NetBSD-Bugs archive


kern/55855: call pci_intr_release twice at xhci_pci_attach



>Number:         55855
>Category:       kern
>Synopsis:       call pci_intr_release twice at xhci_pci_attach
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 09 13:45:00 +0000 2020
>Originator:     Kouichi Hashikawa
>Release:        NetBSD-current
>Organization:
>Environment:
>Description:
When
psc->sc_ih = pci_intr_establish_xname(pc, psc->sc_pihp[0], IPL_USB,
            xhci_intr, sc, device_xname(sc->sc_dev));
fails, pci_intr_release(pc, psc->sc_pihp, 1) is called the first time in
if (psc->sc_ih == NULL) {...}
and a second time at fail:.

Then it panics in kmem_size_check() in subr_kmem.c with the message:
panic: kmem_free(0xffff0000fbfe7320, 8) != allocated size 18446744073709551615; overwrote?


>How-To-Repeat:

>Fix:
--- src/sys/dev/pci/xhci_pci.c-dist     2019-12-02 12:06:51.000000000 +0900
+++ src/sys/dev/pci//xhci_pci.c     2020-12-09 22:41:37.553851897 +0900
@@ -214,6 +214,7 @@
        if (psc->sc_ih == NULL) {
                pci_intr_release(pc, psc->sc_pihp, 1);
                psc->sc_ih = NULL;
+               psc->sc_pihp = NULL;
                aprint_error_dev(self, "couldn't establish interrupt");
                if (intrstr != NULL)
                        aprint_error(" at %s", intrstr);
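Review bot: inside the if (psc->sc_ih == NULL) block, the added psc->sc_pihp = NULL only prevents the second release if the cleanup at fail: tests psc->sc_pihp before calling pci_intr_release(), and that test is not visible in this hunk. Please confirm it, or consider dropping the pci_intr_release() call here so the shared cleanup path performs the single release. The existing psc->sc_ih = NULL in the same block is redundant, since the condition already established that it is NULL, and could be removed in the same change. A one-line comment on the new assignment saying the handle has already been released would make the intent clear to later readers.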



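The double release described in this report, modelled as an added example; this is not NetBSD source or the submitter's code. The struct names, the model_* helpers and the shape of the fail: cleanup (release only if the pointer is still set) are assumptions made for illustration, and the release is counted rather than freed so both variants can run safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the interrupt handle array; not NetBSD's type. */
struct handle { int releases; };

struct softc {
    struct handle *pihp;   /* models psc->sc_pihp */
    void *ih;              /* models psc->sc_ih */
};

/* Models pci_intr_release(): counts calls instead of freeing memory, so a
 * double release is observable without undefined behaviour. */
static void model_release(struct handle *h) { h->releases++; }

/* Models pci_intr_establish_xname() failing. */
static void *model_establish_fail(struct handle *h) { (void)h; return NULL; }

/* Attach path in which establish fails. clear_after_release selects the
 * behaviour with (1) or without (0) the NULL assignment the patch adds. */
static int attach(struct handle *h, int clear_after_release)
{
    struct softc sc = { .pihp = h, .ih = NULL };

    sc.ih = model_establish_fail(sc.pihp);
    if (sc.ih == NULL) {
        model_release(sc.pihp);          /* first release */
        if (clear_after_release)
            sc.pihp = NULL;              /* the line the patch adds */
        goto fail;
    }
    return 0;

fail:
    /* Assumed shape of the shared cleanup: release if still set. */
    if (sc.pihp != NULL)
        model_release(sc.pihp);          /* second release if not cleared */
    return h->releases;
}

/* Number of releases seen on one handle for each variant. */
int releases_without_patch(void) { struct handle h = {0}; return attach(&h, 0); }
int releases_with_patch(void)    { struct handle h = {0}; return attach(&h, 1); }

int main(void)
{
    printf("without patch: %d release(s)\n", releases_without_patch());
    printf("with patch:    %d release(s)\n", releases_with_patch());
    return 0;
}
```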