Bug #8625: nvme causes bad free panic in IOMMU
Status: Closed
% Done: 100
Description
When nvme tries to clean up after a DMA allocation failed due to #8624, it will cause a "bad free" panic in the IOMMU code.
When cleaning up a DMA allocation nvme will call ddi_dma_unbind_handle(), even if it isn't bound because binding failed earlier. Without IOMMU this works fine; the rootnex code will handle this gracefully.
When IOMMU is enabled and the binding fails due to #8624, the cleanup path in rootnex_coredma_bindhdl() will do a dvma unmap it had mapped earlier. Then it will clean up the handle and reset various fields in it, including dp_dvma_used, to indicate there is no dvma mapping. The problem is that when rootnex_coredma_unbindhdl() is called on this handle, it will just check whether IOMMU is enabled for the device and try to do the dvma unmap again, which causes the panic.
This can easily be avoided by making rootnex_coredma_unbindhdl() check dp_dvma_used before unmapping.
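The sequence above (bind maps a DVMA range, fails, unmaps it and clears dp_dvma_used; the driver then unbinds anyway and the unguarded unbind unmaps a second time) reduces to a small state-machine model. The following is an added illustration written for this page, not illumos or nvme code: the handle struct, the toy DVMA slot table, the `toy_*` function names and the `bad_free_count` counter standing in for the IOMMU "bad free" panic are all invented. It contrasts an unbind that only checks whether the IOMMU is enabled with one that also honors the dvma_used flag, which is the check the report proposes.

```c
/*
 * Simplified model of the double DVMA unmap described in bug #8625.
 * Added example, not illumos code: every name below is invented.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DVMA_SLOTS 8

/* Toy DVMA space: one flag per slot, true while a mapping is live. */
static bool dvma_mapped[DVMA_SLOTS];

/* Stands in for the IOMMU "bad free" panic: unmap of an unmapped slot. */
static int bad_free_count;

/* Toy DMA handle, loosely modeled on the fields named in the report. */
struct dma_handle {
	bool immu_enabled;	/* device sits behind an IOMMU */
	bool dvma_used;		/* like dp_dvma_used: a DVMA mapping is live */
	int dvma_slot;
};

/* Allocate and "map" one DVMA slot into the handle. */
static int
dvma_map(struct dma_handle *h)
{
	for (int i = 0; i < DVMA_SLOTS; i++) {
		if (!dvma_mapped[i]) {
			dvma_mapped[i] = true;
			h->dvma_slot = i;
			h->dvma_used = true;
			return (0);
		}
	}
	return (-1);
}

/* Release the handle's slot; a second release is the "bad free". */
static void
dvma_unmap(struct dma_handle *h)
{
	if (!dvma_mapped[h->dvma_slot]) {
		bad_free_count++;
		return;
	}
	dvma_mapped[h->dvma_slot] = false;
}

/*
 * Model of the bind path: map DVMA first, then either succeed or hit a
 * later failure. On failure the cleanup path unmaps what it mapped and
 * resets the handle, exactly as the report describes for bindhdl.
 */
static int
toy_bindhdl(struct dma_handle *h, bool fail_after_map)
{
	if (h->immu_enabled && dvma_map(h) != 0)
		return (-1);
	if (fail_after_map) {
		if (h->immu_enabled) {
			dvma_unmap(h);
			h->dvma_used = false;
		}
		return (-1);
	}
	return (0);
}

/* Unbind as described for the buggy code: only checks immu_enabled. */
static void
toy_unbindhdl_unguarded(struct dma_handle *h)
{
	if (h->immu_enabled)
		dvma_unmap(h);
}

/* Unbind with the proposed check: also require a live DVMA mapping. */
static void
toy_unbindhdl_guarded(struct dma_handle *h)
{
	if (h->immu_enabled && h->dvma_used) {
		dvma_unmap(h);
		h->dvma_used = false;	/* makes a repeated unbind harmless */
	}
}

/* Number of DVMA slots still mapped; nonzero after teardown is a leak. */
static int
dvma_slots_in_use(void)
{
	int n = 0;
	for (int i = 0; i < DVMA_SLOTS; i++)
		n += dvma_mapped[i] ? 1 : 0;
	return (n);
}

/*
 * Run the nvme-style sequence on a fresh handle behind an IOMMU: bind
 * (failing or not), then unbind regardless. Returns the bad-free count.
 */
static int
run_sequence(bool bind_fails, bool guarded)
{
	struct dma_handle h;

	memset(&h, 0, sizeof (h));
	memset(dvma_mapped, 0, sizeof (dvma_mapped));
	bad_free_count = 0;
	h.immu_enabled = true;

	(void) toy_bindhdl(&h, bind_fails);
	if (guarded)
		toy_unbindhdl_guarded(&h);
	else
		toy_unbindhdl_unguarded(&h);
	return (bad_free_count);
}

int
main(void)
{
	printf("failed bind, unguarded unbind: %d bad free(s)\n",
	    run_sequence(true, false));
	printf("failed bind, guarded unbind:   %d bad free(s)\n",
	    run_sequence(true, true));
	printf("good bind, guarded unbind:     %d bad free(s), %d slots leaked\n",
	    run_sequence(false, true), dvma_slots_in_use());
	return (0);
}
```

The guarded unbind also clears dvma_used after unmapping, so a second unbind on the same handle is a no-op rather than a second free; that detail is a choice made for this model, not a statement about what the illumos change does.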
Updated by Hans Rosenfeld over 5 years ago
Webrev: https://grumpf.hope-2000.org/illumos-8622-8623-8625/
This was tested on a system with IOMMU enabled. No other effects seen than the fixing of the panic in nvme.
This change has been in illumos-joyent since around June.
Updated by Electric Monk over 5 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit 2cedd8f0ecbd2b29bf0aac72bb8b7413b0326938
commit 2cedd8f0ecbd2b29bf0aac72bb8b7413b0326938
Author: Hans Rosenfeld <hans.rosenfeld@joyent.com>
Date: 2017-09-20T18:35:31.000Z

8622 panic in PTE_set_all()
8623 IMMU_CONTIG_PADDR is broken for cookies with more than one page
8625 nvme causes bad free panic in IOMMU
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Garrett D'Amore <garrett@damore.org>