From owner-freebsd-drivers@freebsd.org  Mon Jun 19 01:28:25 2017
Return-Path: <owner-freebsd-drivers@freebsd.org>
Delivered-To: freebsd-drivers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5025FD921E3;
 Mon, 19 Jun 2017 01:28:25 +0000 (UTC)
 (envelope-from baijiaju1990@163.com)
Received: from m12-13.163.com (m12-13.163.com [220.181.12.13])
 by mx1.freebsd.org (Postfix) with ESMTP id 35F8B827E8;
 Mon, 19 Jun 2017 01:28:23 +0000 (UTC)
 (envelope-from baijiaju1990@163.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
 s=s110527; h=From:Subject:Date:Message-Id; bh=CIw6Vf/V9jrdt9ZWjR
 iLesifxgPY60E9XLcxRzR1+Yk=; b=LsCvAXVMrLcXZZ3/7CQ9PISgCCCKz8drdA
 sPmB0OFYTVQ4tveMidcPr2pE6z5TelRFWICGupDYVdEYbTnO4RcpEOF2DjSxJMXr
 TO4yTEju0XNuxwTHXqCg0CofFmBTMABYgRp0pc3CPaSTSrRso03bvW1lQIcT71BE
 8YT5uXYwg=
Received: from bai.tsinghua.edu.cn (unknown [166.111.70.9])
 by smtp9 (Coremail) with SMTP id DcCowAD3lVGmKEdZs3VPLQ--.57901S2;
 Mon, 19 Jun 2017 09:28:10 +0800 (CST)
From: Jia-Ju Bai <baijiaju1990@163.com>
To: wpaul@ctr.columbia.edu
Cc: freebsd-drivers@freebsd.org, freebsd-bugs@freebsd.org,
 freebsd-net@freebsd.org, Jia-Ju Bai <baijiaju1990@163.com>
Subject: [PATCH] if_xl: Fix a possible sleep-under-mutex bug in xl_list_rx_init
Date: Mon, 19 Jun 2017 09:28:04 +0800
Message-Id: <20170619012804.43725-1-baijiaju1990@163.com>
X-Mailer: git-send-email 2.13.0
X-CM-TRANSID: DcCowAD3lVGmKEdZs3VPLQ--.57901S2
X-Coremail-Antispam: 1Uf129KBjvdXoW7XF1xWFykXw4DJw1kZr1fZwb_yoWDArXEgF
 WkZr1xGr4akF1xKw1kuF4I9r12y3yfWrn3uryfXanrtr17Jrn8ta1vqrn3XF95uw4IyrWr
 Xayjqr48CF17CjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
 9fnUUvcSsGvfC2KfnxnUUI43ZEXa7IUboGQPUUUUU==
X-Originating-IP: [166.111.70.9]
X-CM-SenderInfo: xedlyx5dmximizq6il2tof0z/1tbiTQz7elc69srXqwAAst
X-BeenThere: freebsd-drivers@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Writing device drivers for FreeBSD <freebsd-drivers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-drivers>, 
 <mailto:freebsd-drivers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-drivers/>
List-Post: <mailto:freebsd-drivers@freebsd.org>
List-Help: <mailto:freebsd-drivers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-drivers>, 
 <mailto:freebsd-drivers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jun 2017 01:28:25 -0000

The driver may sleep under a mutex, and the code path is:
xl_resume [acquire the mutex]
  xl_init_locked
    xl_list_rx_init
      bus_dmamap_create(BUS_DMA_WAITOK) --> may sleep

The possible fix of this bug is to replace "BUS_DMA_WAITOK" in bus_dmamap_create with "BUS_DMA_NOWAIT".

This bug is found by a static analysis tool written by myself, and it is
checked by my review of the FreeBSD code.

Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
---
 sys/dev/xl/if_xl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/dev/xl/if_xl.c b/sys/dev/xl/if_xl.c
index 4c1c238981d..59b29ddc7ca 100644
--- a/sys/dev/xl/if_xl.c
+++ b/sys/dev/xl/if_xl.c
@@ -1726,7 +1726,7 @@ xl_list_rx_init(struct xl_softc *sc)
 
 	for (i = 0; i < XL_RX_LIST_CNT; i++) {
 		cd->xl_rx_chain[i].xl_ptr = &ld->xl_rx_list[i];
-		error = bus_dmamap_create(sc->xl_mtag, 0,
+		error = bus_dmamap_create(sc->xl_mtag, BUS_DMA_NOWAIT,
 		    &cd->xl_rx_chain[i].xl_map);
 		if (error)
 			return (error);
-- 
2.13.0