5  *
6  ******************************************************************************/
7 
8 #include <acpi/acpi.h>
9 #include "accommon.h"
10 #include "acinterp.h"
11 #include "acnamesp.h"
12 #include "acevents.h"
13 
14 #define _COMPONENT          ACPI_UTILITIES
15 ACPI_MODULE_NAME("utdelete")
16 
17 /* Local prototypes */
18 static void acpi_ut_delete_internal_obj(union acpi_operand_object *object);
19 
20 static void
21 acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action);
22 
23 /*******************************************************************************
24  *
25  * FUNCTION:    acpi_ut_delete_internal_obj
26  *
27  * PARAMETERS:  object         - Object to be deleted
28  *
29  * RETURN:      None
30  *
31  * DESCRIPTION: Low level object deletion, after reference counts have been
32  *              updated (All reference counts, including sub-objects!)
33  *
34  ******************************************************************************/
35 
acpi_ut_delete_internal_obj(union acpi_operand_object * object)36 static void acpi_ut_delete_internal_obj(union acpi_operand_object *object)
37 {
38 	void *obj_pointer = NULL;
39 	union acpi_operand_object *handler_desc;
40 	union acpi_operand_object *second_desc;
41 	union acpi_operand_object *next_desc;
42 	union acpi_operand_object *start_desc;
43 	union acpi_operand_object **last_obj_ptr;
44 
45 	ACPI_FUNCTION_TRACE_PTR(ut_delete_internal_obj, object);
46 
47 	if (!object) {
48 		return_VOID;
49 	}
50 
51 	/*
52 	 * Must delete or free any pointers within the object that are not
53 	 * actual ACPI objects (for example, a raw buffer pointer).
54 	 */
55 	switch (object->common.type) {
56 	case ACPI_TYPE_STRING:
57 
58 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
59 				  "**** String %p, ptr %p\n", object,
60 				  object->string.pointer));
61 
62 		/* Free the actual string buffer */
63 
64 		if (!(object->common.flags & AOPOBJ_STATIC_POINTER)) {
65 
66 			/* But only if it is NOT a pointer into an ACPI table */
67 
68 			obj_pointer = object->string.pointer;
69 		}
70 		break;
71 
72 	case ACPI_TYPE_BUFFER:
73 
74 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
75 				  "**** Buffer %p, ptr %p\n", object,
76 				  object->buffer.pointer));
77 
78 		/* Free the actual buffer */
79 
80 		if (!(object->common.flags & AOPOBJ_STATIC_POINTER)) {
81 
82 			/* But only if it is NOT a pointer into an ACPI table */
83 
84 			obj_pointer = object->buffer.pointer;
85 		}
86 		break;
87 
88 	case ACPI_TYPE_PACKAGE:
89 
90 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
91 				  " **** Package of count %X\n",
92 				  object->package.count));
93 
94 		/*
95 		 * Elements of the package are not handled here, they are deleted
96 		 * separately
97 		 */
98 
99 		/* Free the (variable length) element pointer array */
100 
101 		obj_pointer = object->package.elements;
102 		break;
103 
104 		/*
105 		 * These objects have a possible list of notify handlers.
106 		 * Device object also may have a GPE block.
107 		 */
108 	case ACPI_TYPE_DEVICE:
109 
110 		if (object->device.gpe_block) {
111 			(void)acpi_ev_delete_gpe_block(object->device.
