Description of problem:

This was found via code inspection by Stratus. It does not affect Stratus, but I'm entering it here because it may hurt somebody else. Here's the code for ide_release_iomio_dma:

    int ide_release_iomio_dma (ide_hwif_t *hwif)
    {
            if ((hwif->dma_extra) && (hwif->channel == 0))
                    release_region((hwif->dma_base + 16), hwif->dma_extra);
            release_region(hwif->dma_base, 8);
            if (hwif->dma_base2)
                    release_region(hwif->dma_base, 8);
            return 1;
    }

Notice the second and third calls to release_region pass in exactly the same address. I suspect the third call to release_region ought to be passing hwif->dma_base2.

Version-Release number of selected component (if applicable): RHEL4, and upstream

How reproducible: Our platform does not expose this bug, because on our platform dma_base2 does not exist. I am merely entering this BUG on behalf of other ide users.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info: Code inspection reveals that this BUG is present upstream as well. I hope someone with the right IDE hardware can demonstrate this bug and fix it. The code change I suggest above seems like common sense, but I don't have the right hardware to verify either the BUG or the solution.
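The effect of the duplicated release_region() argument described in the report can be seen in a small userspace model. This is an added example, not code from the report or from the kernel: the model_* functions, struct hwif_model, the addresses, and the assumption that both ranges were claimed with length 8 are constructed for illustration.

```c
/* Userspace model of the region bookkeeping; stand-ins, not kernel code. */
#include <stdio.h>
#define MAX_REGIONS 8
struct region { unsigned long start, len; int used; };
static struct region table[MAX_REGIONS];
static int bad_releases;   /* releases that match no claimed region */
static void model_request_region(unsigned long start, unsigned long len) {
    for (int i = 0; i < MAX_REGIONS; i++)
        if (!table[i].used) { table[i] = (struct region){ start, len, 1 }; return; }
}
static void model_release_region(unsigned long start, unsigned long len) {
    for (int i = 0; i < MAX_REGIONS; i++)
        if (table[i].used && table[i].start == start && table[i].len == len) {
            table[i].used = 0;
            return;
        }
    bad_releases++;
}
struct hwif_model { unsigned long dma_base, dma_base2, dma_extra; int channel; };
/* fixed == 0: calls as quoted in the report; fixed == 1: suggested change. */
static void release_iomio_dma(const struct hwif_model *h, int fixed) {
    if (h->dma_extra && h->channel == 0)
        model_release_region(h->dma_base + 16, h->dma_extra);
    model_release_region(h->dma_base, 8);
    if (h->dma_base2)
        model_release_region(fixed ? h->dma_base2 : h->dma_base, 8);
}

/* Claim both ranges, release them, count what is still claimed. */
static void run_case(int fixed, int *leaks, int *bad) {
    struct hwif_model h = { 0xc000, 0xd000, 0, 0 };  /* constructed addresses */
    for (int i = 0; i < MAX_REGIONS; i++) table[i].used = 0;
    bad_releases = 0;
    model_request_region(h.dma_base, 8);
    model_request_region(h.dma_base2, 8);   /* assumed length 8 */
    release_iomio_dma(&h, fixed);
    *leaks = 0;
    for (int i = 0; i < MAX_REGIONS; i++) *leaks += table[i].used;
    *bad = bad_releases;
}

int main(void) {
    int leaks, bad;
    for (int fixed = 0; fixed <= 1; fixed++) {
        run_case(fixed, &leaks, &bad);
        printf("%s: leaked=%d bad_releases=%d\n", fixed ? "fixed" : "buggy", leaks, bad);
    }
    return 0;
}
```

With the calls as quoted, the dma_base2 range stays claimed and dma_base is released twice; with the suggested change both counters are zero.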
This was posted as a courtesy by Stratus; they found this, but the bug isn't being exhibited on their hardware, and they can't fix/test it. Suggesting someone else take ownership of this.
I submitted it upstream, but according to Sergei Shtylyov (http://marc.theaimsgroup.com/?l=linux-ide&m=115377116801390&w=2) the usage of dma_base2 will be removed soon, so this patch won't be accepted. The patch used to remove dma_base2 (http://marc.theaimsgroup.com/?l=linux-ide&m=115377284117091&w=2) is a lot more intrusive than the one to fix ide_release_iomio_dma(), so, I'll submit the last one for inclusion on RHEL-4.
The only in-tree drivers that use dma_base2 are siimage and sgiioc4. Neither driver has a cleanup function, so even if they were compiled as modules, they wouldn't be able to be removed, thus never touching the code path this patch fixes.
It's still possible to trigger this if ide_alloc_dma_engine() fails. Submitting the patch to list.
Created attachment 133788: the original patch
Created attachment 133789: patch used to trigger the bug
Closing this bug for these reasons:
- triggering the bug is very unlikely, as the IDE modules are built-in and the only affected ones (sgiioc4 and siimage) don't have cleanup functions, and the only way to trigger it would be failing ide_alloc_dma_engine() at boot time.
- at least the siimage driver can't handle a failure in ide_alloc_dma_engine(), causing an oops while being tested with the patch from comment #9.