From owner-svn-src-head@FreeBSD.ORG Mon Sep 17 07:32:54 2012 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 554F81065672; Mon, 17 Sep 2012 07:32:54 +0000 (UTC) (envelope-from trociny@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 3F6858FC1E; Mon, 17 Sep 2012 07:32:54 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q8H7Ws4H070016; Mon, 17 Sep 2012 07:32:54 GMT (envelope-from trociny@svn.freebsd.org) Received: (from trociny@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q8H7Wsvr070014; Mon, 17 Sep 2012 07:32:54 GMT (envelope-from trociny@svn.freebsd.org) Message-Id: <201209170732.q8H7Wsvr070014@svn.freebsd.org> From: Mikolaj Golub Date: Mon, 17 Sep 2012 07:32:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r240595 - head/usr.sbin/bsnmpd/modules/snmp_hostres X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 07:32:54 -0000 Author: trociny Date: Mon Sep 17 07:32:53 2012 New Revision: 240595 URL: http://svn.freebsd.org/changeset/base/240595 Log: In snmp_hostres, device_map table is used for consistent device table indexing. When a device has gone it is not removed from device_map table but just its entry_p field is set to NULL. So when traversing device_map in disk_OS_get_ATA_disks() and disk_OS_get_MD_disks() check for entry_p being NULL, otherwise the bsnmpd crash is possible when a removed map entry is dereferenced. Before the fix, for disk_OS_get_ATA_disks() the crash could be easily reproduced running: atacontrol detach ata1 The crash was not observed in disk_OS_get_MD_disks() because currently snmp_hostres does no see md(4) disks: to get the device list it uses devinfo(3), which does not return md devices. Reported by: Miroslav Lachman 000.fbsd quip.cz MFC after: 1 week Modified: head/usr.sbin/bsnmpd/modules/snmp_hostres/hostres_diskstorage_tbl.c Modified: head/usr.sbin/bsnmpd/modules/snmp_hostres/hostres_diskstorage_tbl.c ============================================================================== --- head/usr.sbin/bsnmpd/modules/snmp_hostres/hostres_diskstorage_tbl.c Mon Sep 17 07:14:07 2012 (r240594) +++ head/usr.sbin/bsnmpd/modules/snmp_hostres/hostres_diskstorage_tbl.c Mon Sep 17 07:32:53 2012 (r240595) @@ -287,6 +287,9 @@ disk_OS_get_ATA_disks(void) /* Walk over the device table looking for ata disks */ STAILQ_FOREACH(map, &device_map, link) { + /* Skip deleted entries. */ + if (map->entry_p == NULL) + continue; for (found = lookup; found->media != DSM_UNKNOWN; found++) { if (strncmp(map->name_key, found->dev_name, strlen(found->dev_name)) != 0) @@ -345,6 +348,9 @@ disk_OS_get_MD_disks(void) /* Look for md devices */ STAILQ_FOREACH(map, &device_map, link) { + /* Skip deleted entries. */ + if (map->entry_p == NULL) + continue; if (sscanf(map->name_key, "md%d", &unit) != 1) continue;