Date: Sun, 16 May 2021 12:55:20 -0400
From: Mark Johnston <markj@freebsd.org>
To: Edward Tomasz Napierala <trasz@freebsd.org>
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 0f206cc91279 - main - cam: add missing zeroing of a stack-allocated CCB.
Message-ID: <YKFOeDlJhm8sJHJX@nuc>
In-Reply-To: <202105161045.14GAjZIL093217@gitrepo.freebsd.org>
References: <202105161045.14GAjZIL093217@gitrepo.freebsd.org>
On Sun, May 16, 2021 at 10:45:35AM +0000, Edward Tomasz Napierala wrote:
> The branch main has been updated by trasz:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=0f206cc91279e630ad9e733eb6e330b7dbe6c70e
>
> commit 0f206cc91279e630ad9e733eb6e330b7dbe6c70e
> Author:     Edward Tomasz Napierala <trasz@FreeBSD.org>
> AuthorDate: 2021-05-16 09:28:04 +0000
> Commit:     Edward Tomasz Napierala <trasz@FreeBSD.org>
> CommitDate: 2021-05-16 10:38:26 +0000
>
>     cam: add missing zeroing of a stack-allocated CCB.
>
>     This could cause a panic at boot.

There are other instances of this, for example syzbot is currently hitting
an assertion, seemingly because the alloc_flags field of a stack-allocated
CCB was not zeroed: https://syzkaller.appspot.com/bug?extid=2e9ce63919709feb3d1c

I think the patch below will fix it, but I did not audit other callers.
It feels a bit strange to require all callers of xpt_setup_ccb() to
manually zero the structure first; can we provide a single routine to
initialize stack-allocated CCBs?

diff --git a/sys/dev/virtio/scsi/virtio_scsi.c b/sys/dev/virtio/scsi/virtio_scsi.c
index 51d9e5f532f7..adf4fd17fc5b 100644
--- a/sys/dev/virtio/scsi/virtio_scsi.c
+++ b/sys/dev/virtio/scsi/virtio_scsi.c
@@ -700,6 +700,7 @@ vtscsi_register_async(struct vtscsi_softc *sc)
 {
 	struct ccb_setasync csa;
 
+	memset(&csa, 0, sizeof(csa));
 	xpt_setup_ccb(&csa.ccb_h, sc->vtscsi_path, 5);
 	csa.ccb_h.func_code = XPT_SASYNC_CB;
 	csa.event_enable = AC_LOST_DEVICE | AC_FOUND_DEVICE;
@@ -716,6 +717,7 @@ vtscsi_deregister_async(struct vtscsi_softc *sc)
 {
 	struct ccb_setasync csa;
 
+	memset(&csa, 0, sizeof(csa));
 	xpt_setup_ccb(&csa.ccb_h, sc->vtscsi_path, 5);
 	csa.ccb_h.func_code = XPT_SASYNC_CB;
 	csa.event_enable = 0;
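Review bot: in the vtscsi_register_async hunk the ordering is the important part and deserves a comment: the memset(&csa, 0, sizeof(csa)) must stay before xpt_setup_ccb(&csa.ccb_h, sc->vtscsi_path, 5), because xpt_setup_ccb() fills in header fields (the path and priority passed here) that a zeroing placed afterwards would wipe, reintroducing the uninitialized-alloc_flags problem in a different form. A one-line comment such as "stack CCBs must be zeroed before xpt_setup_ccb()" above the memset would keep the next copy of this pattern from being written the other way round; the same three-line sequence now appears twice in this file, which is exactly the case for the single init routine proposed above.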
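Review bot: in the vtscsi_deregister_async hunk the trailing csa.event_enable = 0; is now redundant with the new memset(&csa, 0, sizeof(csa)), which already zeroes every field of csa. Keeping it is harmless and documents that this function deliberately disables all events, so either leave it with a short comment to that effect or drop it; what should not happen is a later cleanup removing the memset on the grounds that the explicit assignment covers it, since event_enable is not the field the assertion concerns (alloc_flags in ccb_h is, and only the memset clears that).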