From owner-freebsd-bugs Wed Mar 5 19:50:03 1997
Message-Id: <199703060349.EAA00846@ikke.idt.unit.no>
Date: Thu, 6 Mar 1997 04:49:17 +0100 (MET)
From: Tor Egge
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/2891: cdstart is sometimes called at too low an spl level

>Number:         2891
>Category:       kern
>Synopsis:       cdstart is sometimes called at too low an spl level
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 5 19:50:01 PST 1997
>Last-Modified:
>Originator:     Tor Egge
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:
FreeBSD ikke.idt.unit.no 3.0-CURRENT FreeBSD 3.0-CURRENT #3: Thu Mar 6 02:18:52 MET 1997 root@ikke.idt.unit.no:/usr/src/sys/compile/TEGGE i386
>Description:
scsi_scsi_cmd calls free_xs
without first calling splbio(). free_xs then proceeds to call start routines such as cdstart. Many routines that call scsi_scsi_cmd do not call splbio() before calling scsi_scsi_cmd. When the ioctl function CDIOREADTOCHEADER is performed, the call stack at one point is

	cdioctl
	scsi_ioctl
	cd_ioctl
	cd_read_toc
	scsi_scsi_cmd
	free_xs
	cdstart

with too low an spl level.
>How-To-Repeat:
Perform an ioctl function that calls scsi_scsi_cmd without first calling splbio(), e.g. CDIOREADTOCHEADER.
>Fix:
This patch encloses the call to free_xs from scsi_scsi_cmd inside a splbio()/splx() pair.

Index: scsi_base.c =================================================================== RCS file: /home/ncvs/src/sys/scsi/scsi_base.c,v retrieving revision 1.43 diff -c -6 -r1.43 scsi_base.c *** scsi_base.c 1997/01/30 22:47:55 1.43 --- scsi_base.c 1997/03/06 01:18:32 *************** *** 612,624 **** --- 612,627 ---- } /* * we have finished with the xfer stuct, free it and * check if anyone else needs to be started up. */ bad: + /* Need splbio since free_xs might call cdstart */ + s = splbio(); free_xs(xs, sc_link, flags); /* includes the 'start' op */ + splx(s); if (bp && retval) { bp->b_error = retval; bp->b_flags |= B_ERROR; biodone(bp); } return (retval);

>Audit-Trail:
>Unformatted:
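Review bot: The hunk assigns `s = splbio();` but the visible lines do not show a declaration of `s` in scsi_scsi_cmd; unless the function already declares an `int s`, this will not compile, so the declaration should be part of this change (or the `-c -6` context widened to show it). The added comment `/* Need splbio since free_xs might call cdstart */` is also narrower than the actual reason: free_xs runs whichever device's start routine is pending, not only cdstart, so a comment such as `/* free_xs may run a device start routine, which expects splbio */` documents the invariant rather than one instance of it. Since `splx(s)` restores the caller's previous level, callers that already hold splbio are unaffected, which is the right shape for a fix inside the callee.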
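The spl discipline the Description and Fix are about, as an added example that is not the PR's or FreeBSD's code: a small C model of spl levels in which the start routine counts every entry below splbio, so the unpatched and patched shapes of scsi_scsi_cmd can be compared from an spl0 caller such as cd_read_toc. The names mirror the PR's (splbio, splx, free_xs, cdstart, scsi_scsi_cmd), but every body is a constructed stand-in, not kernel code.

```c
/* Model of spl levels, constructed for this example (not kernel code):
 * a higher level means more interrupt classes are masked. */
enum { SPL0 = 0, SPLBIO = 1 };

static int cur_spl = SPL0;
static int cdstart_violations; /* cdstart entries seen below splbio */

/* splbio() raises the level and returns the old one; splx() restores it. */
static int splbio(void)
{
    int s = cur_spl;
    if (cur_spl < SPLBIO)
        cur_spl = SPLBIO;
    return s;
}
static void splx(int s) { cur_spl = s; }

/* Start routine: it touches queues shared with the disk interrupt
 * handler, so it must be entered at splbio or higher. */
static void cdstart(void)
{
    if (cur_spl < SPLBIO)
        cdstart_violations++;
}

/* free_xs frees the transfer struct and kicks the start routine. */
static void free_xs(void) { cdstart(); }

/* Before the fix: free_xs runs at whatever level the caller had. */
static void scsi_scsi_cmd_unpatched(void) { free_xs(); }

/* After the fix: the free_xs call is bracketed by splbio()/splx(). */
static void scsi_scsi_cmd_patched(void)
{
    int s = splbio();
    free_xs();
    splx(s); /* puts the caller's level back, so nesting is harmless */
}

/* Runs cmd from spl0 (as cd_read_toc does via CDIOREADTOCHEADER) and
 * returns how many times cdstart was entered below splbio. */
static int violations_from_spl0(void (*cmd)(void))
{
    cdstart_violations = 0;
    cur_spl = SPL0;
    cmd();
    return cdstart_violations;
}
```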