From owner-freebsd-i386@FreeBSD.ORG  Sun Feb 20 20:20:08 2005
Return-Path: <owner-freebsd-i386@FreeBSD.ORG>
Delivered-To: freebsd-i386@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F218F16A4CE
	for <freebsd-i386@hub.freebsd.org>;
	Sun, 20 Feb 2005 20:20:07 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B94C143D1F
	for <freebsd-i386@hub.freebsd.org>;
	Sun, 20 Feb 2005 20:20:07 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j1KKK7sP085414
	for <freebsd-i386@freefall.freebsd.org>; Sun, 20 Feb 2005 20:20:07 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j1KKK75i085413;
	Sun, 20 Feb 2005 20:20:07 GMT
	(envelope-from gnats)
Resent-Date: Sun, 20 Feb 2005 20:20:07 GMT
Resent-Message-Id: <200502202020.j1KKK75i085413@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-i386@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	"Frank Mayhar" <frank@exit.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1AA5316A521
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun, 20 Feb 2005 20:12:56 +0000 (GMT)
Received: from tinker.exit.com (tinker.exit.com [206.223.0.1])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6E72043D41
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun, 20 Feb 2005 20:12:55 +0000 (GMT)	(envelope-from frank@exit.com)
Received: from realtime.exit.com (realtime [206.223.0.5])
	by tinker.exit.com (8.13.1/8.13.1) with ESMTP id j1KKCqpT085075
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun, 20 Feb 2005 12:12:54 -0800 (PST)	(envelope-from frank@exit.com)
Message-Id: <1108930374.0@realtime.exit.com>
Date: Sun, 20 Feb 2005 12:12:54 -0800
From: "Frank Mayhar" <frank@exit.com>
To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@FreeBSD.org>
X-Send-Pr-Version: gtk-send-pr 0.4.4 
Subject: i386/77804: Reusing freed memory in if_bfe.c
X-BeenThere: freebsd-i386@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: I386-specific issues for FreeBSD <freebsd-i386.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-i386>,
	<mailto:freebsd-i386-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-i386>
List-Post: <mailto:freebsd-i386@freebsd.org>
List-Help: <mailto:freebsd-i386-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-i386>,
	<mailto:freebsd-i386-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Feb 2005 20:20:08 -0000


>Number:         77804
>Category:       i386
>Synopsis:       Reusing freed memory in if_bfe.c
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 20 20:20:07 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Frank Mayhar
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
Exit Consulting 
>Environment:


FreeBSD lap 6.0-CURRENT FreeBSD 6.0-CURRENT #15: Sat Feb 19 18:46:46 PST 2005     frank@fw94:/home/obj/usr/src/sys/AUTON  i386



>Description:


In my recent hunt for my hard hang, I ran into a panic in
bfe_intr() in which it was dereferencing a freed dmamap
entry.  It turns out that doing an "ifconfig bfe0 down" forces
a call to bfe_stop(), which destroys the ring buffer dmamaps.
This is bad, since they are never recreated.

The fix (patch is attached) is to not destroy the dmamaps in
bfe_rx_ring_free()/bfe_tx_ring_free(), since they will be reused.
Instead, destroy them in the detach routine.  It turned out that
the detach routine was already destroying the tx ring buffer
dmamaps, but not the rx ones.

Patch follows.


>How-To-Repeat:





>Fix:


--- bfe-bug.diff begins here ---
Index: sys/dev/bfe/if_bfe.c
===================================================================
RCS file: /cvs/repos/src/sys/dev/bfe/if_bfe.c,v
retrieving revision 1.20
diff -u -r1.20 if_bfe.c
--- sys/dev/bfe/if_bfe.c	9 Jan 2005 19:57:55 -0000	1.20
+++ sys/dev/bfe/if_bfe.c	20 Feb 2005 19:56:00 -0000
@@ -541,8 +541,6 @@
 			sc->bfe_tx_ring[i].bfe_mbuf = NULL;
 			bus_dmamap_unload(sc->bfe_tag,
 					sc->bfe_tx_ring[i].bfe_map);
-			bus_dmamap_destroy(sc->bfe_tag,
-					sc->bfe_tx_ring[i].bfe_map);
 		}
 	}
 	bzero(sc->bfe_tx_list, BFE_TX_LIST_SIZE);
@@ -560,15 +558,12 @@
 			sc->bfe_rx_ring[i].bfe_mbuf = NULL;
 			bus_dmamap_unload(sc->bfe_tag,
 					sc->bfe_rx_ring[i].bfe_map);
-			bus_dmamap_destroy(sc->bfe_tag,
-					sc->bfe_rx_ring[i].bfe_map);
 		}
 	}
 	bzero(sc->bfe_rx_list, BFE_RX_LIST_SIZE);
 	bus_dmamap_sync(sc->bfe_rx_tag, sc->bfe_rx_map, BUS_DMASYNC_PREREAD);
 }
 
-
 static int
 bfe_list_rx_init(struct bfe_softc *sc)
 {
@@ -975,6 +970,8 @@
 		for(i = 0; i < BFE_TX_LIST_CNT; i++) {
 			bus_dmamap_destroy(sc->bfe_tag,
 			    sc->bfe_tx_ring[i].bfe_map);
+			bus_dmamap_destroy(sc->bfe_tag,
+			    sc->bfe_rx_ring[i].bfe_map);
 		}
 		bus_dma_tag_destroy(sc->bfe_tag);
 		sc->bfe_tag = NULL;
--- bfe-bug.diff ends here ---



>Release-Note:
>Audit-Trail:
>Unformatted: