From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206310] The vnic driver may lock an uninitialised mutex
Date: Sat, 16 Jan 2016 12:31:47 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206310

Bug ID: 206310
Summary: The vnic driver may lock an uninitialised mutex
Product: Base System
Version: 11.0-CURRENT
Hardware: arm64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: Andrew@FreeBSD.org

If you configure the ThunderX vnic with iovctl -C, then delete the children before using it, the kernel will panic with a NULL pointer dereference in __mtx_lock_sleep.

The issue is that nicvf_free_cmp_queue will attempt to lock its mutex; however, the mutex may not have been initialised. The call to mtx_init is in nicvf_init_cmp_queue, which seems to only be called when the ioctl configures the interface.

There is a second issue where, if nicvf_alloc_resources fails, we could call nicvf_free_cmp_queue where the queue_set may not have been initialised.

I would expect a correct solution will either have the nicvf_free_* functions handle being called when the object they are freeing has not been initialised, or ensure they are not called when this is the case.

The stacktrace is as follows.
db> bt
Tracing pid 9149 tid 100575 td 0xffffffc0540e8000
db_trace_self() at db_stack_trace+0xf0
        pc = 0xffffff80005af4e4  lr = 0xffffff8000072440
        sp = 0xffffff87ccb4ae90  fp = 0xffffff87ccb4aec0
db_stack_trace() at db_command+0x248
        pc = 0xffffff8000072440  lr = 0xffffff80000720cc
        sp = 0xffffff87ccb4aed0  fp = 0xffffff87ccb4afb0
db_command() at db_command_loop+0x60
        pc = 0xffffff80000720cc  lr = 0xffffff8000071e68
        sp = 0xffffff87ccb4afc0  fp = 0xffffff87ccb4afe0
db_command_loop() at db_trap+0xf0
        pc = 0xffffff8000071e68  lr = 0xffffff80000748fc
        sp = 0xffffff87ccb4aff0  fp = 0xffffff87ccb4b220
db_trap() at kdb_trap+0x180
        pc = 0xffffff80000748fc  lr = 0xffffff800030772c
        sp = 0xffffff87ccb4b230  fp = 0xffffff87ccb4b290
kdb_trap() at data_abort+0x17c
        pc = 0xffffff800030772c  lr = 0xffffff80005c2d38
        sp = 0xffffff87ccb4b2a0  fp = 0xffffff87ccb4b350
data_abort() at handle_el1h_sync+0x6c
        pc = 0xffffff80005c2d38  lr = 0xffffff80005b086c
        sp = 0xffffff87ccb4b360  fp = 0xffffff87ccb4b470
handle_el1h_sync() at __mtx_lock_sleep+0x70
        pc = 0xffffff80005b086c  lr = 0xffffff80002a2a08
        sp = 0xffffff87ccb4b480  fp = 0xffffff87ccb4b550
__mtx_lock_sleep() at nicvf_free_resources+0x37c
        pc = 0xffffff80002a2a08  lr = 0xffffff80005d059c
        sp = 0xffffff87ccb4b560  fp = 0xffffff87ccb4b5c0
nicvf_free_resources() at nicvf_config_data_transfer+0xa2c
        pc = 0xffffff80005d059c  lr = 0xffffff80005cfad0
        sp = 0xffffff87ccb4b5d0  fp = 0xffffff87ccb4b690
nicvf_config_data_transfer() at nicvf_stop_locked+0xc8
        pc = 0xffffff80005cfad0  lr = 0xffffff80005ceadc
        sp = 0xffffff87ccb4b6a0  fp = 0xffffff87ccb4b6d0
nicvf_stop_locked() at nicvf_detach+0x94
        pc = 0xffffff80005ceadc  lr = 0xffffff80005cda78
        sp = 0xffffff87ccb4b6e0  fp = 0xffffff87ccb4b700
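The first fix direction the report proposes (free_* functions tolerating an object that was never initialised) as an added, portable C model; this is not the vnic driver's code, the struct and function names are hypothetical stand-ins built on pthread mutexes, and the explicit `mtx_initialized` flag plays the role FreeBSD's in-kernel `mtx_initialized()` check would play.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for one completion queue (hypothetical, not the driver's
 * struct): the mutex is valid only after init_cmp_queue() has run. */
struct cmp_queue {
    pthread_mutex_t mtx;
    bool mtx_initialized;   /* the guard the free path checks */
    void *desc;             /* ring memory, NULL until allocated */
};
/* Models nicvf_init_cmp_queue: mtx_init happens only here. 0 or -1. */
int init_cmp_queue(struct cmp_queue *cq)
{
    cq->desc = calloc(1, 256);      /* constructed ring size */
    if (cq->desc == NULL)
        return -1;                  /* fail before touching the mutex */
    pthread_mutex_init(&cq->mtx, NULL);
    cq->mtx_initialized = true;
    return 0;
}
/* Safe on a never-initialised or already-freed queue: returns 1 if a
 * queue was torn down, 0 if nothing to do. Without the first check,
 * the lock call below is the reported panic path. */
int free_cmp_queue(struct cmp_queue *cq)
{
    if (!cq->mtx_initialized)
        return 0;
    pthread_mutex_lock(&cq->mtx);
    free(cq->desc);
    cq->desc = NULL;
    pthread_mutex_unlock(&cq->mtx);
    pthread_mutex_destroy(&cq->mtx);
    cq->mtx_initialized = false;
    return 1;
}
/* The report's sequence: configure part of a zeroed two-queue set, then
 * tear the whole set down as nicvf_free_resources would; returns the
 * number of queues actually freed (-1 if the constructed init failed). */
int configure_then_delete(void)
{
    struct cmp_queue qs[2];
    int freed = 0, i;
    memset(qs, 0, sizeof(qs));      /* queues start uninitialised */
    if (init_cmp_queue(&qs[0]) != 0)
        return -1;
    for (i = 0; i < 2; i++)
        freed += free_cmp_queue(&qs[i]);
    return freed;
}
```

The same guard also covers the second issue in the report, where a failed nicvf_alloc_resources leads to freeing a queue_set that was never set up: the queue that never saw init is skipped instead of locked.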