112 						       gpe_block);
113 		}
114 
115 		/*lint -fallthrough */
116 
117 	case ACPI_TYPE_PROCESSOR:
118 	case ACPI_TYPE_THERMAL:
119 
120 		/* Walk the address handler list for this object */
121 
122 		handler_desc = object->common_notify.handler;
123 		while (handler_desc) {
124 			next_desc = handler_desc->address_space.next;
125 			acpi_ut_remove_reference(handler_desc);
126 			handler_desc = next_desc;
127 		}
128 		break;
129 
130 	case ACPI_TYPE_MUTEX:
131 
132 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
133 				  "***** Mutex %p, OS Mutex %p\n",
134 				  object, object->mutex.os_mutex));
135 
136 		if (object == acpi_gbl_global_lock_mutex) {
137 
138 			/* Global Lock has extra semaphore */
139 
140 			(void)
141 			    acpi_os_delete_semaphore
142 			    (acpi_gbl_global_lock_semaphore);
143 			acpi_gbl_global_lock_semaphore = NULL;
144 
145 			acpi_os_delete_mutex(object->mutex.os_mutex);
146 			acpi_gbl_global_lock_mutex = NULL;
147 		} else {
148 			acpi_ex_unlink_mutex(object);
149 			acpi_os_delete_mutex(object->mutex.os_mutex);
150 		}
151 		break;
152 
153 	case ACPI_TYPE_EVENT:
154 
155 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
156 				  "***** Event %p, OS Semaphore %p\n",
157 				  object, object->event.os_semaphore));
158 
159 		(void)acpi_os_delete_semaphore(object->event.os_semaphore);
160 		object->event.os_semaphore = NULL;
161 		break;
162 
163 	case ACPI_TYPE_METHOD:
164 
165 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
166 				  "***** Method %p\n", object));
167 
168 		/* Delete the method mutex if it exists */
169 
170 		if (object->method.mutex) {
171 			acpi_os_delete_mutex(object->method.mutex->mutex.
172 					     os_mutex);
173 			acpi_ut_delete_object_desc(object->method.mutex);
174 			object->method.mutex = NULL;
175 		}
176 
177 		if (object->method.node) {
178 			object->method.node = NULL;
179 		}
180 		break;
181 
182 	case ACPI_TYPE_REGION:
183 
184 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
185 				  "***** Region %p\n", object));
186 
187 		/*
188 		 * Update address_range list. However, only permanent regions
189 		 * are installed in this list. (Not created within a method)
190 		 */
191 		if (!(object->region.node->flags & ANOBJ_TEMPORARY)) {
192 			acpi_ut_remove_address_range(object->region.space_id,
193 						     object->region.node);
194 		}
195 
196 		second_desc = acpi_ns_get_secondary_object(object);
197 		if (second_desc) {
198 			/*
199 			 * Free the region_context if and only if the handler is one of the
200 			 * default handlers -- and therefore, we created the context object
201 			 * locally, it was not created by an external caller.
202 			 */
203 			handler_desc = object->region.handler;
204 			if (handler_desc) {
205 				next_desc =
206 				    handler_desc->address_space.region_list;
207 				start_desc = next_desc;
208 				last_obj_ptr =
209 				    &handler_desc->address_space.region_list;
210 
211 				/* Remove the region object from the handler list */
212 
213 				while (next_desc) {
214 					if (next_desc == object) {
215 						*last_obj_ptr =
216 						    next_desc->region.next;
217 						break;
218 					}
219 
220 					/* Walk the linked list of handlers */
221 
222 					last_obj_ptr = &next_desc->region.next;
223 					next_desc = next_desc->region.next;
224 
225 					/* Prevent infinite loop if list is corrupted */
226 
227 					if (next_desc == start_desc) {
228 						ACPI_ERROR((AE_INFO,
229 							    "Circular region list in address handler object %p",
230 							    handler_desc));
231 						return_VOID;
232 					}
233 				}
234 
235 				if (handler_desc->address_space.handler_flags &
236 				    ACPI_ADDR_HANDLER_DEFAULT_INSTALLED) {
237 
238 					/* Deactivate region and free region context */
239 
240 					if (handler_desc->address_space.setup) {
241 						(void)handler_desc->
242 						    address_space.setup(object,
243 									ACPI_REGION_DEACTIVATE,
244 									handler_desc->
245 									address_space.
246 									context,
247 									&second_desc->
248 									extra.
249 									region_context);
250 					}
251 				}
252 
253 				acpi_ut_remove_reference(handler_desc);
254 			}
255 
256 			/* Now we can free the Extra object */
257 
258 			acpi_ut_delete_object_desc(second_desc);
259 		}
260 		break;
261 
262 	case ACPI_TYPE_BUFFER_FIELD:
263 
264 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
265 				  "***** Buffer Field %p\n", object));
266 
267 		second_desc = acpi_ns_get_secondary_object(object);
268 		if (second_desc) {
269 			acpi_ut_delete_object_desc(second_desc);
270 		}
271 		break;
272 
273 	case ACPI_TYPE_LOCAL_BANK_FIELD:
274 
275 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
276 				  "***** Bank Field %p\n", object));
277 
278 		second_desc = acpi_ns_get_secondary_object(object);
279 		if (second_desc) {
280 			acpi_ut_delete_object_desc(second_desc);
281 		}
282 		break;
283 
284 	default:
285 
286 		break;
287 	}
288 
289 	/* Free any allocated memory (pointer within the object) found above */
290 
291 	if (obj_pointer) {
292 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
293 				  "Deleting Object Subptr %p\n", obj_pointer));
294 		ACPI_FREE(obj_pointer);
295 	}
296 
297 	/* Now the object can be safely deleted */
298 
299 	ACPI_DEBUG_PRINT_RAW((ACPI_DB_ALLOCATIONS,
300 			      "%s: Deleting Object %p [%s]\n",
301 			      ACPI_GET_FUNCTION_NAME, object,
302 			      acpi_ut_get_object_type_name(object)));
303 
304 	acpi_ut_delete_object_desc(object);
305 	return_VOID;
306 }
307 
308 /*******************************************************************************
309  *
310  * FUNCTION:    acpi_ut_delete_internal_object_list
311  *
312  * PARAMETERS:  obj_list        - Pointer to the list to be deleted
313  *
314  * RETURN:      None
315  *
316  * DESCRIPTION: This function deletes an internal object list, including both
317  *              simple objects and package objects
318  *
319  ******************************************************************************/
320 
acpi_ut_delete_internal_object_list(union acpi_operand_object ** obj_list)321 void acpi_ut_delete_internal_object_list(union acpi_operand_object **obj_list)
322 {
323 	union acpi_operand_object **internal_obj;
324 
325 	ACPI_FUNCTION_ENTRY();
326 
327 	/* Walk the null-terminated internal list */
328 
329 	for (internal_obj = obj_list; *internal_obj; internal_obj++) {
330 		acpi_ut_remove_reference(*internal_obj);
331 	}
332 
333 	/* Free the combined parameter pointer list and object array */
334 
335 	ACPI_FREE(obj_list);
336 	return;
337 }
338 
339 /*******************************************************************************
340  *
341  * FUNCTION:    acpi_ut_update_ref_count
342  *
343  * PARAMETERS:  object          - Object whose ref count is to be updated
344  *              action          - What to do (REF_INCREMENT or REF_DECREMENT)
345  *
346  * RETURN:      None. Sets new reference count within the object
347  *
348  * DESCRIPTION: Modify the reference count for an internal acpi object
349  *
350  ******************************************************************************/
351 
352 static void
acpi_ut_update_ref_count(union acpi_operand_object * object,u32 action)353 acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action)
354 {
355 	u16 original_count;
356 	u16 new_count = 0;
357 	acpi_cpu_flags lock_flags;
358 	char *message;
359 
360 	ACPI_FUNCTION_NAME(ut_update_ref_count);
361 
362 	if (!object) {
363 		return;
364 	}
365 
366 	/*
367 	 * Always get the reference count lock. Note: Interpreter and/or
368 	 * Namespace is not always locked when this function is called.
369 	 */
370 	lock_flags = acpi_os_acquire_lock(acpi_gbl_reference_count_lock);
371 	original_count = object->common.reference_count;
372 
373 	/* Perform the reference count action (increment, decrement) */
374 
375 	switch (action) {
376 	case REF_INCREMENT:
377 
378 		new_count = original_count + 1;
379 		object->common.reference_count = new_count;
380 		acpi_os_release_lock(acpi_gbl_reference_count_lock, lock_flags);
381 
382 		/* The current reference count should never be zero here */
383 
384 		if (!original_count) {
385 			ACPI_WARNING((AE_INFO,
386 				      "Obj %p, Reference Count was zero before increment\n",
387 				      object));
388 		}
389 
390 		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
391 				  "Obj %p Type %.2X [%s] Refs %.2X [Incremented]\n",
392 				  object, object->common.type,
393 				  acpi_ut_get_object_type_name(object),
394 				  new_count));
395 		message = "Incremement";
396 		break;
397 
398 	case REF_DECREMENT:
399 
400 		/* The current reference count must be non-zero */
401 
402 		if (original_count) {
403 			new_count = original_count - 1;
404 			object->common.reference_count = new_count;
405 		}
406 
407 		acpi_os_release_lock(acpi_gbl_reference_count_lock, lock_flags);
408 
409 		if (!original_count) {
410 			ACPI_WARNING((AE_INFO,
411 				      "Obj %p, Reference Count is already zero, cannot decrement\n",
412 				      object));
413 		}
414 
415 		ACPI_DEBUG_PRINT_RAW((ACPI_DB_ALLOCATIONS,
416 				      "%s: Obj %p Type %.2X Refs %.2X [Decremented]\n",
417 				      ACPI_GET_FUNCTION_NAME, object,
418 				      object->common.type, new_count));
419 
420 		/* Actually delete the object on a reference count of zero */
421 
422 		if (new_count == 0) {
423 			acpi_ut_delete_internal_obj(object);
424 		}
425 		message = "Decrement";
426 		break;
427 
428 	default:
429 
430 		acpi_os_release_lock(acpi_gbl_reference_count_lock, lock_flags);
431 		ACPI_ERROR((AE_INFO, "Unknown Reference Count action (0x%X)",
432 			    action));
433 		return;
434 	}
435 
436 	/*
437 	 * Sanity check the reference count, for debug purposes only.
438 	 * (A deleted object will have a huge reference count)
439 	 */
440 	if (new_count > ACPI_MAX_REFERENCE_COUNT) {
441 		ACPI_WARNING((AE_INFO,
442 			      "Large Reference Count (0x%X) in object %p, Type=0x%.2X Operation=%s",
443 			      new_count, object, object->common.type, message));
444 	}
445 }
446 
447 /*******************************************************************************
448  *
449  * FUNCTION:    acpi_ut_update_object_reference
450  *
451  * PARAMETERS:  object              - Increment ref count for this object
452  *                                    and all sub-objects
453  *              action              - Either REF_INCREMENT or REF_DECREMENT
454  *
455  * RETURN:      Status
456  *
457  * DESCRIPTION: Increment the object reference count
458  *
459  * Object references are incremented when:
460  * 1) An object is attached to a Node (namespace object)
461  * 2) An object is copied (all subobjects must be incremented)
462  *
463  * Object references are decremented when:
464  * 1) An object is detached from an Node
465  *
466  ******************************************************************************/
467 
468 acpi_status
acpi_ut_update_object_reference(union acpi_operand_object * object,u16 action)469 acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action)
470 {
471 	acpi_status status = AE_OK;
472 	union acpi_generic_state *state_list = NULL;
473 	union acpi_operand_object *next_object = NULL;
474 	union acpi_operand_object *prev_object;
475 	union acpi_generic_state *state;
476 	u32 i;
477 
478 	ACPI_FUNCTION_NAME(ut_update_object_reference);
479 
480 	while (object) {
481 
482 		/* Make sure that this isn't a namespace handle */
483 
484 		if (ACPI_GET_DESCRIPTOR_TYPE(object) == ACPI_DESC_TYPE_NAMED) {
485 			ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
486 					  "Object %p is NS handle\n", object));
487 			return (AE_OK);
488 		}
489 
490 		/*
491 		 * All sub-objects must have their reference count incremented
492 		 * also. Different object types have different subobjects.
493 		 */
494 		switch (object->common.type) {
495 		case ACPI_TYPE_DEVICE:
496 		case ACPI_TYPE_PROCESSOR:
497 		case ACPI_TYPE_POWER:
498 		case ACPI_TYPE_THERMAL:
499 			/*
500 			 * Update the notify objects for these types (if present)
501 			 * Two lists, system and device notify handlers.
502 			 */
503 			for (i = 0; i < ACPI_NUM_NOTIFY_TYPES; i++) {
504 				prev_object =
505 				    object->common_notify.notify_list[i];
506 				while (prev_object) {
507 					next_object =
508 					    prev_object->notify.next[i];
509 					acpi_ut_update_ref_count(prev_object,
510 								 action);
511 					prev_object = next_object;
512 				}
513 			}
514 			break;
515 
516 		case ACPI_TYPE_PACKAGE:
517 			/*
518 			 * We must update all the sub-objects of the package,
519 			 * each of whom may have their own sub-objects.
520 			 */
521 			for (i = 0; i < object->package.count; i++) {
522 				/*
523 				 * Null package elements are legal and can be simply
524 				 * ignored.
525 				 */
526 				next_object = object->package.elements[i];
527 				if (!next_object) {
528 					continue;
529 				}
530 
531 				switch (next_object->common.type) {
532 				case ACPI_TYPE_INTEGER:
533 				case ACPI_TYPE_STRING:
534 				case ACPI_TYPE_BUFFER:
535 					/*
536 					 * For these very simple sub-objects, we can just
537 					 * update the reference count here and continue.
538 					 * Greatly increases performance of this operation.
539 					 */
540 					acpi_ut_update_ref_count(next_object,
541 								 action);
542 					break;
543 
544 				default:
545 					/*
546 					 * For complex sub-objects, push them onto the stack
547 					 * for later processing (this eliminates recursion.)
548 					 */
549 					status =
550 					    acpi_ut_create_update_state_and_push
551 					    (next_object, action, &state_list);
552 					if (ACPI_FAILURE(status)) {
553 						goto error_exit;
554 					}
555 					break;
556 				}
557 			}
558 			next_object = NULL;
559 			break;
560 
561 		case ACPI_TYPE_BUFFER_FIELD:
562 
563 			next_object = object->buffer_field.buffer_obj;
564 			break;
565 
566 		case ACPI_TYPE_LOCAL_REGION_FIELD:
567 
568 			next_object = object->field.region_obj;
569 			break;
570 
571 		case ACPI_TYPE_LOCAL_BANK_FIELD:
572 
573 			next_object = object->bank_field.bank_obj;
574 			status =
575 			    acpi_ut_create_update_state_and_push(object->
576 								 bank_field.
577 								 region_obj,
578 								 action,
579 								 &state_list);
580 			if (ACPI_FAILURE(status)) {
581 				goto error_exit;
582 			}
583 			break;
584 
585 		case ACPI_TYPE_LOCAL_INDEX_FIELD:
586 
587 			next_object = object->index_field.index_obj;
588 			status =
589 			    acpi_ut_create_update_state_and_push(object->
590 								 index_field.
591 								 data_obj,
592 								 action,
593 								 &state_list);
594 			if (ACPI_FAILURE(status)) {
595 				goto error_exit;
596 			}
597 			break;
598 
599 		case ACPI_TYPE_LOCAL_REFERENCE:
600 			/*
601 			 * The target of an Index (a package, string, or buffer) or a named
602 			 * reference must track changes to the ref count of the index or
603 			 * target object.
