NetBSD Problem Report #42208
From Wolfgang.Stukenbrock@nagler-company.com Wed Oct 21 09:36:02 2009
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 7CED163B877
for <gnats-bugs@gnats.NetBSD.org>; Wed, 21 Oct 2009 09:36:02 +0000 (UTC)
Message-Id: <20091021093558.8CA734EA9FE@s012.nagler-company.com>
Date: Wed, 21 Oct 2009 11:35:58 +0200 (CEST)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: x86 DMA-bouncebuf alloc failure may blow up kernel
X-Send-Pr-Version: 3.95
>Number: 42208
>Category: port-amd64
>Synopsis: x86 DMA-bouncebuf alloc failure may blow up kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: port-amd64-maintainer
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Oct 21 09:40:01 +0000 2009
>Closed-Date: Fri Nov 06 23:11:05 +0000 2009
>Last-Modified: Fri Nov 06 23:15:02 +0000 2009
>Originator: Wolfgang Stukenbrock
>Release: NetBSD 4.0
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD s012 4.0 NetBSD 4.0 (NSW-S012) #9: Fri Mar 13 12:31:52 CET 2009 wgstuken@s012:/usr/src/sys/arch/amd64/compile/NSW-S012 amd64
Architecture: x86_64
Machine: amd64
>Description:
If an allocation for a bounce buffer failed, _bus_dmamem_free() is called anyway, but the number of segments
may contain some garbage.
This may blow up the memory management!
The problem is located in /usr/src/sys/arch/x86/x86/bus_dma.c - so all x86 architectures are affected!
Due to the fact that allocation errors are rare, this bug is normally not triggered.
>How-To-Repeat:
Found by a look into the sources while searching for another DMA alloc-problem on SuperMicro systems.
>Fix:
The following patch will fix the problem:
--- bus_dma.c 2009/10/21 09:28:05 1.1
+++ bus_dma.c 2009/10/21 09:29:17
@@ -897,10 +897,10 @@
cookie->id_nbouncesegs, cookie->id_bouncebuflen,
(caddr_t *)&cookie->id_bouncebuf, flags);
- out:
if (error) {
_bus_dmamem_free(t, cookie->id_bouncesegs,
cookie->id_nbouncesegs);
+ out:
cookie->id_bouncebuflen = 0;
cookie->id_nbouncesegs = 0;
} else {
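Review bot: with `out:` moved inside the body of `if (error) {`, after the `_bus_dmamem_free()` call, every `goto out` now enters the error branch without `error` being tested and never reaches the `else` arm. That is only correct if all `goto out` sites, which lie outside this hunk, are reached with `error` nonzero. Please either add a short comment at the label saying so, or have the failed allocation jump to a label placed after the whole `if`/`else` and reset `cookie->id_bouncebuflen` and `cookie->id_nbouncesegs` there, so a later `goto out` on a success path cannot silently zero the cookie. The call whose arguments end at `flags);` still falls through to `_bus_dmamem_free()` on error; a comment noting that this is deliberate would help the next reader.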
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: dsl@NetBSD.org
State-Changed-When: Fri, 06 Nov 2009 23:11:05 +0000
State-Changed-Why:
patch applied
From: David Laight <dsl@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/42208 CVS commit: src/sys/arch/x86/x86
Date: Fri, 6 Nov 2009 23:10:10 +0000
Module Name: src
Committed By: dsl
Date: Fri Nov 6 23:10:10 UTC 2009
Modified Files:
src/sys/arch/x86/x86: bus_dma.c
Log Message:
Don't call _bus_dmamem_free() when _bus_dmamem_alloc() fails.
Fixes PR/42208
To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/sys/arch/x86/x86/bus_dma.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
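Added example, not part of this PR or of the NetBSD source: a user-space model of the error path described under >Description, showing that a failed allocation must skip the free while a failure after a successful allocation must still release the segments. The struct, seg_alloc(), seg_map(), seg_free(), alloc_bouncebuf() and ERR_NOMEM are hypothetical stand-ins, and the garbage segment count is a constructed value.

```c
#include <stddef.h>
#include <stdlib.h>

#define ERR_NOMEM 12            /* hypothetical error code */

struct cookie {                 /* hypothetical stand-in for the DMA cookie */
    void  *segs;                /* valid only after a successful alloc */
    int    nsegs;               /* may hold garbage when alloc fails */
    size_t buflen;
    void  *buf;
};

static int free_calls;          /* how often seg_free() ran */
static int bad_free_calls;      /* ...with a count the allocator never set */

static int seg_alloc(struct cookie *c, int fail) {
    if (fail) { c->nsegs = 0x7fffffff; return ERR_NOMEM; } /* constructed garbage */
    c->segs = malloc(64);
    c->nsegs = 1;
    return c->segs ? 0 : ERR_NOMEM;
}

static int seg_map(struct cookie *c, int fail) {
    if (fail) return ERR_NOMEM;
    c->buf = c->segs;
    return 0;
}

static void seg_free(struct cookie *c) {
    free_calls++;
    if (c->nsegs != 1) { bad_free_calls++; return; } /* would corrupt a real allocator */
    free(c->segs);
    c->segs = NULL;
}

/* Alloc failure skips seg_free(); map failure still releases the segments. */
int alloc_bouncebuf(struct cookie *c, size_t len, int fail_alloc, int fail_map) {
    int error;
    c->buflen = len;
    error = seg_alloc(c, fail_alloc);
    if (error) goto out;                /* nothing was allocated: do not free */
    error = seg_map(c, fail_map);
    if (error) seg_free(c);             /* segments exist: release them */
out:
    if (error) { c->buflen = 0; c->nsegs = 0; c->buf = NULL; }
    return error;
}
```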