Subject: kern/3216: illegal use of bus_addr_t as bus_space_handle_t in if_le_isa.c
To: None <gnats-bugs@gnats.netbsd.org>
From: Matthias Drochner <drochner@zelz28.zel.kfa-juelich.de>
List: netbsd-bugs
Date: 02/12/1997 19:02:00
>Number:         3216
>Category:       kern
>Synopsis:       illegal use of bus_addr_t as bus_space_handle_t in if_le_isa.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 12 10:20:01 1997
>Last-Modified:
>Originator:     Matthias Drochner
>Organization:
	KFA Juelich
>Release:        current
>Environment:
	NetBSD-current, i386
System: NetBSD zelz28 1.2C NetBSD 1.2C (TULIP) #10: Tue Feb 11 11:48:43 MET 1997 drochner@zelz26:/home/drochner/netbsd-970206/sys/arch/i386/compile/TULIP i386


>Description:
	In sys/dev/isa/if_le_isa.c, function depca_isa_probe(), the second
argument to bus_space_unmap() is the physical memory address, not the handle as
returned by bus_space_map() before. For the i386, this causes a panic in extent_free()
because the pmap_extract() in bus_space_unmap() returned a "0".

Possible / future bugs:
To check if this bug or similar ones occur in other drivers too, I made bus_space_handle_t
more abstract and compiled a "GENERIC" kernel. The following compiler warnings appeared:
- sys/dev/isa/sb_isa.c: similar bug in sb_isa_match() (but without consequences up to now
  because handles and addresses are identical for ISA on i386)
- sys/i386/isa/if_fea.c: in pdq_eisa_devinit(), arithmetic with handles
- sys/i386/isa/isapnp_machdep.c: in isapnp_map() and isapnp_map_readport(), use of
  integer constants as handles

>How-To-Repeat:
	put something like "le0	at isa? port 0x200 iomem 0xc8000 iosiz 0x8000 irq 5"
into the configuration file and boot the resulting kernel
>Fix:
	(only for the first 2 bugs, the other 2 require some more code cleanup)
*** if_le_isa.c.orig    Wed Feb 12 17:03:53 1997
--- if_le_isa.c Wed Feb 12 17:04:25 1997
***************
*** 170,174 ****

        /* Just needed to check mapability; don't need it anymore. */
!       bus_space_unmap(ia->ia_memt, ia->ia_maddr, ia->ia_msize);

        lesc->sc_iot = iot;
--- 170,174 ----

        /* Just needed to check mapability; don't need it anymore. */
!       bus_space_unmap(ia->ia_memt, memh, ia->ia_msize);

        lesc->sc_iot = iot;
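Review bot: memh in the new bus_space_unmap() call is neither declared nor assigned in the three context lines, so confirm it is the handle the earlier bus_space_map() of ia->ia_maddr filled in, and that the map was made with the same ia->ia_msize that is passed here. The hunk touches only this one call; any other exit path in depca_isa_probe() that releases the memory mapping should pass memh as well, not ia->ia_maddr.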
*** sb_isa.c.orig       Wed Feb 12 17:50:55 1997
--- sb_isa.c    Wed Feb 12 17:52:06 1997
***************
*** 104,108 ****

        if (!sbmatch(sc)) {
!               bus_space_unmap(sc->sc_iot, ia->ia_iobase, SBP_NPORT);
                return 0;
        }
--- 104,108 ----

        if (!sbmatch(sc)) {
!               bus_space_unmap(sc->sc_iot, sc->sc_ioh, SBP_NPORT);
                return 0;
        }
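Review bot: sc->sc_ioh on the !sbmatch(sc) path is not shown being set in this hunk, so confirm it is assigned from bus_space_map() before sbmatch(sc) runs and that the mapping covers SBP_NPORT ports. Only the failure branch is changed here; the other bus_space_unmap() calls in sb_isa_match() should be checked for the same ia->ia_iobase argument, since on i386 ISA the two values coincide and the mistake will not show up at run time.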

>Audit-Trail:
>Unformatted:
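
The check described under "Possible / future bugs" (a handle type the compiler cannot confuse with an address), as an added example that is not part of the original report and not NetBSD code. It is a toy user-space model: every toy_* name and the TOY_VA_BASE offset are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model, not NetBSD code: every toy_* name is hypothetical. */
typedef uintptr_t toy_addr_t;                  /* bus (physical) address */
typedef struct { uintptr_t va; } toy_handle_t; /* opaque, not an integer */
#define TOY_VA_BASE 0xf0000000u /* constructed offset: handle != address */
#define TOY_NMAP 4
static struct toy_ent { toy_addr_t pa; size_t size; int used; } toy_maps[TOY_NMAP];

/* Record a mapping and return a handle that differs from the address. */
int toy_map(toy_addr_t pa, size_t size, toy_handle_t *hp)
{
    for (int i = 0; i < TOY_NMAP; i++) {
        if (toy_maps[i].used)
            continue;
        toy_maps[i] = (struct toy_ent){ pa, size, 1 };
        hp->va = TOY_VA_BASE + pa;
        return 0;
    }
    return -1; /* table full */
}

/* Release by handle; -1 if no live mapping matches handle and size. */
int toy_unmap(toy_handle_t h, size_t size)
{
    for (int i = 0; i < TOY_NMAP; i++) {
        struct toy_ent *e = &toy_maps[i];
        if (e->used && e->size == size && TOY_VA_BASE + e->pa == h.va) {
            e->used = 0;
            return 0;
        }
    }
    return -1;
}

/* The integer-typedef mistake, forced through by hand: address as handle. */
int toy_unmap_with_address(toy_addr_t maddr, size_t msize)
{
    return toy_unmap((toy_handle_t){ maddr }, msize);
}

/* Probe-style use: map to test mappability, then release via the handle.
 * Passing maddr itself to toy_unmap() would not compile (integer vs. struct). */
int toy_probe(toy_addr_t maddr, size_t msize)
{
    toy_handle_t memh;
    return toy_map(maddr, msize, &memh) == 0 && toy_unmap(memh, msize) == 0;
}
int main(void) { return toy_probe(0xc8000, 0x8000) ? 0 : 1; }
```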