Message-Id: <201404122124.s3CLOcTk002502@guardian.highbaud.com>
Date: Sun, 13 Apr 2014 00:24:38 +0300 (EEST)
From: Yuri Zaporozhets <r_tty@yahoo.co.uk>
Reply-To: Yuri Zaporozhets <r_tty@yahoo.co.uk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Revision 262226 of /sys/dev/pci/pci.c causes kernel hang on an Asus CUBX board
X-Send-Pr-Version: 3.114
X-GNATS-Notify:

>Number:         188534
>Category:       kern
>Synopsis:       [pci] Revision 262226 of /sys/dev/pci/pci.c causes kernel hang on an Asus CUBX board
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    truckman
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 12 21:40:01 UTC 2014
>Closed-Date:    Tue May 20 16:48:32 UTC 2014
>Last-Modified:  Tue May 20 16:48:32 UTC 2014
>Originator:     Yuri Zaporozhets
>Release:        FreeBSD 8.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD guardian.localdomain 8.4-STABLE FreeBSD 8.4-STABLE #7 r262226M: Sat Apr 12 15:07:08 EEST 2014 yuriz@guardian.localdomain:/usr/home/yuriz/freebsd/sys/i386/compile/GUARDIAN i386


	Machine: ASUS CUBX ACPI BIOS Revision 1008 Beta 004
	PCI devices:

	hostb0@pci0:0:0:0:	class=0x060000 card=0x80251043 chip=0x71908086 rev=0x03 hdr=0x00
	    vendor     = 'Intel Corporation'
	    device     = '82443BX/ZX 440BX/ZX CPU to PCI Bridge (AGP Implemented)'
	pcib1@pci0:0:1:0:	class=0x060400 card=0x00000000 chip=0x71918086 rev=0x03 hdr=0x01
	    vendor     = 'Intel Corporation'
	    device     = '440BX/ZX AGPset PCI-to-PCI bridge (82443BX/ZX)'
	isab0@pci0:0:4:0:	class=0x060100 card=0x00000000 chip=0x71108086 rev=0x02 hdr=0x00
	    vendor     = 'Intel Corporation'
	    device     = 'PIIX4/4E/4M ISBridgeA  (82371AB/EB/MB)'
	atapci0@pci0:0:4:1:	class=0x010180 card=0x00000000 chip=0x71118086 rev=0x01 hdr=0x00
	    vendor     = 'Intel Corporation'
	    device     = 'PIIX4/4E/4M IDE Controller (82371AB/EB/MB)'
	uhci0@pci0:0:4:2:	class=0x0c0300 card=0x00000000 chip=0x71128086 rev=0x01 hdr=0x00
	    vendor     = 'Intel Corporation'
	    device     = 'PIIX4/4E/4M USB Interface (82371AB/EB/MB)'
	none0@pci0:0:4:3:	class=0x068000 card=0x00000000 chip=0x71138086 rev=0x02 hdr=0x00
	    vendor     = 'Intel Corporation'
	atapci1@pci0:0:7:0:	class=0x010400 card=0x80251043 chip=0x06481095 rev=0x01 hdr=0x00
	    vendor     = 'Silicon Image Inc (Was: CMD Technology Inc)'
	    device     = 'Bus Master Ultra DMA PCI-IDE/ATA Chip (PCI-648)'
	fxp0@pci0:0:10:0:	class=0x020000 card=0x00408086 chip=0x12298086 rev=0x0c hdr=0x00
	    vendor     = 'Intel Corporation'
	    device     = '82550/1/7/8/9 EtherExpress PRO/100(B) Ethernet Adapter'
	vgapci0@pci0:0:11:0:	class=0x030000 card=0x00000000 chip=0x56315333 rev=0x06 hdr=0x00
	    vendor     = 'S3 Graphics Co., Ltd'
	    device     = 'Virge 3D  (86C325)'
	fxp1@pci0:0:13:0:	class=0x020000 card=0xb0d70e11 chip=0x12298086 rev=0x05 hdr=0x00
	    vendor     = 'Intel Corporation'
	    device     = '82550/1/7/8/9 EtherExpress PRO/100(B) Ethernet Adapter'

>Description:
	Revision 262226 of pci.c causes the kernel to hang/crash early during boot.
	The following line causes the crash (pci.c, near line 2743):

	flags = RF_ALIGNMENT_LOG2(mapsize);

	Setting flags to zero (as it was in the previous release) fixes the
	problem completely.

>How-To-Repeat:

	Just boot the system using r262226 or any later 8.4-STABLE kernel.
	The sign that something is wrong is visible on the screen immediately
	after boot: some text characters on the screen become overwritten by
	some apparently random symbols.
>Fix:

	Setting flags variable to zero fixes the problem (as it was in the
	previous release of this file, r262134).

	I added a debug print near the line where flags is set, namely

		flags = RF_ALIGNMENT_LOG2(mapsize);
	+device_printf(bus, "slot=0x%X, flags=0x%X\n", pci_get_slot(dev), flags);
	+flags = 0;

	and here are the values I got upon successful boot:

	pci0: slot=0x0, flags=0x6800
	pci0: slot=0x4, flags=0x1000
	pci0: slot=0x4, flags=0x1400
	pci0: slot=0x4, flags=0x1000
	pci0: slot=0x7, flags=0xC00
	pci0: slot=0x7, flags=0x800
	pci0: slot=0x7, flags=0xC00
	pci0: slot=0x7, flags=0x800
	pci0: slot=0x7, flags=0x1000
	pci0: slot=0xA, flags=0x3000
	pci0: slot=0xA, flags=0x1800
	pci0: slot=0xA, flags=0x4400
	pci0: slot=0xB, flags=0x6800
	pci0: slot=0xD, flags=0x3000
	pci0: slot=0xD, flags=0x1400
	pci0: slot=0xD, flags=0x5000
>Release-Note:
>Audit-Trail:

From: Yuri Zaporozhets <r_tty@yahoo.co.uk>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/188534: Revision 262226 of /sys/dev/pci/pci.c causes kernel
 hang on an Asus CUBX board
Date: Sun, 13 Apr 2014 22:26:39 +0300

 Hello,
 
 I just noticed that replacing
 
     flags = RF_ALIGNMENT_LOG2(mapsize);
 
 with
 
     flags = rman_make_alignment_flags(mapsize);
 
 fixes the problem and the kernel boots just fine.
 
 In these two cases the values for flags are obviously very different.
 Here is a table to compare (the case for my machine):
 
 slot	bad flags (buggy)	new flags (fine)
 ------------------------------------------------
 0x0	0x6800			0x1400
 0x4	0x1000			0x800
 0x4	0x1400			0xC00
 0x4	0x1000			0x800
 0x7	0xC00 			0x800
 0x7	0x800 			0x400
 0x7	0xC00 			0x800
 0x7	0x800 			0x400
 0x7	0x1000			0x800
 0xA	0x3000			0x1000
 0xA	0x1800			0xC00
 0xA	0x4400			0x1400
 0xB	0x6800			0x1400
 0xD	0x3000			0x1000
 0xD	0x1400			0xC00
 0xD	0x5000			0x1400
 
 If this is indeed a bug and not a design feature (I cannot be 100% sure since
 I haven't read the specifications or code thoroughly), then it looks quite
 serious, and presumably it may cause the crash not only on my particular
 machine configuration.
 
 -- 
 Regards,
 Yuri
Responsible-Changed-From-To: freebsd-bugs->jhb 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Apr 13 22:37:04 UTC 2014 
Responsible-Changed-Why:  
over to committer in question. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=188534 

From: John Baldwin <jhb@freebsd.org>
To: bug-followup@freebsd.org,
 r_tty@yahoo.co.uk
Cc:  
Subject: Re: kern/188534: [pci] Revision 262226 of /sys/dev/pci/pci.c causes kernel hang on an Asus CUBX board
Date: Mon, 14 Apr 2014 14:19:57 -0400

 rman_make_alignment_flags() is not appropriate as 'mapsize' is already a log 
 base 2 of the BAR's size.  Can you capture a verbose dmesg (boot -v) both with 
 and without the change to force flags to zero?
 
 -- 
 John Baldwin
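
Added example (not part of the PR, the thread, or the FreeBSD sources): a C model of the two flag encodings compared in the table above and of the alignment round-up that the later commit guards. The macro bodies and make_alignment_flags() are modelled on sys/rman.h and rman_make_alignment_flags(); amask_of(), roundup_wraps(), align_up(), the uint32_t stand-in for i386 unsigned long, and the start address 0xFE000000 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Modelled on the sys/rman.h macros: alignment exponent in bits 10..15. */
#define RF_ALIGNMENT_SHIFT	10
#define RF_ALIGNMENT_MASK	(0x3Fu << RF_ALIGNMENT_SHIFT)
#define RF_ALIGNMENT_LOG2(x)	((uint32_t)(x) << RF_ALIGNMENT_SHIFT)
#define RF_ALIGNMENT(f)		(((f) & RF_ALIGNMENT_MASK) >> RF_ALIGNMENT_SHIFT)

/* Model of rman_make_alignment_flags(): expects a size in bytes and encodes
 * ceil(log2(size)); fed a value that is already a log2, it takes log2 again. */
static uint32_t make_alignment_flags(uint32_t size)
{
	int i;
	for (i = 31; i > 0; i--)
		if ((UINT32_C(1) << i) & size)
			break;
	if (~(UINT32_C(1) << i) & size)
		i++;
	return RF_ALIGNMENT_LOG2(i);
}

/* amask as in the patch; uint32_t stands in for i386's unsigned long. */
static uint32_t amask_of(uint32_t flags)
{
	unsigned e = RF_ALIGNMENT(flags);
	return e >= 32 ? UINT32_MAX : (UINT32_C(1) << e) - 1;
}

/* The wrap test added in r265363. */
static int roundup_wraps(uint32_t start, uint32_t amask)
{
	return start + amask < start;
}

/* Assumed use of amask: the usual mask round-up, with no wrap check. */
static uint32_t align_up(uint32_t start, uint32_t amask)
{
	return (start + amask) & ~amask;
}

int main(void)
{
	/* Some "bad flags" values from the PR table; start is constructed. */
	static const uint32_t bad[] = { 0x6800, 0x1000, 0x1400, 0xC00, 0x3000, 0x4400 };
	const uint32_t start = 0xFE000000u;
	for (size_t i = 0; i < sizeof(bad) / sizeof(bad[0]); i++) {
		uint32_t alt = make_alignment_flags(RF_ALIGNMENT(bad[i]));
		printf("0x%04x -> 0x%04x  aligned start 0x%08x vs 0x%08x%s\n", (unsigned)bad[i],
		    (unsigned)alt, (unsigned)align_up(start, amask_of(bad[i])), (unsigned)align_up(start, amask_of(alt)),
		    roundup_wraps(start, amask_of(bad[i])) ? "  (wrapped)" : "");
	}
}
```

With the logged flags 0x6800 the exponent is 26, so the mask is 0x03FFFFFF and rounding up the constructed start wraps to 0; the substituted encoding shrinks the exponent to 5, which avoids the wrap without addressing it.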

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/188534: commit references a PR
Date: Mon,  5 May 2014 15:59:37 +0000 (UTC)

 Author: truckman
 Date: Mon May  5 15:59:31 2014
 New Revision: 265363
 URL: http://svnweb.freebsd.org/changeset/base/265363
 
 Log:
   Avoid unsigned integer overflow which can cause
   rman_reserve_resource_bound() to return incorrect results.
   
   Continue the initial search until the first viable region is found.
   
   Add a comment to explain the search termination test.
   
   PR:		kern/188534
   Reviewed by:	jhb (previous version)
   MFC after:	1 week
 
 Modified:
   head/sys/kern/subr_rman.c
 
 Modified: head/sys/kern/subr_rman.c
 ==============================================================================
 --- head/sys/kern/subr_rman.c	Mon May  5 14:57:38 2014	(r265362)
 +++ head/sys/kern/subr_rman.c	Mon May  5 15:59:31 2014	(r265363)
 @@ -456,7 +456,7 @@ rman_reserve_resource_bound(struct rman 
  	mtx_lock(rm->rm_mtx);
  
  	for (r = TAILQ_FIRST(&rm->rm_list);
 -	     r && r->r_end < start;
 +	     r && r->r_end < start + count - 1;
  	     r = TAILQ_NEXT(r, r_link))
  		;
  
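Review bot: The new loop bound `start + count - 1` is itself an unsigned sum that can wrap when start is near the top of the range, and nothing in this hunk guards it; the wrap tests added further down cover only the `+ amask` sums. If it wraps, `r->r_end < start + count - 1` turns false almost immediately and the initial search stops at the first region in the list. Consider rejecting the request before the loop when `start + count - 1 < start`.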
 @@ -466,6 +466,11 @@ rman_reserve_resource_bound(struct rman 
  	}
  
  	amask = (1ul << RF_ALIGNMENT(flags)) - 1;
 +	if (start + amask < start) {
 +		DPRINTF(("start+amask wrapped around\n"));
 +		goto out;
 +	}
 +
  	/* If bound is 0, bmask will also be 0 */
  	bmask = ~(bound - 1);
  	/*
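Review bot: The shift in `amask = (1ul << RF_ALIGNMENT(flags)) - 1;` is still unchecked ahead of the new wrap test: if the alignment exponent taken from flags reaches the bit width of unsigned long, the shift is undefined and `start + amask < start` is then evaluated on a meaningless mask. Reject an out-of-range exponent before computing amask. The new DPRINTF would also be more useful if it printed start and amask, as the later `s->r_start ... wrapped` message does.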
 @@ -473,11 +478,20 @@ rman_reserve_resource_bound(struct rman 
  	 */
  	for (s = r; s; s = TAILQ_NEXT(s, r_link)) {
  		DPRINTF(("considering [%#lx, %#lx]\n", s->r_start, s->r_end));
 -		if (s->r_start + count - 1 > end) {
 +		/*
 +		 * The resource list is sorted, so there is no point in
 +		 * searching further once r_start is too large.
 +		 */
 +		if (s->r_start > end - (count - 1)) {
  			DPRINTF(("s->r_start (%#lx) + count - 1> end (%#lx)\n",
  			    s->r_start, end));
  			break;
  		}
 +		if (s->r_start + amask < s->r_start) {
 +			DPRINTF(("s->r_start (%#lx) + amask (%#lx) wrapped\n",
 +			    s->r_start, amask));
 +			break;
 +		}
  		if (s->r_flags & RF_ALLOCATED) {
  			DPRINTF(("region is allocated\n"));
  			continue;
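Review bot: The rewritten termination test `s->r_start > end - (count - 1)` removes the wrap in `s->r_start + count - 1` but introduces a subtraction that underflows when count - 1 exceeds end, in which case the right-hand side becomes very large and the loop no longer terminates early. Nothing in this hunk establishes `count - 1 <= end`; state that precondition in the new comment or check it before the loop. The DPRINTF text kept below the test still describes the old `s->r_start + count - 1> end` form and could be updated to match.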
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/188534: commit references a PR
Date: Mon, 12 May 2014 04:27:14 +0000 (UTC)

 Author: truckman
 Date: Mon May 12 04:27:10 2014
 New Revision: 265901
 URL: http://svnweb.freebsd.org/changeset/base/265901
 
 Log:
   MFC r265363
   
   Avoid unsigned integer overflow which can cause
   rman_reserve_resource_bound() to return incorrect results.
   
   Continue the initial search until the first viable region is found.
   
   Add a comment to explain the search termination test.
   
   PR:		kern/188534
   Reviewed by:	jhb (previous version)
 
 Modified:
   stable/10/sys/kern/subr_rman.c
 Directory Properties:
   stable/10/   (props changed)
 
 Modified: stable/10/sys/kern/subr_rman.c
 ==============================================================================
 --- stable/10/sys/kern/subr_rman.c	Mon May 12 02:56:27 2014	(r265900)
 +++ stable/10/sys/kern/subr_rman.c	Mon May 12 04:27:10 2014	(r265901)
 @@ -456,7 +456,7 @@ rman_reserve_resource_bound(struct rman 
  	mtx_lock(rm->rm_mtx);
  
  	for (r = TAILQ_FIRST(&rm->rm_list);
 -	     r && r->r_end < start;
 +	     r && r->r_end < start + count - 1;
  	     r = TAILQ_NEXT(r, r_link))
  		;
  
 @@ -466,6 +466,11 @@ rman_reserve_resource_bound(struct rman 
  	}
  
  	amask = (1ul << RF_ALIGNMENT(flags)) - 1;
 +	if (start + amask < start) {
 +		DPRINTF(("start+amask wrapped around\n"));
 +		goto out;
 +	}
 +
  	/* If bound is 0, bmask will also be 0 */
  	bmask = ~(bound - 1);
  	/*
 @@ -473,11 +478,20 @@ rman_reserve_resource_bound(struct rman 
  	 */
  	for (s = r; s; s = TAILQ_NEXT(s, r_link)) {
  		DPRINTF(("considering [%#lx, %#lx]\n", s->r_start, s->r_end));
 -		if (s->r_start + count - 1 > end) {
 +		/*
 +		 * The resource list is sorted, so there is no point in
 +		 * searching further once r_start is too large.
 +		 */
 +		if (s->r_start > end - (count - 1)) {
  			DPRINTF(("s->r_start (%#lx) + count - 1> end (%#lx)\n",
  			    s->r_start, end));
  			break;
  		}
 +		if (s->r_start + amask < s->r_start) {
 +			DPRINTF(("s->r_start (%#lx) + amask (%#lx) wrapped\n",
 +			    s->r_start, amask));
 +			break;
 +		}
  		if (s->r_flags & RF_ALLOCATED) {
  			DPRINTF(("region is allocated\n"));
  			continue;
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/188534: commit references a PR
Date: Mon, 12 May 2014 04:30:57 +0000 (UTC)

 Author: truckman
 Date: Mon May 12 04:30:53 2014
 New Revision: 265902
 URL: http://svnweb.freebsd.org/changeset/base/265902
 
 Log:
   MFC r265363
   
   Avoid unsigned integer overflow which can cause
   rman_reserve_resource_bound() to return incorrect results.
   
   Continue the initial search until the first viable region is found.
   
   Add a comment to explain the search termination test.
   
   PR:		kern/188534
   Reviewed by:	jhb (previous version)
 
 Modified:
   stable/9/sys/kern/subr_rman.c
 Directory Properties:
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/kern/subr_rman.c
 ==============================================================================
 --- stable/9/sys/kern/subr_rman.c	Mon May 12 04:27:10 2014	(r265901)
 +++ stable/9/sys/kern/subr_rman.c	Mon May 12 04:30:53 2014	(r265902)
 @@ -451,7 +451,7 @@ rman_reserve_resource_bound(struct rman 
  	mtx_lock(rm->rm_mtx);
  
  	for (r = TAILQ_FIRST(&rm->rm_list);
 -	     r && r->r_end < start;
 +	     r && r->r_end < start + count - 1;
  	     r = TAILQ_NEXT(r, r_link))
  		;
  
 @@ -461,6 +461,11 @@ rman_reserve_resource_bound(struct rman 
  	}
  
  	amask = (1ul << RF_ALIGNMENT(flags)) - 1;
 +	if (start + amask < start) {
 +		DPRINTF(("start+amask wrapped around\n"));
 +		goto out;
 +	}
 +
  	/* If bound is 0, bmask will also be 0 */
  	bmask = ~(bound - 1);
  	/*
 @@ -468,11 +473,20 @@ rman_reserve_resource_bound(struct rman 
  	 */
  	for (s = r; s; s = TAILQ_NEXT(s, r_link)) {
  		DPRINTF(("considering [%#lx, %#lx]\n", s->r_start, s->r_end));
 -		if (s->r_start + count - 1 > end) {
 +		/*
 +		 * The resource list is sorted, so there is no point in
 +		 * searching further once r_start is too large.
 +		 */
 +		if (s->r_start > end - (count - 1)) {
  			DPRINTF(("s->r_start (%#lx) + count - 1> end (%#lx)\n",
  			    s->r_start, end));
  			break;
  		}
 +		if (s->r_start + amask < s->r_start) {
 +			DPRINTF(("s->r_start (%#lx) + amask (%#lx) wrapped\n",
 +			    s->r_start, amask));
 +			break;
 +		}
  		if (s->r_flags & RF_ALLOCATED) {
  			DPRINTF(("region is allocated\n"));
  			continue;
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/188534: commit references a PR
Date: Mon, 12 May 2014 07:05:49 +0000 (UTC)

 Author: truckman
 Date: Mon May 12 07:05:46 2014
 New Revision: 265905
 URL: http://svnweb.freebsd.org/changeset/base/265905
 
 Log:
   MFC r265363
   
   Avoid unsigned integer overflow which can cause
   rman_reserve_resource_bound() to return incorrect results.
   
   Continue the initial search until the first viable region is found.
   
   Add a comment to explain the search termination test.
   
   PR:		kern/188534
   Reviewed by:	jhb (previous version)
 
 Modified:
   stable/8/sys/kern/subr_rman.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/kern/   (props changed)
 
 Modified: stable/8/sys/kern/subr_rman.c
 ==============================================================================
 --- stable/8/sys/kern/subr_rman.c	Mon May 12 06:14:14 2014	(r265904)
 +++ stable/8/sys/kern/subr_rman.c	Mon May 12 07:05:46 2014	(r265905)
 @@ -451,7 +451,7 @@ rman_reserve_resource_bound(struct rman 
  	mtx_lock(rm->rm_mtx);
  
  	for (r = TAILQ_FIRST(&rm->rm_list);
 -	     r && r->r_end < start;
 +	     r && r->r_end < start + count - 1;
  	     r = TAILQ_NEXT(r, r_link))
  		;
  
 @@ -461,6 +461,11 @@ rman_reserve_resource_bound(struct rman 
  	}
  
  	amask = (1ul << RF_ALIGNMENT(flags)) - 1;
 +	if (start + amask < start) {
 +		DPRINTF(("start+amask wrapped around\n"));
 +		goto out;
 +	}
 +
  	/* If bound is 0, bmask will also be 0 */
  	bmask = ~(bound - 1);
  	/*
 @@ -468,11 +473,20 @@ rman_reserve_resource_bound(struct rman 
  	 */
  	for (s = r; s; s = TAILQ_NEXT(s, r_link)) {
  		DPRINTF(("considering [%#lx, %#lx]\n", s->r_start, s->r_end));
 -		if (s->r_start + count - 1 > end) {
 +		/*
 +		 * The resource list is sorted, so there is no point in
 +		 * searching further once r_start is too large.
 +		 */
 +		if (s->r_start > end - (count - 1)) {
  			DPRINTF(("s->r_start (%#lx) + count - 1> end (%#lx)\n",
  			    s->r_start, end));
  			break;
  		}
 +		if (s->r_start + amask < s->r_start) {
 +			DPRINTF(("s->r_start (%#lx) + amask (%#lx) wrapped\n",
 +			    s->r_start, amask));
 +			break;
 +		}
  		if (s->r_flags & RF_ALLOCATED) {
  			DPRINTF(("region is allocated\n"));
  			continue;
 
State-Changed-From-To: open->patched 
State-Changed-By: truckman 
State-Changed-When: Mon May 12 07:11:36 UTC 2014 
State-Changed-Why:  
Take this. 

Patch merged to stable/8 in r265905. 


Responsible-Changed-From-To: jhb->truckman 
Responsible-Changed-By: truckman 
Responsible-Changed-When: Mon May 12 07:11:36 UTC 2014 
Responsible-Changed-Why:  
Take this. 

Patch merged to stable/8 in r265905. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=188534 
State-Changed-From-To: patched->closed 
State-Changed-By: truckman 
State-Changed-When: Tue May 20 16:46:42 UTC 2014 
State-Changed-Why:  
Confirmed fixed in latest kernel. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=188534 
>Unformatted:
