Subject: kern/36945: Bug in IEEE1394 fwohci_at_output()
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <ross.philipson@gmail.com>
List: netbsd-bugs
Date: 09/07/2007 18:50:01
>Number: 36945
>Category: kern
>Synopsis: Bug in IEEE1394 fwohci_at_output()
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Sep 07 18:50:00 +0000 2007
>Originator: Ross Philipson
>Release: 3.0.1
>Organization:
>Environment:
NA
>Description:
The bug is down deep in some of the 1394 code and it would only happen (presumably) under low resource conditions. I didn't actually see it happen, just noted it in the code.
Within the 1394 function fwohci_at_output():
	// START HERE: this line allocs a new fwohci_buf
	fb = malloc(sizeof(*fb), M_DEVBUF, M_WAITOK);
	if (ndesc > 2) {
		if ((error = bus_dmamap_create(sc->sc_dmat, pkt->fp_dlen,
		    OHCI_DESC_MAX - 2, pkt->fp_dlen, 0, BUS_DMA_WAITOK,
		    &fb->fb_dmamap)) != 0) {
			// BAD: no descriptors have been allocated yet! Note second
			// case just below is incorrect too.
			fwohci_desc_put(sc, fb->fb_desc, ndesc);
			free(fb, M_DEVBUF);
			return error;
		}
		// etc.
	}
>How-To-Repeat:
NA
>Fix:
Just removed the 2 calls to fwohci_desc_put() where they are not needed.
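
Added example, not part of the original report and not NetBSD code: a stand-alone C model of the error path described above, in which each failure exit releases only what has been acquired by that point. All names (model_buf, model_desc_get, model_desc_put, model_at_output, model_release, pool_free) are hypothetical, and acquiring descriptors after the map is an assumption of the model.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's buffer and descriptor pool. */
struct model_buf {
    int  *desc;   /* NULL until descriptors are actually acquired */
    int   ndesc;
    void *map;    /* stands in for the DMA map */
};

static int pool_free = 8;   /* constructed: descriptors left in the pool */

static int *model_desc_get(int n) {
    int *d;
    if (n <= 0 || n > pool_free) return NULL;
    d = calloc((size_t)n, sizeof(*d));
    if (d != NULL) pool_free -= n;
    return d;
}

static void model_desc_put(int *d, int n) {
    free(d);
    pool_free += n;
}

/* map_fails simulates the low-resource failure of the map creation step. */
int model_at_output(int ndesc, int map_fails, struct model_buf **out) {
    struct model_buf *fb = calloc(1, sizeof(*fb));
    if (fb == NULL) return ENOMEM;
    fb->map = map_fails ? NULL : malloc(1);
    if (fb->map == NULL) goto fail_buf;   /* only fb is held: no desc_put */
    fb->desc = model_desc_get(ndesc);
    if (fb->desc == NULL) goto fail_map;  /* fb and map held, still no desc */
    fb->ndesc = ndesc;
    *out = fb;
    return 0;

fail_map:
    free(fb->map);
fail_buf:
    free(fb);
    return ENOMEM;
}

void model_release(struct model_buf *fb) {
    model_desc_put(fb->desc, fb->ndesc);  /* the one place descriptors go back */
    free(fb->map);
    free(fb);
}
```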