kern/54899: crash DIAGNOSTIC in extent_alloc_region in ahd driver attach

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/54899: crash DIAGNOSTIC in extent_alloc_region in ahd driver attach
From: kardel%netbsd.org@localhost
Date: Mon, 27 Jan 2020 07:40:01 +0000 (UTC)

>Number:         54899
>Category:       kern
>Synopsis:       crash DIAGNOSTIC in extent_alloc_region in ahd driver attach
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 27 07:40:01 +0000 2020
>Originator:     Frank Kardel
>Release:        NetBSD 9.99.42
>Organization:
	
>Environment:
	
	
System: NetBSD pip.kardel.name 9.99.42 NetBSD 9.99.42 (PIPGEN) #0: Sat Jan 25 16:40:30 CET 2020 kardel@...:/src/NetBSD/act/src/obj.amd64/sys/arch/amd64/compile/PIPGEN amd64
Architecture: x86_64
Machine: amd64
>Description:
	When added a SCSI interface for the ahd driver The system crashes while attaching in extent_alloc_region.
/*
 * Allocate a specific region in an extent map.
 */
int
extent_alloc_region(struct extent *ex, u_long start, u_long size, int flags)
{
        struct extent_region *rp, *last, *myrp;
        u_long end = start + (size - 1);
        int error;

#ifdef DIAGNOSTIC
        /* Check arguments. */
        if (ex == NULL)
                panic("extent_alloc_region: NULL extent");
        if (size < 1) {
                printf("extent_alloc_region: extent `%s', size 0x%lx\n",
                    ex->ex_name, size);
                panic("extent_alloc_region: bad size");
        }
        if (end < start) {
                printf(
                 "extent_alloc_region: extent `%s', start 0x%lx, size 0x%lx\n",
#### -> crash     ex->ex_name, start, size);   #### <--- crash
                panic("extent_alloc_region: overflow");
        }
#endif

ex->ex_name is not correctly initialized/passed.
Also there seems to be an issue with the start and size paramters as
end < start is true. I try to gather the actual values of start and size
this evening.

Stack (manual partial copy from photo)
extent_alloc_region()
bus_space_reserve()
bus_space_map()
pci_mapreg_submap()
pci_mapreg_map()
ahd_pci_attach()
...

>How-To-Repeat:
	Use a ASUS PRIME X570-PRO motherboard with a Ryzen 9 CPU and a AIC-7901X 
	based SCSI controller.
>Fix:
	?

>Unformatted:

Follow-Ups:
- Re: kern/54899: crash DIAGNOSTIC in extent_alloc_region in ahd driver attach
  - From: Frank Kardel

Prev by Date: NetBSD Nightly Trouble Ticket Report
Next by Date: bin/54900: gpt(8) can not show MBR partitions on non 512 byte/sector disks
Previous by Thread: Re: kern/54897 (ipsec tests now fail randomly on real hardware)
Next by Thread: Re: kern/54899: crash DIAGNOSTIC in extent_alloc_region in ahd driver attach
Indexes:

Home | Main Index | Thread Index | Old Index