NetBSD Problem Report #55855
From www@netbsd.org Wed Dec 9 13:44:00 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id A82191A9217
for <gnats-bugs@gnats.NetBSD.org>; Wed, 9 Dec 2020 13:44:00 +0000 (UTC)
Message-Id: <20201209134359.A1F9C1A9239@mollari.NetBSD.org>
Date: Wed, 9 Dec 2020 13:43:59 +0000 (UTC)
From: hashikaw@mail.ru
Reply-To: hashikaw@mail.ru
To: gnats-bugs@NetBSD.org
Subject: call pci_intr_release twice at xhci_pci_attach
X-Send-Pr-Version: www-1.0
>Number: 55855
>Category: kern
>Synopsis: call pci_intr_release twice at xhci_pci_attach
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Dec 09 13:45:00 +0000 2020
>Closed-Date: Mon May 17 16:48:17 +0000 2021
>Last-Modified: Mon May 17 16:48:17 +0000 2021
>Originator: Kouichi Hashikawa
>Release: NetBSD-current
>Organization:
>Environment:
>Description:
When
    psc->sc_ih = pci_intr_establish_xname(pc, psc->sc_pihp[0], IPL_USB,
        xhci_intr, sc, device_xname(sc->sc_dev));
fails, pci_intr_release(pc, psc->sc_pihp, 1) is called the first time in
    if (psc->sc_ih == NULL) {...}
and a second time at fail:.
The kernel then panics in kmem_size_check() in subr_kmem.c with the message:
panic: kmem_free(0xffff0000fbfe7320, 8) != allocated size 18446744073709551615; overwrote?
>How-To-Repeat:
>Fix:
--- src/sys/dev/pci/xhci_pci.c-dist 2019-12-02 12:06:51.000000000 +0900
+++ src/sys/dev/pci//xhci_pci.c 2020-12-09 22:41:37.553851897 +0900
@@ -214,6 +214,7 @@
if (psc->sc_ih == NULL) {
pci_intr_release(pc, psc->sc_pihp, 1);
psc->sc_ih = NULL;
+ psc->sc_pihp = NULL;
aprint_error_dev(self, "couldn't establish interrupt");
if (intrstr != NULL)
aprint_error(" at %s", intrstr);
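Review bot: clearing psc->sc_pihp after the early pci_intr_release(pc, psc->sc_pihp, 1) only prevents the second release if the cleanup at fail: tests psc->sc_pihp for NULL before releasing, and that code is outside this hunk; please confirm the guard is there or add it in the same change. Separately, the context line "psc->sc_ih = NULL;" sits inside "if (psc->sc_ih == NULL)" and is a no-op that could be dropped. A one-line comment on the new assignment saying that the handle array has already been released at this point would help the next reader of the error path.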
>Release-Note:
>Audit-Trail:
From: "Jonathan A. Kollasch" <jakllsch@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55855 CVS commit: src/sys/dev/pci
Date: Wed, 9 Dec 2020 14:21:09 +0000
Module Name: src
Committed By: jakllsch
Date: Wed Dec 9 14:21:09 UTC 2020
Modified Files:
src/sys/dev/pci: xhci_pci.c
Log Message:
xhci_pci: avoid potential double free of interrupt handles
Found by Kouichi Hashikawa in PR 55855.
To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/sys/dev/pci/xhci_pci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: jakllsch@NetBSD.org
State-Changed-When: Wed, 09 Dec 2020 14:37:29 +0000
State-Changed-Why:
functionally identical patch committed, is it satisfactory?
From: Kouichi Hashikawa <hashikaw@mail.ru>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, netbsd-bugs@netbsd.org,
gnats-admin@netbsd.org, jakllsch@netbsd.org
Subject: Re: kern/55855 (call pci_intr_release twice at xhci_pci_attach)
Date: Thu, 10 Dec 2020 00:43:37 +0900
Thank you for applying the patch.
No problem on my environment.
Please apply this patch to netbsd-9 branch.
--
Kouichi Hashikawa
> On 2020/12/09 23:37, jakllsch@netbsd.org wrote:
>
> Synopsis: call pci_intr_release twice at xhci_pci_attach
>
> State-Changed-From-To: open->feedback
> State-Changed-By: jakllsch@NetBSD.org
> State-Changed-When: Wed, 09 Dec 2020 14:37:29 +0000
> State-Changed-Why:
> functionally identical patch committed, is it satisfactory?
From: Kouichi Hashikawa <hashikaw@mail.ru>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/55855 (call pci_intr_release twice at xhci_pci_attach)
Date: Thu, 10 Dec 2020 00:39:57 +0900
Thank you for applying the patch.
No problem on my environment.
Please apply this patch to netbsd-9 branch.
--
Kouichi Hashikawa
> On 2020/12/09 23:37, jakllsch@netbsd.org wrote:
>
> Synopsis: call pci_intr_release twice at xhci_pci_attach
>
> State-Changed-From-To: open->feedback
> State-Changed-By: jakllsch@NetBSD.org
> State-Changed-When: Wed, 09 Dec 2020 14:37:29 +0000
> State-Changed-Why:
> functionally identical patch committed, is it satisfactory?
From: Kouichi Hashikawa <hashikaw@mail.ru>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/55855
Date: Thu, 14 Jan 2021 00:59:23 +0900
Thank you for applying the patch.
No problem on my environment.
Please apply this patch to netbsd-9 branch.
--
Kouichi Hashikawa
From: Kouichi Hashikawa <hashikaw@mail.ru>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, jakllsch@netbsd.org
Subject: Re: kern/55855 (call pci_intr_release twice at xhci_pci_attach)
Date: Wed, 3 Mar 2021 01:24:46 +0900
> State-Changed-Why:
> functionally identical patch committed, is it satisfactory?
Thank you for applying the patch.
No problem on my environment.
Please apply this patch to netbsd-9 branch, and close the problem.
--
Kouichi Hashikawa
State-Changed-From-To: feedback->needs-pullups
State-Changed-By: maya@NetBSD.org
State-Changed-When: Thu, 29 Apr 2021 17:29:40 +0000
State-Changed-Why:
Appropriate state, sorry for the feedback emails, ... also this email
From: Kouichi Hashikawa <hashikaw@mail.ru>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, maya@netbsd.org
Subject: Re: kern/55855 (call pci_intr_release twice at xhci_pci_attach)
Date: Fri, 30 Apr 2021 03:41:28 +0900
> Appropriate state, sorry for the feedback emails, ... also this email
Thank you for applying the patch.
No problem on my environment.
Please apply this patch to netbsd-9 branch, and close the problem.
--
Kouichi Hashikawa
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55855 CVS commit: [netbsd-9] src/sys/dev/pci
Date: Mon, 17 May 2021 15:50:35 +0000
Module Name: src
Committed By: martin
Date: Mon May 17 15:50:35 UTC 2021
Modified Files:
src/sys/dev/pci [netbsd-9]: xhci_pci.c
Log Message:
Pull up following revision(s) (requested by jakllsch in ticket #1273):
sys/dev/pci/xhci_pci.c: revision 1.26
xhci_pci: avoid potential double free of interrupt handles
Found by Kouichi Hashikawa in PR 55855.
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.4.1 src/sys/dev/pci/xhci_pci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->closed
State-Changed-By: jakllsch@NetBSD.org
State-Changed-When: Mon, 17 May 2021 16:48:17 +0000
State-Changed-Why:
pullup to -9 complete
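The failure mode reported in this PR, as an added example that is not part of the PR or of NetBSD's source: a userspace C model of an attach routine whose early error branch and shared fail: cleanup both release the same handle. The names handle_alloc, handle_release and attach_model, the static pool, and the NULL guard in the cleanup are assumptions made for the model.

```c
/* Userspace model of the attach error path described in this PR.
 * All names are hypothetical stand-ins, not NetBSD kernel APIs. */
#include <stddef.h>
#include <stdio.h>

struct handle { int in_use; };
static struct handle pool[2];		/* constructed stand-in for the allocator */
static struct handle *handle_alloc(void)
{
	for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
		if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
	return NULL;
}

static int handle_release(struct handle *h)
{
	if (h == NULL || !h->in_use)
		return -1;		/* invalid release: the kernel panics here */
	h->in_use = 0;
	return 0;
}

enum stage { FAIL_ESTABLISH, FAIL_LATER };
struct softc_model { struct handle *pihp; void *ih; };
/* Runs one failing attach; returns how many invalid releases happened. */
static int attach_model(enum stage where, int clear_after_release)
{
	struct softc_model sc = { handle_alloc(), NULL };
	int bad = 0;
	if (where != FAIL_ESTABLISH)
		sc.ih = &sc;			/* establish succeeded */
	if (sc.ih == NULL) {
		bad += handle_release(sc.pihp) != 0;	/* first release */
		if (clear_after_release)
			sc.pihp = NULL;		/* the PR's one-line change */
		goto fail;
	}
	/* FAIL_LATER: a later attach step fails and falls into cleanup. */
fail:
	if (sc.pihp != NULL)			/* assumed guard in shared cleanup */
		bad += handle_release(sc.pihp) != 0;
	return bad;
}

int main(void)
{
	printf("double releases: unpatched=%d patched=%d\n",
	    attach_model(FAIL_ESTABLISH, 0), attach_model(FAIL_ESTABLISH, 1));
}
```

The FAIL_LATER case shows why the shared cleanup still has to release the handle: only the early branch, which has already released it, needs to clear the pointer.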
>Unformatted:
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.