git: 76720b010873 - stable/15 - pci: bcm2838: cleanup on attach failure to fix devmatch panic
Date: Wed, 10 Jun 2026 04:01:19 UTC
The branch stable/15 has been updated by kevans:
URL: https://cgit.FreeBSD.org/src/commit/?id=76720b010873f350b94231c5380e2d19b8839795
commit 76720b010873f350b94231c5380e2d19b8839795
Author: Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2026-05-09 02:49:35 +0000
Commit: Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2026-06-10 04:00:38 +0000
pci: bcm2838: cleanup on attach failure to fix devmatch panic

Specifically on the RPi CM4, we currently don't set the controller up
right and it never moves into the ready state (we don't observe the link
active bit). Failure to clean up here actually results in a panic not
long after, due to a use-after-free in the rman bits. Further down in
pci_host_generic, we have some rman stashed in the softc that are
initialized and placed onto the rman tailq, then the softc is later
freed without an rman_fini() to pull them off of the tailq properly.

Note that PCIe on this board won't come up at boot without something
plugged in, so it currently can't be booted with an empty slot with the
intent to hotplug a supported card. Some issues with controller startup
have been observed with Broadcom NICs in the wild, but no problems have
been observed with other NICs and a variety of different PCIe cards.

Shout-out to Vince <git@darkain.com> for the extensive debugging and
analysis to arrive at this conclusion.

Reviewed by: andrew, imp

(cherry picked from commit a05af6ddf9016e4ea4f0b361aa674e7ece6fe7ec)
---
sys/arm/broadcom/bcm2835/bcm2838_pci.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/sys/arm/broadcom/bcm2835/bcm2838_pci.c b/sys/arm/broadcom/bcm2835/bcm2838_pci.c
index 2b2ad1e3bdf8..80a7516f5331 100644
--- a/sys/arm/broadcom/bcm2835/bcm2838_pci.c
+++ b/sys/arm/broadcom/bcm2835/bcm2838_pci.c
@@ -646,7 +646,7 @@ bcm_pcib_attach(device_t dev)
error = bcm_pcib_check_ranges(dev);
if (error != 0)
- return (error);
+ goto failed;
mtx_init(&sc->config_mtx, "bcm_pcib: config_mtx", NULL, MTX_DEF);
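Review bot: the jump after bcm_pcib_check_ranges() is taken before mtx_init(&sc->config_mtx, ...) runs, while the three later jumps are taken after it, yet all four share one failed: label that only calls pci_host_generic_destroy_fdt(dev). Nothing in the visible lines destroys config_mtx on the later paths. Consider a second label that does mtx_destroy(&sc->config_mtx) and falls through to failed:, or move mtx_init() past the last failure point, so the mutex is torn down exactly where it was initialized.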
@@ -680,7 +680,8 @@ bcm_pcib_attach(device_t dev)
if (tries > 100) {
device_printf(dev,
"error: controller failed to start.\n");
- return (ENXIO);
+ error = ENXIO;
+ goto failed;
}
DELAY(1000);
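Review bot: at the tries > 100 exit a controller start has already been attempted, and the new failure path only releases software state through pci_host_generic_destroy_fdt(dev); nothing shown here quiesces the bridge before the softc goes away. If the hardware can still raise interrupts or touch memory in this state, hold it in reset before the goto failed, or add a comment saying why that is not needed.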
@@ -690,7 +691,8 @@ bcm_pcib_attach(device_t dev)
if (!link_state) {
device_printf(dev, "error: controller started but link is not "
"up.\n");
- return (ENXIO);
+ error = ENXIO;
+ goto failed;
}
if (bootverbose)
device_printf(dev, "note: reported link speed is %s.\n",
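Review bot: the !link_state exit now ends in a full teardown, and per the commit message this is also the path taken with an empty slot, so the bridge never attaches and a later hotplug cannot work. That limitation is recorded only in the commit log. A short comment above the check stating that link-down at attach is treated as fatal, and why, would keep the next reader from taking the teardown for an oversight.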
@@ -741,12 +743,15 @@ bcm_pcib_attach(device_t dev)
/* Configure interrupts. */
error = bcm_pcib_msi_attach(dev);
if (error != 0)
- return (error);
+ goto failed;
/* Done. */
device_add_child(dev, "pci", DEVICE_UNIT_ANY);
bus_attach_children(dev);
return (0);
+failed:
+ pci_host_generic_destroy_fdt(dev);
+ return (error);
}
/*
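Review bot: failed: is the single exit for four failure points at different depths of setup, and it unwinds only the pci_host_generic state. For the bcm_pcib_msi_attach() failure in particular, anything that function set up before returning an error has to be released inside it, since the label does not call a matching MSI detach; worth confirming that it does, or adding the call here. A one-line comment at failed: naming what it releases (the rman entries the commit message describes) would also document why a plain return is not safe in this function.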