Date: Fri, 31 Oct 2003 06:32:29 +0100
From: Juan Manuel Sanchez
To: freebsd-stable@freebsd.org
Subject: [PATCH] avoid kernel panic during ATA probe

The ata raid code in STABLE allows 15 seconds for reading the disk headers. If during probe the ata channels need several resets to find a working configuration that time might be exceeded. When the request finally succeeds the buffer was already freed by ar_rw(), and kernel panics at any access to corrupt pointers. Try this simple patch:

----------------------------------------------------------------------- Index: ata-raid.c =================================================================== RCS file: /usr/home/ncvs/src/sys/dev/ata/ata-raid.c,v retrieving revision 1.3.2.19 diff -w -u -r1.3.2.19 ata-raid.c --- ata-raid.c 30 Jan 2003 07:19:59 -0000 1.3.2.19 +++ ata-raid.c 30 Oct 2003 22:28:30 -0000 @@ -1427,8 +1427,8 @@ AR_STRATEGY((struct buf *)bp); if (flags & AR_WAIT) { - while ((retry++ < (15*hz/10)) && (error = !(bp->b_flags & B_DONE))) - error = tsleep(bp, PRIBIO, "arrw", 10); + /* AR_STRATEGY success or timeout will wake us up */ + error = tsleep(bp, PRIBIO, "arrw", 0); if (!error && (bp->b_flags & B_ERROR)) error = bp->b_error; free(bp, M_AR); -----------------------------------------------------------------------
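
Review bot: The added `tsleep(bp, PRIBIO, "arrw", 0)` in the `AR_WAIT` branch sleeps without ever testing `B_DONE`, which the removed loop checked on every pass. If the request completes between `AR_STRATEGY()` and the sleep, the wakeup is missed and, with a timeout of 0, the thread blocks forever during probe. Conversely, any unrelated wakeup on `bp` falls straight through to `free(bp, M_AR)` while the request may still be in flight, which is the same use-after-free the patch sets out to remove. Consider looping on the flag instead, for example `while (!(bp->b_flags & B_DONE)) tsleep(bp, PRIBIO, "arrw", 0);`, with the test and the sleep made atomic against the completion interrupt. The new comment says success or timeout "will wake us up", but nothing in these lines shows the completion path calling `wakeup(bp)` or a lower-layer timeout that ends in one; please point to that code in the commit message or the comment. The `retry` counter also appears to be left unused by this hunk and could be dropped if so.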