From nobody Tue Nov 01 17:46:24 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4N1yB92BB6z4gtD6; Tue, 1 Nov 2022 17:46:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4N1yB91YYcz47R0; Tue, 1 Nov 2022 17:46:25 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1667324785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cnJGYxvCT9xMHUQ9fjy57TLLaKwg6x/zv9jjtcUvAzs=; b=HcHGKkHMnLOhu3D2qxaNU32I/EkiVuJ+kK00GbfZSracgHJV4Fb1hwU1p6TOgxsS//UoZN YRt3yZYSUmGNU+BH/hW+bzPI9Gups565YSYzyCXuc2xX54XVLAr2NUwINptFHy7KxijtJP JXV9SZAslNIrnVCkTtHtzsQFybUDzYJydg4mD4Ji/YTYUY0rZdIFB/8w71OpJCN8w77ldS 2Ig+PWWR3f+9O9M7B0Ru1FY1D4hcAYdb7rgJmviIfTDjOtkxjM5yUCnOfg9COJ6Pbc33nO HXAdV5URO6/9LDj3VjmMc4r+S7qxKOwfeLMk6pZjLI5owWq8h5/GLWEefuD03A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4N1yB90K6WzQ3S; Tue, 1 Nov 2022 17:46:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2A1HkO4V085827; Tue, 1 Nov 2022 17:46:24 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2A1HkOrN085826; Tue, 1 Nov 2022 17:46:24 GMT (envelope-from git) Date: Tue, 1 Nov 2022 17:46:24 GMT Message-Id: <202211011746.2A1HkOrN085826@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Andrew Gallatin Subject: git: 8b19898a78d5 - main - Fix a panic on boot introduced by 555a861d6826 List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gallatin X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 8b19898a78d52b351f4d7a6ad1d8b074d037e3b7 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1667324785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cnJGYxvCT9xMHUQ9fjy57TLLaKwg6x/zv9jjtcUvAzs=; b=DqmV5Hb2SWNWdFd8WxON/iFBSORuU4SL2zAdAve5sIjPCl+Xxd4HSFrnfhPRACzworYQMh OfxekFxuOPQoHt8bhbHL77RMio1iA1Vs2CJGm6gi674VQxxCaHP/fvne0VCyJKfAncqDMT QjP0GJBbw4yNq9Pe3uv3Jzg+T2eQXOKgZfxbRp0I0Ty2nKGZkIuJaBhbSNgmZ8oRBnQLNJ SB+2jBgJQhxE21SWbEMbtTudFWn1IUYASM7dko9kzIYZ+j36cZKlnfDob2xSUiuCdg6Vzj x1yZWDrcieRtVpKO6H0Ic4oKTIkOPycAF24UEUg7xIfzws0KXq1bUTK16/xaog== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1667324785; a=rsa-sha256; cv=none; b=xbRA+PN8wkZz8Ci5jRhMizhYUKy5s6TP+dTu6YeIhoqDYdlT1m+6tyZw8fTILk5eQTBtyX V7Ej9oMPCHs4eWjgKlj1TycBltSt5WEwb8TX6NyTtXRCYTqMgyVGAq1AP5CMpiNb97RsKJ WqD6pAiqZTiBPa0gDLPt8CYTglgEvSMsQus5kYkHSIRJIlWXWi+lReSFpwObyhb4HP6juQ GnHrtgcEYSPyPQ8Fbd6NfUzLAWWW4nWp3Uj0oMvU56QAiwMjyWU1tQwGyWTcWtKpsp47fH WoUpHa2w1RTJfIHr2jhP1j2Kg7dZ8DuNnQ49Naf8F3wAGodJiHANyKVF7rnMfw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by gallatin: URL: https://cgit.FreeBSD.org/src/commit/?id=8b19898a78d52b351f4d7a6ad1d8b074d037e3b7 commit 8b19898a78d52b351f4d7a6ad1d8b074d037e3b7 Author: Andrew Gallatin AuthorDate: 2022-11-01 17:44:39 +0000 Commit: Andrew Gallatin CommitDate: 2022-11-01 17:44:39 +0000 Fix a panic on boot introduced by 555a861d6826 First, an sbuf_new() in device_get_path() shadows the sb passed in by dev_wired_cache_add(), leaving its sb in an unfinished state, leading to a failed KASSERT(). Fixing this is as simple as removing the sbuf_new() from device_get_path() Second, we cannot simply take a pointer to the sbuf memory and store it in the device location cache, because that sbuf is freed immediately after we add data to the cache, leading to a use-after-free and eventually a double-free. Fixing this requires allocating memory for the path. After a discussion with jhb, we decided that one malloc was better than two in dev_wired_cache_add, which is why it changed so much. Reviewed by: jhb Sponsored by: Netflix MFC after: 14 days --- sys/kern/subr_bus.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/sys/kern/subr_bus.c b/sys/kern/subr_bus.c index 5c165419af2d..2fcf650b0289 100644 --- a/sys/kern/subr_bus.c +++ b/sys/kern/subr_bus.c @@ -5310,7 +5310,7 @@ device_get_path(device_t dev, const char *locator, struct sbuf *sb) device_t parent; int error; - sb = sbuf_new(NULL, NULL, 0, SBUF_AUTOEXTEND | SBUF_INCLUDENUL); + KASSERT(sb != NULL, ("sb is NULL")); parent = device_get_parent(dev); if (parent == NULL) { error = sbuf_printf(sb, "/"); @@ -5663,8 +5663,6 @@ dev_wired_cache_fini(device_location_cache_t *dcp) struct device_location_node *dln, *tdln; TAILQ_FOREACH_SAFE(dln, &dcp->dlc_list, dln_link, tdln) { - /* Note: one allocation for both node and locator, but not path */ - free(__DECONST(void *, dln->dln_path), M_BUS); free(dln, M_BUS); } free(dcp, M_BUS); @@ -5687,12 +5685,15 @@ static struct device_location_node * dev_wired_cache_add(device_location_cache_t *dcp, const char *locator, const char *path) { struct device_location_node *dln; - char *l; - - dln = malloc(sizeof(*dln) + strlen(locator) + 1, M_BUS, M_WAITOK | M_ZERO); - dln->dln_locator = l = (char *)(dln + 1); - memcpy(l, locator, strlen(locator) + 1); - dln->dln_path = path; + size_t loclen, pathlen; + + loclen = strlen(locator) + 1; + pathlen = strlen(path) + 1; + dln = malloc(sizeof(*dln) + loclen + pathlen, M_BUS, M_WAITOK | M_ZERO); + dln->dln_locator = (char *)(dln + 1); + memcpy(__DECONST(char *, dln->dln_locator), locator, loclen); + dln->dln_path = dln->dln_locator + loclen; + memcpy(__DECONST(char *, dln->dln_path), path, pathlen); TAILQ_INSERT_HEAD(&dcp->dlc_list, dln, dln_link); return (dln);