Date:      Mon, 13 Dec 2021 11:51:00 GMT
From:      Andriy Gapon <avg@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: df472af034e7 - main - mmc_sim: fix setting of the mutex name
Message-ID:  <202112131151.1BDBp0jV078736@gitrepo.freebsd.org>

The branch main has been updated by avg:

URL: https://cgit.FreeBSD.org/src/commit/?id=df472af034e7726dea533ac7f44440dad4ba6a34

commit df472af034e7726dea533ac7f44440dad4ba6a34
Author:     Andriy Gapon <avg@FreeBSD.org>
AuthorDate: 2021-11-26 14:00:45 +0000
Commit:     Andriy Gapon <avg@FreeBSD.org>
CommitDate: 2021-12-13 11:40:47 +0000

    mmc_sim: fix setting of the mutex name
    
    To quote the manual:
     The pointer passed in as name and type is saved rather than the data
     it points to.  The data pointed to must remain stable until the mutex
     is destroyed.
    
    It seems that the type is actually copied, but the name is stored as
    a pointer indeed.
    mmc_cam_sim_alloc used a name stored on stack.
    So, a corrupt mutex name would be reported.
    For example:
      lock order reversal: (sleepable after non-sleepable)
      1st 0xd7285b20 <8A><C0><C0>P@<C1><D0>P@<C1>^D^A (aw_mmc_sim, sleep mutex) @ /usr/devel/git/orange/sys/cam/cam_xpt.c:2804
    
    This change moves the name to struct mmc_sim.
    Also, that name is used as the sim name as well.
    Unused mtx_name variable is removed too.
---
 sys/cam/mmc/mmc_sim.c | 9 +++------
 sys/cam/mmc/mmc_sim.h | 1 +
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/sys/cam/mmc/mmc_sim.c b/sys/cam/mmc/mmc_sim.c
index 45d706f61d0a..792551a93511 100644
--- a/sys/cam/mmc/mmc_sim.c
+++ b/sys/cam/mmc/mmc_sim.c
@@ -191,7 +191,6 @@ mmc_cam_sim_default_action(struct cam_sim *sim, union ccb *ccb)
 int
 mmc_cam_sim_alloc(device_t dev, const char *name, struct mmc_sim *mmc_sim)
 {
-	char sim_name[64], mtx_name[64];
 
 	mmc_sim->dev = dev;
 
@@ -199,13 +198,11 @@ mmc_cam_sim_alloc(device_t dev, const char *name, struct mmc_sim *mmc_sim)
 		goto fail;
 	}
 
-	snprintf(sim_name, sizeof(sim_name), "%s_sim", name);
-	snprintf(mtx_name, sizeof(mtx_name), "%s_mtx", name);
-
-	mtx_init(&mmc_sim->mtx, sim_name, NULL, MTX_DEF);
+	snprintf(mmc_sim->name, sizeof(mmc_sim->name), "%s_sim", name);
+	mtx_init(&mmc_sim->mtx, mmc_sim->name, NULL, MTX_DEF);
 	mmc_sim->sim = cam_sim_alloc(mmc_cam_sim_default_action,
 	    mmc_cam_default_poll,
-	    name, mmc_sim, device_get_unit(dev),
+	    mmc_sim->name, mmc_sim, device_get_unit(dev),
 	    &mmc_sim->mtx, 1, 1, mmc_sim->devq);
 
 	if (mmc_sim->sim == NULL) {
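
Review bot: the third argument to cam_sim_alloc() changes from `name` to `mmc_sim->name`, so the sim name passed in is now the "%s_sim" string rather than the bare `name`; that is a visible rename riding along with the mutex-name lifetime fix. If anything keys on the old sim name, consider keeping `name` for cam_sim_alloc() and using `mmc_sim->name` only for mtx_init(), or record the rename in a comment at this call. Separately, the snprintf() into the 64-byte `mmc_sim->name` truncates silently for a long `name`; comparing its return value against sizeof(mmc_sim->name) would make that case explicit.
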
diff --git a/sys/cam/mmc/mmc_sim.h b/sys/cam/mmc/mmc_sim.h
index 2b1159a9758e..10bd183c307d 100644
--- a/sys/cam/mmc/mmc_sim.h
+++ b/sys/cam/mmc/mmc_sim.h
@@ -33,6 +33,7 @@
 struct mmc_sim {
 	struct mmc_cam_sim_softc	*sc;
 	struct mtx			mtx;
+	char				name[64];
 	struct cam_devq			*devq;
 	struct cam_sim			*sim;
 	device_t			dev;
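
Review bot: the new `name[64]` field carries no comment saying why it lives in the struct: it backs the string handed to mtx_init() and so has to stay valid for as long as `mtx` does. A one-line comment on the field would keep a later cleanup from moving the buffer back onto the stack, and a named constant in place of the bare 64 would tie the size to the snprintf() call in mmc_sim.c. The field is also inserted between `mtx` and `devq`, which shifts the offsets of the members after it for any code built against the old header.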


