Date: Sun, 18 Jan 2004 17:44:48 +0200 From: Ruslan Ermilov <ru@freebsd.org> To: Paul Twohey <twohey@CS.Stanford.EDU> Cc: scsi@freebsd.org Subject: Re: [CHECKER] bugs in FreeBSD Message-ID: <20040118154447.GA32115@FreeBSD.org.ua> In-Reply-To: <Pine.LNX.4.44.0401161607260.26554-100000@Xenon.Stanford.EDU> References: <Pine.LNX.4.44.0401161607260.26554-100000@Xenon.Stanford.EDU>
next in thread | previous in thread | raw e-mail | index | archive | help
--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, Jan 16, 2004 at 04:09:34PM -0800, Paul Twohey wrote:
[...]
> ---------------------------------------------------------
> [BUG]
> /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/dpt/dpt_scsi.=
c:1542:dpt_attach:ERROR:LEAK:1542:1571: pointer=3Ddevq from RO=3Dcam_simq_a=
lloc(-1) [s=3D21,pop=3D21,pr=3D0.99] [rank=3Dmed] leaked! [z=3D1.0] [succes=
s=3D3]
>=20
> int i;
>=20
> /*
> * Create the device queue for our SIM.
> */
> Start --->
> devq =3D cam_simq_alloc(dpt->max_dccbs);
>=20
> ... DELETED 23 lines ...
>=20
>=20
> }
> if (i > 0)
> EVENTHANDLER_REGISTER(shutdown_final, dptshutdown,
> dpt, SHUTDOWN_PRI_DEFAULT);
> Error --->
> return (i);
> }
>=20
> int
> ---------------------------------------------------------
We aren't leaking "devq" here, it's freed (if necessary) by setting
the second cam_sim_free() argument to true:
if (xpt_bus_register(dpt->sims[i], i) !=3D CAM_SUCCESS) {
cam_sim_free(dpt->sims[i], /*free_devq*/i =3D=3D 0);
break;
}
But we're missing the proper NULL checking, here's the fix:
%%%
Index: dpt_scsi.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/dev/dpt/dpt_scsi.c,v
retrieving revision 1.45
diff -u -p -r1.45 dpt_scsi.c
--- dpt_scsi.c 24 Aug 2003 17:46:04 -0000 1.45
+++ dpt_scsi.c 18 Jan 2004 15:39:13 -0000
@@ -1553,6 +1553,8 @@ dpt_attach(dpt_softc_t *dpt)
dpt->sims[i] =3D cam_sim_alloc(dpt_action, dpt_poll, "dpt",
dpt, dpt->unit, /*untagged*/2,
/*tagged*/dpt->max_dccbs, devq);
+ if (dpt->sims[i] =3D=3D NULL)
+ break;
if (xpt_bus_register(dpt->sims[i], i) !=3D CAM_SUCCESS) {
cam_sim_free(dpt->sims[i], /*free_devq*/i =3D=3D 0);
break;
%%%
--=20
Ruslan Ermilov
FreeBSD committer
ru@FreeBSD.org
--lrZ03NoBR/3+SXJZ
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
iD8DBQFACqnvUkv4P6juNwoRAmc2AJ4yZOY/4fv1WzHuGBEtrFzVYHmRiACeMSY6
/ucH2Zb2vN73gaOViebu77U=
=g3Hd
-----END PGP SIGNATURE-----
--lrZ03NoBR/3+SXJZ--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040118154447.GA32115>