From: Jia-Ju Bai
To: freebsd-drivers@freebsd.org, freebsd-bugs@freebsd.org, freebsd-hackers@freebsd.org
Cc: Jia-Ju Bai
Subject: [PATCH] mlx: Fix a possible sleep-under-mutex bug in mlx_alloccmd
Date: Mon, 19 Jun 2017 09:44:19 +0800
Message-Id: <20170619014419.43824-1-baijiaju1990@163.com>
List-Id: Technical Discussions relating to FreeBSD

The driver may sleep under a mutex, and the function call path is:
mlx_attach [line 432: acquire the mutex]
  mlx_enquire
    mlx_alloccmd
      bus_dmamap_create(BUS_DMA_WAITOK) --> may sleep

The possible fix of this bug is to replace "BUS_DMA_WAITOK" in bus_dmamap_create with "BUS_DMA_NOWAIT".

This bug is found by a static analysis tool written by myself, and it is checked by my review of the FreeBSD code.

Signed-off-by: Jia-Ju Bai
--- sys/dev/mlx/mlx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/dev/mlx/mlx.c b/sys/dev/mlx/mlx.c index e3b09582a36..c2e8ba3c595 100644 --- a/sys/dev/mlx/mlx.c +++ b/sys/dev/mlx/mlx.c 
@@ -2426,7 +2426,8 @@ mlx_alloccmd(struct mlx_softc *sc) mc = (struct mlx_command *)malloc(sizeof(*mc), M_DEVBUF, M_NOWAIT | M_ZERO); if (mc != NULL) { mc->mc_sc = sc; - error = bus_dmamap_create(sc->mlx_buffer_dmat, 0, &mc->mc_dmamap); + error = bus_dmamap_create(sc->mlx_buffer_dmat, BUS_DMA_NOWAIT, + &mc->mc_dmamap); if (error) { free(mc, M_DEVBUF); return(NULL); -- 2.13.0
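Review bot: on the added bus_dmamap_create(sc->mlx_buffer_dmat, BUS_DMA_NOWAIT, ...) call in mlx_alloccmd, map creation can now fail where it previously could wait, and the unchanged error branch turns that into free(mc, M_DEVBUF) and return(NULL). Please confirm that mlx_enquire and every other caller of mlx_alloccmd handle a NULL return, because that branch is more likely to be taken during attach after this change. Separately, the commit message names BUS_DMA_WAITOK while the removed line passes a literal 0; one sentence in the message saying that the 0 flags argument is what is being replaced would let a reader match the description to the diff.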