netbsd-bugs: port-acorn32/23783: panic in simide

Subject: port-acorn32/23783: panic in simide_attach
To: None <gnats-bugs@gnats.netbsd.org>
From: Mike Pumford <mpumford@black-star.demon.co.uk>
List: netbsd-bugs
Date: 12/17/2003 19:24:34
>Number:         23783
>Category:       port-acorn32
>Synopsis:       panic in simide_attach
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-acorn32-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 17 19:26:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Mike Pumford
>Release:        NetBSD 1.6ZG
>Organization:
None
	
>Environment:
	
	
System: NetBSD black-star.demon.co.uk 1.6ZG NetBSD 1.6ZG (BSTAR_WS) #30: Wed Dec 17 18:13:18 GMT 2003 mpumford@trigati.home.net:/work/src/sys/arch/acorn32/compile/obj.acorn32/BSTAR_WS acorn32
Architecture: arm
Machine: acorn32
>Description:
The bus space subregioning code in simide attach uses DRIVE_REGISTERS_SPACE
as the upperlimit to the number of registers to be subregioned instead of 
WDC_NREG. Since DRIVE_REGISTERS_SPACE is 0x800 this causes us to run
off the end of the array in the channel_softc structure.

>How-To-Repeat:
Boot a kernel on a machine with a Simtec IDE card fitted. It will panic when
the device is attached.
	
>Fix:
The attached patch corrects this fault and this fault is being reported
on a kernel with the patch applied.

Index: simide.c
===================================================================
RCS file: /cvsroot/src/sys/arch/acorn32/podulebus/simide.c,v
retrieving revision 1.14
diff -c -r1.14 simide.c
*** simide.c    2003/12/02 23:47:20     1.14
--- simide.c    2003/12/17 19:24:07
***************
*** 268,274 ****
                    simide_info[channel].drive_registers,
                    DRIVE_REGISTERS_SPACE, 0, &cp->cmd_baseioh)) 
                        continue;
!               for (i = 0; i < DRIVE_REGISTERS_SPACE; i++) {
                        if (bus_space_subregion(cp->cmd_iot, cp->cmd_baseioh,
                                i, i == 0 ? 4 : 1, &cp->cmd_iohs[i]) != 0) {
                                bus_space_unmap(cp->cmd_iot, cp->cmd_baseioh,
--- 268,274 ----
                    simide_info[channel].drive_registers,
                    DRIVE_REGISTERS_SPACE, 0, &cp->cmd_baseioh)) 
                        continue;
!               for (i = 0; i < WDC_NREG; i++) {
                        if (bus_space_subregion(cp->cmd_iot, cp->cmd_baseioh,
                                i, i == 0 ? 4 : 1, &cp->cmd_iohs[i]) != 0) {
                                bus_space_unmap(cp->cmd_iot, cp->cmd_baseioh,

>Release-Note:
>Audit-Trail:
>Unformatted: