
Bug #8625 (closed)

nvme causes bad free panic in IOMMU

Added by Hans Rosenfeld almost 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Start date: 2017-09-07
% Done: 100%
Difficulty: Medium
Tags: needs-triage

Description

When nvme tries to clean up after a DMA allocation failed due to #8624, it will cause a "bad free" panic in the IOMMU code.

When cleaning up a DMA allocation, nvme will call ddi_dma_unbind_handle() even if the handle isn't bound because binding failed earlier. Without IOMMU this works fine; the rootnex code handles it gracefully.

When IOMMU is enabled and the binding fails due to #8624, the cleanup path in rootnex_coredma_bindhdl() will unmap the dvma range it had mapped earlier. It will then clean up the handle and reset various fields in it, including dp_dvma_used, to indicate there is no dvma mapping. The problem is that when rootnex_coredma_unbindhdl() is later called on this handle, it only checks whether IOMMU is enabled for the device and then tries to do the dvma unmap again, which causes the panic.

This can easily be avoided by making rootnex_coredma_unbindhdl() check dp_dvma_used before unmapping.
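The double unmap and the proposed check, as an added example that models the sequence described above; it is not the rootnex or nvme code, and every name in it except dp_dvma_used is an assumption made for the model:

```c
/* Added example, not illumos code: a simplified model of the rootnex DMA
 * handle state this bug describes. Every name except dp_dvma_used is an
 * assumption mirroring the description, not the real rootnex API. */
#include <stdbool.h>

typedef struct {
    bool dp_dvma_used;  /* rootnex flag: a dvma mapping is outstanding */
    bool mapped;        /* state of the simulated IOMMU mapping */
} dma_handle_t;

/* Simulated IOMMU unmap; a second unmap of the same handle returns -1,
 * standing in for the "bad free" panic the real kernel raises. */
static int dvma_unmap(dma_handle_t *hp) {
    if (!hp->mapped)
        return -1;
    hp->mapped = false;
    return 0;
}

/* Bind maps dvma first; if a later step (#8624) fails, cleanup unmaps and
 * clears dp_dvma_used, leaving the handle unbound. */
static int bind_handle(dma_handle_t *hp, bool later_step_fails) {
    hp->mapped = true;
    hp->dp_dvma_used = true;
    if (!later_step_fails)
        return 0;
    (void)dvma_unmap(hp);
    hp->dp_dvma_used = false;
    return -1;
}

/* Unbind before the fix: unmaps whenever IOMMU is enabled for the device. */
static int unbind_handle_unchecked(dma_handle_t *hp, bool iommu_enabled) {
    return iommu_enabled ? dvma_unmap(hp) : 0;
}

/* Unbind with the fix: consult dp_dvma_used before unmapping. */
static int unbind_handle_checked(dma_handle_t *hp, bool iommu_enabled) {
    if (!iommu_enabled || !hp->dp_dvma_used)
        return 0;
    hp->dp_dvma_used = false;
    return dvma_unmap(hp);
}

/* nvme's cleanup sequence: failed bind, then unbind of the unbound handle.
 * Returns 0 when unbind was safe, -1 when it hit the double unmap. */
static int nvme_cleanup_after_failed_bind(bool with_fix) {
    dma_handle_t h = { false, false };
    (void)bind_handle(&h, true);
    return with_fix ? unbind_handle_checked(&h, true)
                    : unbind_handle_unchecked(&h, true);
}
```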