604 			 */
605 			if ((object->reference.class == ACPI_REFCLASS_INDEX) ||
606 			    (object->reference.class == ACPI_REFCLASS_NAME)) {
607 				next_object = object->reference.object;
608 			}
609 			break;
610 
611 		case ACPI_TYPE_REGION:
612 		default:
613 
614 			break;	/* No subobjects for all other types */
615 		}
616 
617 		/*
618 		 * Now we can update the count in the main object. This can only
619 		 * happen after we update the sub-objects in case this causes the
620 		 * main object to be deleted.
621 		 */
622 		acpi_ut_update_ref_count(object, action);
623 		object = NULL;
624 
625 		/* Move on to the next object to be updated */
626 
627 		if (next_object) {
628 			object = next_object;
629 			next_object = NULL;
630 		} else if (state_list) {
631 			state = acpi_ut_pop_generic_state(&state_list);
632 			object = state->update.object;
633 			acpi_ut_delete_generic_state(state);
634 		}
635 	}
636 
637 	return (AE_OK);
638 
639 error_exit:
640 
641 	ACPI_EXCEPTION((AE_INFO, status,
642 			"Could not update object reference count"));
643 
644 	/* Free any stacked Update State objects */
645 
646 	while (state_list) {
647 		state = acpi_ut_pop_generic_state(&state_list);
648 		acpi_ut_delete_generic_state(state);
649 	}
650 
651 	return (status);
652 }
653 
654 /*******************************************************************************
655  *
656  * FUNCTION:    acpi_ut_add_reference
657  *
658  * PARAMETERS:  object          - Object whose reference count is to be
659  *                                incremented
660  *
661  * RETURN:      None
662  *
663  * DESCRIPTION: Add one reference to an ACPI object
664  *
665  ******************************************************************************/
666 
acpi_ut_add_reference(union acpi_operand_object * object)667 void acpi_ut_add_reference(union acpi_operand_object *object)
668 {
669 
670 	ACPI_FUNCTION_NAME(ut_add_reference);
671 
672 	/* Ensure that we have a valid object */
673 
674 	if (!acpi_ut_valid_internal_object(object)) {
675 		return;
676 	}
677 
678 	ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
679 			  "Obj %p Current Refs=%X [To Be Incremented]\n",
680 			  object, object->common.reference_count));
681 
682 	/* Increment the reference count */
683 
684 	(void)acpi_ut_update_object_reference(object, REF_INCREMENT);
685 	return;
686 }
687 
688 /*******************************************************************************
689  *
690  * FUNCTION:    acpi_ut_remove_reference
691  *
692  * PARAMETERS:  object         - Object whose ref count will be decremented
693  *
694  * RETURN:      None
695  *
696  * DESCRIPTION: Decrement the reference count of an ACPI internal object
697  *
698  ******************************************************************************/
699 
acpi_ut_remove_reference(union acpi_operand_object * object)700 void acpi_ut_remove_reference(union acpi_operand_object *object)
701 {
702 
703 	ACPI_FUNCTION_NAME(ut_remove_reference);
704 
705 	/*
706 	 * Allow a NULL pointer to be passed in, just ignore it. This saves
707 	 * each caller from having to check. Also, ignore NS nodes.
708 	 */
709 	if (!object ||
710 	    (ACPI_GET_DESCRIPTOR_TYPE(object) == ACPI_DESC_TYPE_NAMED)) {
711 		return;
712 	}
713 
714 	/* Ensure that we have a valid object */
715 
716 	if (!acpi_ut_valid_internal_object(object)) {
717 		return;
718 	}
719 
720 	ACPI_DEBUG_PRINT_RAW((ACPI_DB_ALLOCATIONS,
721 			      "%s: Obj %p Current Refs=%X [To Be Decremented]\n",
722 			      ACPI_GET_FUNCTION_NAME, object,
723 			      object->common.reference_count));
724 
725 	/*
726 	 * Decrement the reference count, and only actually delete the object
727 	 * if the reference count becomes 0. (Must also decrement the ref count
728 	 * of all subobjects!)
729 	 */
730 	(void)acpi_ut_update_object_reference(object, REF_DECREMENT);
731 	return;
732 }
733