From uspoerlein@gmail.com  Sat May 27 15:59:08 2006
Return-Path: <uspoerlein@gmail.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E276716B99C
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 27 May 2006 15:59:08 +0000 (UTC)
	(envelope-from uspoerlein@gmail.com)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.188])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 24BA143D48
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 27 May 2006 15:59:07 +0000 (GMT)
	(envelope-from uspoerlein@gmail.com)
Received: by nf-out-0910.google.com with SMTP id m18so11109nfc
        for <FreeBSD-gnats-submit@freebsd.org>; Sat, 27 May 2006 08:59:07 -0700 (PDT)
Received: by 10.48.226.14 with SMTP id y14mr361748nfg;
        Sat, 27 May 2006 07:54:43 -0700 (PDT)
Received: from roadrunner.q.local ( [217.185.119.165])
        by mx.gmail.com with ESMTP id l21sm1649749nfc.2006.05.27.07.56.18;
        Sat, 27 May 2006 07:56:21 -0700 (PDT)
Received: from roadrunner.q.local (localhost [127.0.0.1])
	by roadrunner.q.local (8.13.6/8.13.6) with ESMTP id k4P8YhKA001544
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 25 May 2006 10:34:44 +0200 (CEST)
	(envelope-from q@roadrunner.q.local)
Received: (from q@localhost)
	by roadrunner.q.local (8.13.6/8.13.6/Submit) id k4OFc1O4001715;
	Wed, 24 May 2006 17:38:01 +0200 (CEST)
	(envelope-from q)
Message-Id: <200605241538.k4OFc1O4001715@roadrunner.q.local>
Date: Wed, 24 May 2006 17:38:01 +0200 (CEST)
From: Ulrich Spoerlein <uspoerlein@gmail.com>
Reply-To: Ulrich Spoerlein <uspoerlein@gmail.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] bfe(4): double free in error handling path.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         98015
>Category:       kern
>Synopsis:       [bfe] [patch] bfe(4): double free in error handling path.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    remko
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 27 16:00:44 GMT 2006
>Closed-Date:    Fri May 28 17:24:22 UTC 2010
>Last-Modified:  Fri May 28 17:24:22 UTC 2010
>Originator:     Ulrich Spoerlein
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
>Environment:
>Description:
When bfe_attach() fails, bfe_release_resources() is sometimes called twice.

>How-To-Repeat:
Change one if (foo()) to if (foo() || 1) and watch it panic.
>Fix:

Please note that I really don't know what I'm doing here! I looked at various
other drivers in the tree, and they are all similar yet slightly different. I'm
pretty sure there are more faulty drivers due to copy'n'paste.

Since bfe_release_resources() is now only called from bfe_detach(), these two
could/should be merged. This would bring bfe(4) more in line with other NIC
drivers. There are also some style(9) "violations".

NB: Found by:	Coverity CID 476

Then, there was a lock order reversal on kldunload. It seems it has vanished,
though I'm really not sure right now.

--- syscall (444, FreeBSD ELF32, kldunloadf), eip = 0x480b45cb, esp = 0xbfbfe89c, ebp = 0xbfbfed08 ---
lock order reversal: (sleepable after non-sleepable)
 1st 0xc5020114 bfe0 (network driver) @ /usr/src/sys/modules/bfe/../../dev/bfe/if_bfe.c:446
 2nd 0xc08b3b40 ACPI root bus (ACPI root bus) @ /usr/src/sys/modules/acpi/acpi/../../../dev/acpica/acpi.c:1075
KDB: stack backtrace:
kdb_backtrace(0,ffffffff,c072b2c0,c072bc20,c06f2d8c) at kdb_backtrace+0x29
witness_checkorder(c08b3b40,9,c08ac97b,433) at witness_checkorder+0x578
_sx_xlock(c08b3b40,c08ac97b,433,c4b4cc00,c4dc1640) at _sx_xlock+0x50
acpi_release_resource(c4b4cc00,c4c28500,1,0,c4dc1640) at acpi_release_resource+0x23
bus_generic_release_resource(c4b4c700,c4c28500,1,0,c4dc1640) at bus_generic_release_resource+0x64
resource_list_release(c4c4cd04,c4c04980,c4c28500,1,0) at resource_list_release+0x6e
bus_generic_rl_release_resource(c4c04980,c4c28500,1,0,c4dc1640) at bus_generic_rl_release_resource+0x5e
bus_generic_release_resource(c4c04600,c4c28500,1,0,c4dc1640) at bus_generic_release_resource+0x64
resource_list_release(c4c4cd04,c4c28580,c4c28500,1,0) at resource_list_release+0xfb
bus_generic_rl_release_resource(c4c28580,c4c28500,1,0,c4dc1640) at bus_generic_rl_release_resource+0x5e
bus_release_resource(c4c28500,1,0,c4dc1640,c501e000) at bus_release_resource+0x61
bfe_release_resources(c4dc9c00,c4c28500,c4c28500,c4ef4800,ed0cdc30) at bfe_release_resources+0x142
bfe_detach(c4c28500) at bfe_detach+0x58
device_detach(c4c28500) at device_detach+0x70
devclass_delete_driver(c4b0a240,c501d6f0,c4dc1900,c4f6d700,0) at devclass_delete_driver+0x8c
driver_module_handler(c4dc1900,1,c501d6dc,c4dc1900,ed0cdcb0) at driver_module_handler+0xa5
module_unload(c4dc1900,0,c071c500,c06b0e72,1fb) at module_unload+0x37
linker_file_unload(c4f6d700,0,0,c4db1900,ed0cdcdc) at linker_file_unload+0x72
kern_kldunload(c4db1900,1d,0,ed0cdd30,c0678e17) at kern_kldunload+0x7c
kldunloadf(c4db1900,ed0cdd04,2,0,292) at kldunloadf+0x1e
syscall(3b,3b,3b,1d,bfbfee37) at syscall+0x22f
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (444, FreeBSD ELF32, kldunloadf), eip = 0x480b45cb, esp = 0xbfbfe89c, ebp = 0xbfbfed08 ---


--- if_bfe.patch begins here ---
--- if_bfe.c.orig	Tue May 23 19:49:54 2006
+++ if_bfe.c	Wed May 24 17:16:32 2006
@@ -369,7 +369,6 @@
 	if (bfe_dma_alloc(dev)) {
 		printf("bfe%d: failed to allocate DMA resources\n",
 		    sc->bfe_unit);
-		bfe_release_resources(sc);
 		error = ENXIO;
 		goto fail;
 	}
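Review bot: with the explicit bfe_release_resources(sc) dropped, this branch cleans up only through the `fail:` label, which this same patch turns into a bfe_detach(dev) call. That works because `error = ENXIO` is still set before the `goto fail`, but bfe_detach() then runs on a device that was never marked attached and asserts that bfe_mtx is initialized, so bfe_mtx must be initialized earlier in bfe_attach() than this bfe_dma_alloc() check; that ordering is outside the hunk and should be confirmed. Whatever bfe_dma_alloc() allocated before failing is now released by bfe_release_resources() only if that function NULL-checks each item, as it visibly does for bfe_vpd_prodname and bfe_parent_tag.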
@@ -424,13 +423,14 @@
 			bfe_intr, sc, &sc->bfe_intrhand);
 
 	if (error) {
-		bfe_release_resources(sc);
 		printf("bfe%d: couldn't set up irq\n", unit);
+		ether_ifdetach(ifp);
 		goto fail;
 	}
 fail:
 	if (error)
-		bfe_release_resources(sc);
+		bfe_detach(dev);
+
 	return (error);
 }
 
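Review bot: the irq failure branch now performs ether_ifdetach(ifp) itself and then relies on `fail:` calling bfe_detach(dev). bfe_detach() only calls ether_ifdetach() when device_is_attached(dev) is true, which it is not during attach, so there is no double detach, but the ifnet teardown is now split between this branch and bfe_detach(); a one-line comment here saying the detach path will not do it would save the next reader the trace. Nothing in the visible hunks calls if_free(ifp) on a failed attach, so confirm that bfe_release_resources() frees the ifnet or it leaks on this path. Moving the printf ahead of the ether_ifdetach() is fine.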
@@ -443,24 +443,17 @@
 	sc = device_get_softc(dev);
 
 	KASSERT(mtx_initialized(&sc->bfe_mtx), ("bfe mutex not initialized"));
-	BFE_LOCK(sc);
-
 	ifp = sc->bfe_ifp;
 
 	if (device_is_attached(dev)) {
+		BFE_LOCK(sc);
 		bfe_stop(sc);
+		bfe_chip_reset(sc);
+		BFE_UNLOCK(sc);
 		ether_ifdetach(ifp);
 	}
 
-	bfe_chip_reset(sc);
-
-	bus_generic_detach(dev);
-	if(sc->bfe_miibus != NULL)
-		device_delete_child(dev, sc->bfe_miibus);
-
 	bfe_release_resources(sc);
-	BFE_UNLOCK(sc);
-	mtx_destroy(&sc->bfe_mtx);
 
 	return (0);
 }
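Review bot: holding BFE_LOCK only around bfe_stop()/bfe_chip_reset() and calling bfe_release_resources() unlocked is what addresses the lock order reversal quoted in the report: the backtrace shows the bfe0 mutex taken at if_bfe.c:446 and then the ACPI root bus sx lock taken in acpi_release_resource(), reached from bfe_release_resources() inside bfe_detach(). Two behaviour changes to double-check: bfe_chip_reset() now runs only when device_is_attached(dev) is true, whereas it previously ran unconditionally, so a failed attach routed through bfe_detach() no longer resets the chip; and the interrupt handler is still registered between BFE_UNLOCK(sc) and the later release, so an interrupt arriving after bfe_stop() must be harmless, which the hunk cannot show. Minor: the `ifp = sc->bfe_ifp;` assignment now follows the KASSERT with no separating blank line.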
@@ -922,6 +915,11 @@
 
 	dev = sc->bfe_dev;
 
+	if (sc->bfe_miibus != NULL)
+		device_delete_child(dev, sc->bfe_miibus);
+
+	bus_generic_detach(dev);
+
 	if (sc->bfe_vpd_prodname != NULL)
 		free(sc->bfe_vpd_prodname, M_DEVBUF);
 
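Review bot: the order here is the reverse of the lines removed from bfe_detach(), which did bus_generic_detach(dev) first and then device_delete_child(dev, sc->bfe_miibus). device_delete_child() detaches the child itself, so both orders probably work, but keeping the original sequence avoids hiding a behaviour change inside what is otherwise a move. bfe_release_resources() is also now reached from the attach-failure path, where bfe_miibus can still be NULL; the NULL check covers that, and bus_generic_detach() with no children is a no-op.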
@@ -971,6 +969,8 @@
 
 	if(sc->bfe_parent_tag != NULL)
 		bus_dma_tag_destroy(sc->bfe_parent_tag);
+
+	mtx_destroy(&sc->bfe_mtx);
 
 	return;
 }
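Review bot: mtx_destroy(&sc->bfe_mtx) is now unconditional at the end of bfe_release_resources(), so every caller must guarantee the mutex is initialized and not held. bfe_detach() asserts the first and, after this patch, releases BFE_LOCK before getting here, but the attach-failure path relies on bfe_mtx being initialized before the first `goto fail` in bfe_attach(), which the hunks do not show. While this function is being touched, the trailing bare `return;` in a void function is a style(9) nit that could be dropped.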
--- if_bfe.patch ends here ---
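The double release described under >Description and the fault-injection trick from >How-To-Repeat, as an added user-space model. This is not the bfe(4) driver's code and not part of the PR or the committed fix: the softc layout, alloc_step(), release_resources(), the INJECT_* knob and the toy resource table are invented for illustration. attach_buggy() keeps the original shape (a release in the failure branch plus the release at the fail: label); attach_fixed() keeps a single cleanup point, which is the shape of the one-line fix "Don't call bfe_release_resources() twice"; the inject argument plays the role of editing one if (foo()) into if (foo() || 1).

```c
#include <errno.h>
#include <string.h>

/* Toy resource table standing in for bus/DMA/irq allocations; 1 = in use. */
#define NRES 4
static int res_in_use[NRES];
static int double_release_count;   /* releases of an already-free handle */

static int res_alloc(void)
{
	for (int i = 0; i < NRES; i++)
		if (!res_in_use[i]) { res_in_use[i] = 1; return i; }
	return -1;
}

static void res_release(int h)
{
	if (h < 0) return;                           /* never allocated */
	if (!res_in_use[h]) double_release_count++;  /* the bug the PR reports */
	else res_in_use[h] = 0;
}

/* Hypothetical softc: three handles, -1 = not allocated. */
struct softc { int regs, dma, irq; };

/* Fault injection knob, the "if (foo() || 1)" trick from How-To-Repeat. */
enum { INJECT_NONE, INJECT_DMA, INJECT_IRQ };

/* One allocation step; nonzero return means failure, like bfe_dma_alloc(). */
static int alloc_step(int *handle, int inject_failure)
{
	if (inject_failure) return 1;
	*handle = res_alloc();
	return *handle < 0;
}

/* Release routine that, like many drivers, does not forget what it released. */
static void release_resources(struct softc *sc)
{
	res_release(sc->irq); res_release(sc->dma); res_release(sc->regs);
}

/* Idempotent variant: clear each handle as it goes, so a second call is a no-op. */
static void release_resources_idempotent(struct softc *sc)
{
	res_release(sc->irq); sc->irq = -1;
	res_release(sc->dma); sc->dma = -1;
	res_release(sc->regs); sc->regs = -1;
}

/* Shape of the original bfe_attach(): release in the branch AND at fail:. */
static int attach_buggy(struct softc *sc, int inject)
{
	int error = 0;

	if (alloc_step(&sc->regs, 0)) { error = ENXIO; goto fail; }
	if (alloc_step(&sc->dma, inject == INJECT_DMA)) {
		release_resources(sc);      /* first release ... */
		error = ENXIO;
		goto fail;
	}
	if (alloc_step(&sc->irq, inject == INJECT_IRQ)) {
		release_resources(sc);
		error = ENXIO;
		goto fail;
	}
fail:
	if (error)
		release_resources(sc);      /* ... and the same handles again */
	return error;
}

/* Shape of the fix: exactly one cleanup point, reached only through goto fail. */
static int attach_fixed(struct softc *sc, int inject)
{
	int error = 0;

	if (alloc_step(&sc->regs, 0)) { error = ENXIO; goto fail; }
	if (alloc_step(&sc->dma, inject == INJECT_DMA)) { error = ENXIO; goto fail; }
	if (alloc_step(&sc->irq, inject == INJECT_IRQ)) { error = ENXIO; goto fail; }
fail:
	if (error)
		release_resources(sc);
	return error;
}

/* Run one attach from a clean state; returns how many double releases it caused. */
int run_attach(int fixed, int inject)
{
	struct softc sc = { -1, -1, -1 };

	memset(res_in_use, 0, sizeof(res_in_use));
	double_release_count = 0;
	(void)(fixed ? attach_fixed(&sc, inject) : attach_buggy(&sc, inject));
	return double_release_count;
}

/* Handles still allocated after the last run_attach() (leak check). */
int resources_still_in_use(void)
{
	int n = 0;
	for (int i = 0; i < NRES; i++) n += res_in_use[i];
	return n;
}

/* With the idempotent release even a second call is harmless. */
int double_call_is_harmless(void)
{
	struct softc sc = { -1, -1, -1 };

	memset(res_in_use, 0, sizeof(res_in_use));
	double_release_count = 0;
	alloc_step(&sc.regs, 0);
	alloc_step(&sc.dma, 0);
	release_resources_idempotent(&sc);
	release_resources_idempotent(&sc);
	return double_release_count == 0 && resources_still_in_use() == 0;
}
```

run_attach(0, INJECT_DMA) reports one double release (the register mapping that succeeded before the injected failure) and run_attach(0, INJECT_IRQ) reports two; the fixed attach reports none for either injection and leaves nothing allocated. In the real driver the counted double release corresponds to bus_release_resource() and friends being handed a resource that was already released, which is what panics. The single cleanup point is the fix the PR and the commit take; clearing handles after release, as release_resources_idempotent() does, is an independent second guard that makes an accidental second call harmless rather than fatal.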


>Release-Note:
>Audit-Trail:

From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: bug-followup@FreeBSD.org, uspoerlein@gmail.com
Cc: pjd@FreeBSD.org
Subject: Re: kern/98015: [bfe] [patch] bfe(4): double free in error
	handling path.
Date: Wed, 09 May 2007 15:22:02 +0100

 Hi,
 
 A patch was committed to -HEAD by pjd (if_bfe.c 1.32) with a simpler
 patch (as it doesn't attempt to use the bfe_detach routine) and had the
 following log message:
 
 Don't call bfe_release_resources() twice.
 Found by:	Coverity Prevent analysis tool
 CID:		600
 MFC after:	1 week
 
 This patch was never MFC'd, but looks to fix the issue reported.  pjd,
 is there any reason this cannot be MFC'd?
 
 Gavin

From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
Cc: bug-followup@FreeBSD.org, uspoerlein@gmail.com
Subject: Re: kern/98015: [bfe] [patch] bfe(4): double free in error handling path.
Date: Wed, 9 May 2007 17:27:41 +0200

 On Wed, May 09, 2007 at 03:22:02PM +0100, Gavin Atkinson wrote:
 > Hi,
 >
 > A patch was committed to -HEAD by pjd (if_bfe.c 1.32) with a simpler
 > patch (as it doesn't attempt to use the bfe_detach routine) and had the
 > following log message:
 >
 > Don't call bfe_release_resources() twice.
 > Found by:	Coverity Prevent analysis tool
 > CID:		600
 > MFC after:	1 week
 >
 > This patch was never MFC'd, but looks to fix the issue reported.  pjd,
 > is there any reason this cannot be MFC'd?
 
 I probably simply forgot to do it. If it fixes the problem for the problem
 reporter, can you handle MFCing it?
 
 -- 
 Pawel Jakub Dawidek                       http://www.wheel.pl
 pjd@FreeBSD.org                           http://www.FreeBSD.org
 FreeBSD committer                         Am I Evil? Yes, I Am!
State-Changed-From-To: open->patched 
State-Changed-By: linimon 
State-Changed-When: Sun May 13 04:34:04 UTC 2007 
State-Changed-Why:  
This was committed but not MFCed; set the flag to so note. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98015 

From: Ulrich Spoerlein <uspoerlein@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/98015: [bfe] [patch] bfe(4): double free in error
	handling path.
Date: Wed, 30 Jan 2008 22:34:29 +0100

 Hi,
 
 please close this PR, I can no longer test this easily on 6.x
 
 Thanks!
 Uli
Responsible-Changed-From-To: freebsd-bugs->remko  
Responsible-Changed-By: brucec 
Responsible-Changed-When: Thu Jul 10 21:56:26 UTC 2008 
Responsible-Changed-Why:  
Over to remko 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98015 
State-Changed-From-To: patched->closed 
State-Changed-By: uqs 
State-Changed-When: Fri May 28 17:23:11 UTC 2010 
State-Changed-Why:  
Newer releases have this, an MFC to older branches seems unlikely at this point 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98015 
>Unformatted:
