Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 12 Jun 2012 01:53:04 +0300
From:      Konstantin Belousov <kostikbel@gmail.com>
To:        Steven Haber <steven.haber@isilon.com>
Cc:        freebsd-geom@freebsd.org
Subject:   Re: Geom / destroy_dev() deadlock
Message-ID:  <20120611225304.GK2337@deviant.kiev.zoral.com.ua>
In-Reply-To: <56CE86D6660FF84498426FA7A33170B403429115@seaxch01.desktop.isilon.com>
References:  <56CE86D6660FF84498426FA7A33170B4033672EF@seaxch01.desktop.isilon.com> <20120611204334.GH2337@deviant.kiev.zoral.com.ua> <56CE86D6660FF84498426FA7A33170B403367535@seaxch01.desktop.isilon.com> <20120611215610.GJ2337@deviant.kiev.zoral.com.ua> <56CE86D6660FF84498426FA7A33170B403429115@seaxch01.desktop.isilon.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

--EMQjp+MvU6EBGjHc
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Jun 11, 2012 at 03:27:39PM -0700, Steven Haber wrote:
> > I do not understand what you are proposing. Could you, please, show
> > the patch ?
>=20
> ---
>  src/sys/geom/geom_dev.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>=20
> diff --git a/src/sys/geom/geom_dev.c b/src/sys/geom/geom_dev.c
> index 38251e1..787235a 100644
> --- a/src/sys/geom/geom_dev.c
> +++ b/src/sys/geom/geom_dev.c
> @@ -497,7 +497,7 @@ g_dev_orphan(struct g_consumer *cp)
> =20
>         /* Destroy the struct cdev *so we get no more requests */
>         unit =3D dev2unit(dev);
> -       destroy_dev(dev);
> +       destroy_dev_sched(dev);
>         free_unr(unithdr, unit);
> =20
>         /* Wait for the cows to come home */

Did you noted the comment above the block you changing ?
The patch would cause races allowing arbitrary kernel memory corruption.

The moment when the cdev is destroyed is somewhere in future, while
structures that the cdev reference are freed synchronously.

I tried to put some safety measures into destroy_dev_sched(9), namely
CDP_SCHED_DTR flag that somewhat reduces the possibility of usermode
accessing cdev after destroy_dev_sched(), but this cannot be eliminated
entirely.

--EMQjp+MvU6EBGjHc
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/WdtAACgkQC3+MBN1Mb4jpDQCgiBoVnAOan9YOILDSohRzV8HC
uFIAn1QA/tyJRtL/xtZm7chlsJtltTcE
=8EDz
-----END PGP SIGNATURE-----

--EMQjp+MvU6EBGjHc--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120611225304.GK2337>