From owner-freebsd-drivers@freebsd.org  Sun Jun 18 09:37:32 2017
Return-Path: <owner-freebsd-drivers@freebsd.org>
Delivered-To: freebsd-drivers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3F91AD8D165;
 Sun, 18 Jun 2017 09:37:32 +0000 (UTC)
 (envelope-from baijiaju1990@163.com)
Received: from m12-12.163.com (m12-12.163.com [220.181.12.12])
 by mx1.freebsd.org (Postfix) with ESMTP id 56D8D65B78;
 Sun, 18 Jun 2017 09:37:30 +0000 (UTC)
 (envelope-from baijiaju1990@163.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
 s=s110527; h=From:Subject:Date:Message-Id; bh=fknIQq1ayyu391lElL
 PIhlsvvS60FUnVNZuVw2T5lzk=; b=BUe9nejL98ia7565+T158cD7tpIXgza3kI
 bTJELYPhGPVcbeCx5LZRXHNVBQtD/IkuoQn8vDNQ2PiKSA7L/vQdsdTJlSWaIEwr
 TYCfoxAmv51YgJ2ybjs/++Hgw1zQTsLM/XR2zFwP8WYmTfW0FurI9QV0TPi0Iwgd
 6SUHhTue0=
Received: from bai.tsinghua.edu.cn (unknown [166.111.70.9])
 by smtp8 (Coremail) with SMTP id DMCowAB3oqbPSUZZjNv3Cw--.35153S2;
 Sun, 18 Jun 2017 17:37:24 +0800 (CST)
From: Jia-Ju Bai <baijiaju1990@163.com>
To: 
Cc: freebsd-drivers@freebsd.org, freebsd-scsi@freebsd.org,
 Jia-Ju Bai <baijiaju1990@163.com>
Subject: [Bug 220094][PATCH] scsi_sa: Fix a possible sleep-under-mutex bug in
 saioctl
Date: Sun, 18 Jun 2017 17:37:15 +0800
Message-Id: <20170618093715.40555-1-baijiaju1990@163.com>
X-Mailer: git-send-email 2.13.0
X-CM-TRANSID: DMCowAB3oqbPSUZZjNv3Cw--.35153S2
X-Coremail-Antispam: 1Uf129KBjvdXoW7GF45Xw4rJr43Kw18KF4kZwb_yoWDArc_WF
 yv9r1DtrWUKr4xtFn3AFWfuF9Fgw4rWrnYyF1YyFWfZryDXFnYka4xWrn3ZrWfX34j9345
 G3s8try5Ar17AjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
 9fnUUvcSsGvfC2KfnxnUUI43ZEXa7IUUAwIPUUUUU==
X-Originating-IP: [166.111.70.9]
X-CM-SenderInfo: xedlyx5dmximizq6il2tof0z/1tbiYxT6elaDtdVKGwAAsT
X-BeenThere: freebsd-drivers@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Writing device drivers for FreeBSD <freebsd-drivers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-drivers>, 
 <mailto:freebsd-drivers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-drivers/>
List-Post: <mailto:freebsd-drivers@freebsd.org>
List-Help: <mailto:freebsd-drivers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-drivers>, 
 <mailto:freebsd-drivers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jun 2017 09:37:32 -0000

The driver may sleep under a mutex, and the function call path is:
saioctl [acquire the mutex]
   saextget
     malloc(M_WAITOK) --> may sleep

The possible fix of this bug is to replace "M_WAITOK" in malloc with 
"M_NOWAIT".

This bug is found by a static analysis tool written by myself, and it is 
checked by my review of the FreeBSD code.

Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
---
 sys/cam/scsi/scsi_sa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/cam/scsi/scsi_sa.c b/sys/cam/scsi/scsi_sa.c
index 8a8451c3bce..b884bd3d65f 100644
--- a/sys/cam/scsi/scsi_sa.c
+++ b/sys/cam/scsi/scsi_sa.c
@@ -4465,7 +4465,7 @@ saextget(struct cdev *dev, struct cam_periph *periph, struct sbuf *sb,
 		if (cgd.serial_num_len > sizeof(tmpstr)) {
 			ts2_len = cgd.serial_num_len + 1;
 			ts2_malloc = 1;
-			tmpstr2 = malloc(ts2_len, M_SCSISA, M_WAITOK | M_ZERO);
+			tmpstr2 = malloc(ts2_len, M_SCSISA, M_NOWAIT | M_ZERO);
 		} else {
 			ts2_len = sizeof(tmpstr);
 			ts2_malloc = 0;
-- 
2.13.0