From owner-svn-src-stable-11@freebsd.org Tue Jun 27 12:56:38 2017 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0A75FDA9FC8; Tue, 27 Jun 2017 12:56:38 +0000 (UTC) (envelope-from ken@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C4327651EF; Tue, 27 Jun 2017 12:56:37 +0000 (UTC) (envelope-from ken@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v5RCuaBP002746; Tue, 27 Jun 2017 12:56:36 GMT (envelope-from ken@FreeBSD.org) Received: (from ken@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v5RCuaBj002745; Tue, 27 Jun 2017 12:56:36 GMT (envelope-from ken@FreeBSD.org) Message-Id: <201706271256.v5RCuaBj002745@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ken set sender to ken@FreeBSD.org using -f From: "Kenneth D. Merry" Date: Tue, 27 Jun 2017 12:56:36 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r320405 - stable/11/sys/cam/scsi X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jun 2017 12:56:38 -0000 Author: ken Date: Tue Jun 27 12:56:36 2017 New Revision: 320405 URL: https://svnweb.freebsd.org/changeset/base/320405 Log: MFC r320123: Fix a potential sleep while holding a mutex in the sa(4) driver. If the user issues a MTIOCEXTGET ioctl, and the tape drive in question has a serial number that is longer than 80 characters, we malloc a buffer in saextget() to hold the output of cam_strvis(). Since a mutex is held in that codepath, doing a M_WAITOK malloc could lead to sleeping while holding a mutex. Change it to a M_NOWAIT malloc and bail out if we fail to allocate the memory. Devices with serial numbers longer than 80 bytes are very rare (I don't recall seeing one), so this should be a very unusual case to hit. But it is a bug that should be fixed. sys/cam/scsi/scsi_sa.c: In saextget(), if we need to malloc a buffer to hold the output of cam_strvis(), don't wait for the memory. Fail and return an error if we can't allocate the memory immediately. PR: kern/220094 Submitted by: Jia-Ju Bai Sponsored by: Spectra Logic Approved by: re (gjb) Modified: stable/11/sys/cam/scsi/scsi_sa.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/cam/scsi/scsi_sa.c ============================================================================== --- stable/11/sys/cam/scsi/scsi_sa.c Tue Jun 27 10:50:48 2017 (r320404) +++ stable/11/sys/cam/scsi/scsi_sa.c Tue Jun 27 12:56:36 2017 (r320405) @@ -4465,7 +4465,18 @@ saextget(struct cdev *dev, struct cam_periph *periph, if (cgd.serial_num_len > sizeof(tmpstr)) { ts2_len = cgd.serial_num_len + 1; ts2_malloc = 1; - tmpstr2 = malloc(ts2_len, M_SCSISA, M_WAITOK | M_ZERO); + tmpstr2 = malloc(ts2_len, M_SCSISA, M_NOWAIT | M_ZERO); + /* + * The 80 characters allocated on the stack above + * will handle the vast majority of serial numbers. + * If we run into one that is larger than that, and + * we can't malloc the length without blocking, + * bail out with an out of memory error. + */ + if (tmpstr2 == NULL) { + error = ENOMEM; + goto extget_bailout; + } } else { ts2_len = sizeof(tmpstr); ts2_malloc = 0;