[Bug 219701] crash in camperiphfree()

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jun 27 19:26:49 UTC 2017 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219701

--- Comment #4 from commit-hook at freebsd.org ---
A commit references this bug:

Author: ken
Date: Tue Jun 27 19:26:03 UTC 2017
New revision: 320421
URL: https://svnweb.freebsd.org/changeset/base/320421

Log:
  Fix a panic in camperiphfree().

  If a peripheral driver (e.g. da, sa, cd) is added or removed from the
  peripheral driver list while an unrelated peripheral driver instance (e.g.
  da0, sa5, cd2) is going away and is inside camperiphfree(), we could
  dereference an invalid pointer.

  When peripheral drivers are added or removed (see periphdriver_register()
  and periphdriver_unregister()), the peripheral driver array is resized
  and existing entries are moved.

  Although we hold the topology lock while we traverse the peripheral driver
  list, we retain a pointer to the location of the peripheral driver pointer
  and then drop the topology lock.  So we are still vulnerable to the list
  getting moved around while the lock is dropped.

  To solve the problem, cache a copy of the peripheral driver pointer.  If
  its storage location in the list changes while we have the lock dropped, it
  won't have any effect.

  This doesn't solve the issue that peripheral drivers ("da", "cd", as opposed
  to individual instances like "da0", "cd0") are not generally part of a
  reference counting scheme to guard against deregistering them while there
  are instances active.  The caller (generally the person unloading a module)
  has to be aware of active drivers and not unload something that is in use.

  sys/cam/cam_periph.c:
        In camperiphfree(), cache a pointer to the peripheral driver
        instance to avoid holding a pointer to an invalid memory location
        in the event that the peripheral driver list changes while we have
        the topology lock dropped.

  PR:           kern/219701
  Submitted by: avg
  MFC after:    3 days
  Sponsored by: Spectra Logic

Changes:
  head/sys/cam/cam_periph.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.

More information about the freebsd-scsi mailing list