Date:      Mon, 03 Jul 2017 18:21:39 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-scsi@FreeBSD.org
Subject:   [Bug 219701] crash in camperiphfree()
Message-ID:  <bug-219701-5312-gmg6X74mCn@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-219701-5312@https.bugs.freebsd.org/bugzilla/>
References:  <bug-219701-5312@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219701

--- Comment #9 from commit-hook@freebsd.org ---
A commit references this bug:

Author: ken
Date: Mon Jul  3 18:20:45 UTC 2017
New revision: 320608
URL: https://svnweb.freebsd.org/changeset/base/320608

Log:
  Merge r320602 from stable/11 into releng/11.1:
    ------------------------------------------------------------------------
    r320602 | ken | 2017-07-03 09:34:21 -0600 (Mon, 03 Jul 2017) | 45 lines

    MFC r320421:

      ------------------------------------------------------------------------
      r320421 | ken | 2017-06-27 13:26:02 -0600 (Tue, 27 Jun 2017) | 37 lines

      Fix a panic in camperiphfree().

      If a peripheral driver (e.g. da, sa, cd) is added or removed from the
      peripheral driver list while an unrelated peripheral driver instance (e.g.
      da0, sa5, cd2) is going away and is inside camperiphfree(), we could
      dereference an invalid pointer.

      When peripheral drivers are added or removed (see periphdriver_register()
      and periphdriver_unregister()), the peripheral driver array is resized
      and existing entries are moved.

      Although we hold the topology lock while we traverse the peripheral driver
      list, we retain a pointer to the location of the peripheral driver pointer
      and then drop the topology lock.  So we are still vulnerable to the list
      getting moved around while the lock is dropped.

      To solve the problem, cache a copy of the peripheral driver pointer.  If
      its storage location in the list changes while we have the lock dropped, it
      won't have any effect.

      This doesn't solve the issue that peripheral drivers ("da", "cd", as opposed
      to individual instances like "da0", "cd0") are not generally part of a
      reference counting scheme to guard against deregistering them while there
      are instances active.  The caller (generally the person unloading a module)
      has to be aware of active drivers and not unload something that is in use.

      sys/cam/cam_periph.c:
        In camperiphfree(), cache a pointer to the peripheral driver
        instance to avoid holding a pointer to an invalid memory location
        in the event that the peripheral driver list changes while we have
        the topology lock dropped.

      PR:               kern/219701
      Submitted by:     avg
      Sponsored by:     Spectra Logic

      ------------------------------------------------------------------------
    ------------------------------------------------------------------------

  Approved by:  re (gjb)

Changes:
_U  releng/11.1/
  releng/11.1/sys/cam/cam_periph.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
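The race the commit message describes, shown as an added illustration in C. This is a constructed model, not the FreeBSD code or the actual cam_periph.c change: `periphdriver_register_model`, `lookup_slot_unsafe`, `lookup_driver_cached` and `slot_is_live` are hypothetical names. It shows that an address of a table slot kept across the lock drop goes stale the moment an unrelated driver registers and the table is moved, while a cached copy of the driver pointer stays valid.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of CAM's peripheral driver table (not the FreeBSD code):
 * an array of driver pointers that is reallocated, with its entries moved,
 * on every registration, as the commit describes for periphdriver_register(). */
struct periph_driver { const char *name; };

static struct periph_driver **drivers;   /* the resizable table */
static size_t ndrivers;

/* Allocate a larger table, copy the old entries across, free the old table:
 * every registration moves the storage location of every existing entry. */
void periphdriver_register_model(struct periph_driver *drv)
{
    struct periph_driver **newtab = malloc((ndrivers + 1) * sizeof(*newtab));
    if (newtab == NULL) abort();
    if (ndrivers > 0) memcpy(newtab, drivers, ndrivers * sizeof(*newtab));
    newtab[ndrivers++] = drv;
    free(drivers);                       /* old slots are now dangling */
    drivers = newtab;
}

/* Buggy pattern from the commit: keep the address of the table slot (a
 * pointer to the driver pointer) across the point where the lock is dropped.
 * Returned so the caller can check whether it is still live. */
struct periph_driver **lookup_slot_unsafe(const char *name)
{
    for (size_t i = 0; i < ndrivers; i++)
        if (strcmp(drivers[i]->name, name) == 0) return &drivers[i];
    return NULL;
}

/* Fixed pattern (what r320421 does in camperiphfree()): copy the driver
 * pointer itself out of the table; later table moves cannot affect it. */
struct periph_driver *lookup_driver_cached(const char *name)
{
    for (size_t i = 0; i < ndrivers; i++)
        if (strcmp(drivers[i]->name, name) == 0) return drivers[i];
    return NULL;
}

/* Does a saved slot address still lie inside the current table?
 * Compared as integers so a stale pointer is never dereferenced. */
int slot_is_live(struct periph_driver **slot)
{
    uintptr_t p = (uintptr_t)slot, lo = (uintptr_t)drivers;
    return slot != NULL && p >= lo && p < lo + ndrivers * sizeof(*drivers);
}
```

In the real kernel the stale slot would be dereferenced rather than checked, which is the panic the commit fixes; the model only reports liveness so it can be run safely.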