From owner-freebsd-bugs@FreeBSD.ORG  Sun Oct 30 19:50:11 2011
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A8050106564A
	for <freebsd-bugs@hub.freebsd.org>;
	Sun, 30 Oct 2011 19:50:11 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 7D8E78FC15
	for <freebsd-bugs@hub.freebsd.org>;
	Sun, 30 Oct 2011 19:50:11 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p9UJoBiW066893
	for <freebsd-bugs@freefall.freebsd.org>; Sun, 30 Oct 2011 19:50:11 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p9UJoBYI066892;
	Sun, 30 Oct 2011 19:50:11 GMT (envelope-from gnats)
Resent-Date: Sun, 30 Oct 2011 19:50:11 GMT
Resent-Message-Id: <201110301950.p9UJoBYI066892@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Ian Lepore <freebsd@damnhippie.dyndns.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AB608106564A
	for <freebsd-gnats-submit@freebsd.org>;
	Sun, 30 Oct 2011 19:40:24 +0000 (UTC)
	(envelope-from ilepore@damnhippie.dyndns.org)
Received: from qmta08.emeryville.ca.mail.comcast.net
	(qmta08.emeryville.ca.mail.comcast.net [76.96.30.80])
	by mx1.freebsd.org (Postfix) with ESMTP id 9116B8FC0A
	for <freebsd-gnats-submit@freebsd.org>;
	Sun, 30 Oct 2011 19:40:24 +0000 (UTC)
Received: from omta20.emeryville.ca.mail.comcast.net ([76.96.30.87])
	by qmta08.emeryville.ca.mail.comcast.net with comcast
	id r7GK1h0011smiN4A87gG6z; Sun, 30 Oct 2011 19:40:16 +0000
Received: from damnhippie.dyndns.org ([24.8.232.202])
	by omta20.emeryville.ca.mail.comcast.net with comcast
	id r7a21h0064NgCEG8g7a658; Sun, 30 Oct 2011 19:34:06 +0000
Received: from revolution.hippie.lan (revolution.hippie.lan [172.22.42.240])
	by damnhippie.dyndns.org (8.14.3/8.14.3) with ESMTP id p9UJeIDt044357
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun, 30 Oct 2011 13:40:18 -0600 (MDT)
	(envelope-from ilepore@damnhippie.dyndns.org)
Received: (from ilepore@localhost)
	by revolution.hippie.lan (8.14.5/8.14.4/Submit) id p9UJeITQ049268;
	Sun, 30 Oct 2011 13:40:18 -0600 (MDT) (envelope-from ilepore)
Message-Id: <201110301940.p9UJeITQ049268@revolution.hippie.lan>
Date: Sun, 30 Oct 2011 13:40:18 -0600 (MDT)
From: Ian Lepore <freebsd@damnhippie.dyndns.org>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: kern/162174: [patch] rman_manage_region() error return path leaves
	mutex locked
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Ian Lepore <freebsd@damnhippie.dyndns.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2011 19:50:11 -0000


>Number:         162174
>Category:       kern
>Synopsis:       [patch] rman_manage_region() error return path leaves mutex locked
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 30 19:50:11 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Ian Lepore <freebsd@damnhippie.dyndns.org>
>Release:        FreeBSD 8.2-STABLE
>Organization:
Symmetricom, Inc.
>Environment:
FreeBSD tflex 8.2-STABLE FreeBSD 8.2-STABLE #29: Tue Oct 11 13:32:35 UTC 2011     root@revolution.hippie.lan:/usr/obj/arm/usr/src/sys/TFLEX  arm

>Description:
If rman_manage_region() detects an overlapping region and returns EBUSY it
leaves the rman mutex locked, causing a panic on some future rman call.

>How-To-Repeat:

>Fix:
This patch was generated against 8.2-STABLE but applies cleanly to -current.
The error handling idiom in this module seems to be the "goto out" style so
I did this same way.

--- kern_subr.diff begins here ---
diff -r 96e180d3dc91 sys/kern/subr_rman.c
--- sys/kern/subr_rman.c.orig	Sat Oct 29 17:47:07 2011 -0600
+++ sys/kern/subr_rman.c	Sun Oct 30 13:23:14 2011 -0600
@@ -158,6 +158,7 @@ rman_init(struct rman *rm)
 int
 rman_manage_region(struct rman *rm, u_long start, u_long end)
 {
+	int rv;
 	struct resource_i *r, *s, *t;
 
 	DPRINTF(("rman_manage_region: <%s> request: start %#lx, end %#lx\n",
@@ -184,14 +185,16 @@ rman_manage_region(struct rman *rm, u_lo
 		TAILQ_INSERT_TAIL(&rm->rm_list, r, r_link);
 	} else {
 		/* Check for any overlap with the current region. */
-		if (r->r_start <= s->r_end && r->r_end >= s->r_start)
-			return EBUSY;
-
+		if (r->r_start <= s->r_end && r->r_end >= s->r_start) {
+			rv = EBUSY;
+			goto out;
+		}
 		/* Check for any overlap with the next region. */
 		t = TAILQ_NEXT(s, r_link);
-		if (t && r->r_start <= t->r_end && r->r_end >= t->r_start)
-			return EBUSY;
-
+		if (t && r->r_start <= t->r_end && r->r_end >= t->r_start) {
+			rv = EBUSY;
+			goto out;
+		}
 		/*
 		 * See if this region can be merged with the next region.  If
 		 * not, clear the pointer.
@@ -222,8 +225,10 @@ rman_manage_region(struct rman *rm, u_lo
 		}
 	}
 
+	rv = 0;
+out:
 	mtx_unlock(rm->rm_mtx);
-	return 0;
+	return (rv);
 }
 
 int
--- kern_subr.diff ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted: