Date: Thu, 6 Mar 1997 04:49:17 +0100 (MET)
From: Tor Egge <Tor.Egge@idt.ntnu.no>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/2891: cdstart are sometimes called at too low spl level
Message-ID: <199703060349.EAA00846@ikke.idt.unit.no>
Resent-Message-ID: <199703060350.TAA08205@freefall.freebsd.org>
>Number: 2891
>Category: kern
>Synopsis: cdstart are sometimes called at too low spl level
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 5 19:50:01 PST 1997
>Last-Modified:
>Originator: Tor Egge
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
FreeBSD ikke.idt.unit.no 3.0-CURRENT FreeBSD 3.0-CURRENT #3: Thu Mar 6 02:18:52 MET 1997 root@ikke.idt.unit.no:/usr/src/sys/compile/TEGGE i386
>Description:
scsi_scsi_cmd calls free_xs without first calling splbio().
free_xs then proceeds to call start routines such as cdstart.
Many routines that call scsi_scsi_cmd do not call splbio() before calling
scsi_scsi_cmd.
By performing the ioctl function CDIOREADTOCHEADER, the call stack at
one point is
	cdioctl
	scsi_ioctl
	cd_ioctl
	cd_read_toc
	scsi_scsi_cmd
	free_xs
	cdstart
with a too low spl level.
>How-To-Repeat:
Perform an ioctl function that calls scsi_scsi_cmd without first calling
splbio(), e.g. CDIOREADTOCHEADER.
>Fix:
This patch encloses the call to free_xs from scsi_scsi_cmd inside
a splbio()/splx() pair.
Index: scsi_base.c
===================================================================
RCS file: /home/ncvs/src/sys/scsi/scsi_base.c,v
retrieving revision 1.43
diff -c -6 -r1.43 scsi_base.c
*** scsi_base.c 1997/01/30 22:47:55 1.43
--- scsi_base.c 1997/03/06 01:18:32
***************
*** 612,624 ****
--- 612,627 ----
}
/*
* we have finished with the xfer stuct, free it and
* check if anyone else needs to be started up.
*/
bad:
+ /* Need splbio since free_xs might call cdstart */
+ s = splbio();
free_xs(xs, sc_link, flags); /* includes the 'start' op */
+ splx(s);
if (bp && retval) {
bp->b_error = retval;
bp->b_flags |= B_ERROR;
biodone(bp);
}
return (retval);
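Review bot: The added s = splbio(); at the bad: label uses a variable s whose declaration is not among the visible lines, so confirm that s is declared at function scope in scsi_scsi_cmd and that it is not still holding a saved level from an earlier splbio() that needs its own splx(s). The new comment also names only cdstart, while the existing comment on the same call says free_xs "includes the 'start' op"; wording it as "free_xs may call the device start routine (e.g. cdstart)" would keep it accurate for other device types.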
>Audit-Trail:
>Unformatted:
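Added example, not part of the original report or the FreeBSD source: a user-space C model of the spl problem described above, which also shows that the splbio()/splx() pair leaves a caller that already holds splbio at that level. The ordered levels, cur_spl and the model_* functions are assumptions standing in for the kernel's interrupt masking, free_xs and cdstart.

```c
#include <stdio.h>

/* Simplified user-space model: the real spl*() routines mask interrupts. */
enum { SPL_NONE = 0, SPL_BIO = 1 };
static int cur_spl = SPL_NONE;   /* current (modelled) priority level */
static int start_spl = -1;       /* level observed inside the start routine */

/* Raise to at least SPL_BIO and return the previous level. */
static int splbio(void)
{
    int old = cur_spl;
    if (cur_spl < SPL_BIO)
        cur_spl = SPL_BIO;
    return old;
}

/* Restore a previously saved level. */
static void splx(int s) { cur_spl = s; }

/* Stand-in for cdstart: works on the device queue, so it needs SPL_BIO. */
static void model_start(void) { start_spl = cur_spl; }

/* Stand-in for free_xs: releases the xfer and runs the 'start' op. */
static void model_free_xs(void) { model_start(); }

/* Tail of the command path before the patch: no spl change around free_xs. */
static int cmd_tail_unpatched(void)
{
    model_free_xs();
    return start_spl;
}

/* Tail of the command path with the splbio()/splx() pair from the patch. */
static int cmd_tail_patched(void)
{
    int s = splbio();
    model_free_xs();
    splx(s);                     /* back to the caller's level, not to 0 */
    return start_spl;
}

int main(void)
{
    printf("unpatched, caller at 0: start ran at %d\n", cmd_tail_unpatched());
    printf("patched, caller at 0: start ran at %d\n", cmd_tail_patched());
    int s = splbio();            /* a caller that already holds splbio */
    printf("patched, caller at splbio: start ran at %d\n", cmd_tail_patched());
    printf("level after return: %d\n", cur_spl);
    splx(s);
    return 0;
}
```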
