NetBSD-Bugs archive


port-amd64/42208: x86 DMA-bouncebuf alloc failure may blow up kernel



>Number:         42208
>Category:       port-amd64
>Synopsis:       x86 DMA-bouncebuf alloc failure may blow up kernel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-amd64-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 21 09:40:01 +0000 2009
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 4.0
>Organization:
Dr. Nagler & Company GmbH
        
>Environment:
        
        
System: NetBSD s012 4.0 NetBSD 4.0 (NSW-S012) #9: Fri Mar 13 12:31:52 CET 2009 wgstuken@s012:/usr/src/sys/arch/amd64/compile/NSW-S012 amd64
Architecture: x86_64
Machine: amd64
>Description:
        If an allocation for a bounce buffer failed, _bus_dmamem_free() is called anyway, but the number of segments
        may contain some garbage.
        This may blow up the memory management!
        The problem is located in /usr/src/sys/arch/x86/x86/bus_dma.c - so all x86 architectures are affected!
        Due to the fact that allocation errors are rare, this bug is normally not triggered.
>How-To-Repeat:
        Found by a look into the sources while searching for another DMA alloc-problem on SuperMicro systems.
>Fix:
        The following patch will fix the problem:

--- bus_dma.c   2009/10/21 09:28:05     1.1
+++ bus_dma.c   2009/10/21 09:29:17
@@ -897,10 +897,10 @@
            cookie->id_nbouncesegs, cookie->id_bouncebuflen,
            (caddr_t *)&cookie->id_bouncebuf, flags);
 
- out:
        if (error) {
                _bus_dmamem_free(t, cookie->id_bouncesegs,
                    cookie->id_nbouncesegs);
+ out:
                cookie->id_bouncebuflen = 0;
                cookie->id_nbouncesegs = 0;
        } else {
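Review bot: The `out:` label now sits inside the body of `if (error)`, below the `_bus_dmamem_free()` call, so every `goto out` lands on the two zeroing assignments and skips the `else` branch regardless of the value of `error`. The `goto out` sites are outside this hunk; each one needs to be confirmed as an error path taken before any segments were allocated, otherwise the skipped free becomes a leak. A label inside a conditional body is also easy to break in later edits; a separate label below the free, or handling the allocation failure at its own site, would state the intent more plainly.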

>Unformatted:
        
        


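A simplified C model of the error path this report describes, added here as an illustration and not taken from NetBSD's bus_dma.c. `struct cookie`, `seg_alloc`, `seg_map`, `seg_free` and the stale count 0x7fff are hypothetical stand-ins, and the `goto out` after a failed allocation is assumed from the description; the two functions differ only in where `out:` sits, as in the patch.

```c
#include <errno.h>
#include <stdio.h>

struct cookie { int nsegs; size_t buflen; };   /* hypothetical stand-in */
static int freed_nsegs = -1;   /* count handed to seg_free(); -1 = never called */
/* Hypothetical helpers. Assumed: a failed allocation leaves *nsegs untouched. */
static int seg_alloc(int *nsegs, int fail) {
    if (!fail) *nsegs = 1;
    return fail ? ENOMEM : 0;
}
static int seg_map(int fail) { return fail ? ENOMEM : 0; }
static void seg_free(int nsegs) { freed_nsegs = nsegs; }

/* Before the patch: out: sits above the error test. */
static int alloc_before(struct cookie *c, int fail_alloc, int fail_map) {
    int error = seg_alloc(&c->nsegs, fail_alloc);
    if (error) goto out;
    error = seg_map(fail_map);
out:
    if (error) {
        seg_free(c->nsegs);   /* stale count when seg_alloc() failed */
        c->buflen = 0; c->nsegs = 0;
    }
    return error;
}

/* After the patch: out: sits below the free, inside the error branch. */
static int alloc_patched(struct cookie *c, int fail_alloc, int fail_map) {
    int error = seg_alloc(&c->nsegs, fail_alloc);
    if (error) goto out;
    error = seg_map(fail_map);
    if (error) {
        seg_free(c->nsegs);   /* reached only when seg_alloc() succeeded */
out:
        c->buflen = 0; c->nsegs = 0;
    }
    return error;
}

/* Run one case with a constructed stale count; return what seg_free() saw. */
static int run(int (*fn)(struct cookie *, int, int), int fail_alloc, int fail_map) {
    struct cookie c = { 0x7fff, 64 };
    freed_nsegs = -1;
    fn(&c, fail_alloc, fail_map);
    return freed_nsegs;
}
int main(void) {
    printf("free() saw: before=%d patched=%d\n", run(alloc_before, 1, 0), run(alloc_patched, 1, 0));
    return 0;
}
```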