From: Jia-Ju Bai
To: rkoberman@gmail.com, yongari@freebsd.org
Cc: freebsd-drivers@freebsd.org, freebsd-net@freebsd.org, Jia-Ju Bai
Subject: [Bug 220032][PATCH] if_alc: Fix possible sleep-under-mutex bugs
Date: Sun, 18 Jun 2017 09:04:05 +0800
Message-Id: <20170618010405.40107-1-baijiaju1990@163.com>

The alc driver may sleep under a mutex, and the function call paths in
file "sys/dev/alc/if_alc.c" are:

alc_resume [acquire the mutex]
  alc_init_locked
    alc_init_rx_ring
      alc_newbuf
        bus_dmamap_load_mbuf_sg(BUS_DMA_WAITOK) --> may sleep

alc_start [acquire the mutex]
  alc_start_locked
    alc_encap
      bus_dmamap_load_mbuf_sg(BUS_DMA_WAITOK) --> may sleep

A possible fix for these bugs is to set the last parameter in
bus_dmamap_load_mbuf_sg to "BUS_DMA_NOWAIT".

This bug was found by a static analysis tool written by myself, and it
was checked by my review of the FreeBSD code.

Signed-off-by: Jia-Ju Bai
--- sys/dev/alc/if_alc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/dev/alc/if_alc.c b/sys/dev/alc/if_alc.c index ca7ae9d17b5..cb0f15e223b 100644 --- a/sys/dev/alc/if_alc.c +++ b/sys/dev/alc/if_alc.c 
@@ -2795,7 +2795,7 @@ alc_encap(struct alc_softc *sc, struct mbuf **m_head) map = txd->tx_dmamap; error = bus_dmamap_load_mbuf_sg(sc->alc_cdata.alc_tx_tag, map, - *m_head, txsegs, &nsegs, 0); + *m_head, txsegs, &nsegs, BUS_DMA_NOWAIT); if (error == EFBIG) { m = m_collapse(*m_head, M_NOWAIT, ALC_MAXTXSEGS); if (m == NULL) { @@ -2805,7 +2805,7 @@ alc_encap(struct alc_softc *sc, struct mbuf **m_head) } *m_head = m; error = bus_dmamap_load_mbuf_sg(sc->alc_cdata.alc_tx_tag, map, - *m_head, txsegs, &nsegs, 0); + *m_head, txsegs, &nsegs, BUS_DMA_NOWAIT); if (error != 0) { m_freem(*m_head); *m_head = NULL; @@ -3487,7 +3487,7 @@ alc_newbuf(struct alc_softc *sc, struct alc_rxdesc *rxd) #endif if (bus_dmamap_load_mbuf_sg(sc->alc_cdata.alc_rx_tag, - sc->alc_cdata.alc_rx_sparemap, m, segs, &nsegs, 0) != 0) { + sc->alc_cdata.alc_rx_sparemap, m, segs, &nsegs, BUS_DMA_NOWAIT) != 0) { m_freem(m); return (ENOBUFS); } -- 2.13.0
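
Review bot: In the first alc_encap hunk (@@ -2795), the only error handled in the visible context after the load is `error == EFBIG`. With BUS_DMA_NOWAIT the call returns an error immediately when mapping resources are short instead of waiting, so please confirm that the code following this branch handles other non-zero returns (for example ENOMEM) without leaking *m_head or leaving the TX descriptor half set up, and say in the commit message which path that is.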
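
Review bot: In the second alc_encap hunk (@@ -2805), the retry after m_collapse() treats every failure the same way: `m_freem(*m_head); *m_head = NULL;`. With BUS_DMA_NOWAIT a transient resource shortage on the retry therefore ends in a freed packet rather than a wait. That is the right trade while the mutex is held, but the commit message should state it, and it is worth checking that the caller counts the drop when it sees *m_head == NULL.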
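
Review bot: In the alc_newbuf hunk (@@ -3487), any load failure is reported as ENOBUFS after `m_freem(m)`, and the commit message places this call under alc_resume -> alc_init_locked -> alc_init_rx_ring. Please confirm that the init path unwinds cleanly when alc_newbuf returns ENOBUFS with the mutex held, since an immediate failure is what BUS_DMA_NOWAIT asks for. As a style point, the changed continuation line `sc->alc_cdata.alc_rx_sparemap, m, segs, &nsegs, BUS_DMA_NOWAIT) != 0) {` is 13 characters longer than before and probably exceeds 80 columns once indentation is counted; wrap it after `&nsegs,`.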