From owner-freebsd-scsi@freebsd.org  Mon Jul  3 18:21:39 2017
Return-Path: <owner-freebsd-scsi@freebsd.org>
Delivered-To: freebsd-scsi@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C76FB9EC9CD
 for <freebsd-scsi@mailman.ysv.freebsd.org>;
 Mon,  3 Jul 2017 18:21:39 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id B57F57ADE3
 for <freebsd-scsi@FreeBSD.org>; Mon,  3 Jul 2017 18:21:39 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v63ILd8l089276
 for <freebsd-scsi@FreeBSD.org>; Mon, 3 Jul 2017 18:21:39 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-scsi@FreeBSD.org
Subject: [Bug 219701] crash in camperiphfree()
Date: Mon, 03 Jul 2017 18:21:39 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: commit-hook@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: ken@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-219701-5312-gmg6X74mCn@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-219701-5312@https.bugs.freebsd.org/bugzilla/>
References: <bug-219701-5312@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-scsi@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SCSI subsystem <freebsd-scsi.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-scsi>,
 <mailto:freebsd-scsi-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-scsi/>
List-Post: <mailto:freebsd-scsi@freebsd.org>
List-Help: <mailto:freebsd-scsi-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-scsi>,
 <mailto:freebsd-scsi-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2017 18:21:39 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D219701

--- Comment #9 from commit-hook@freebsd.org ---
A commit references this bug:

Author: ken
Date: Mon Jul  3 18:20:45 UTC 2017
New revision: 320608
URL: https://svnweb.freebsd.org/changeset/base/320608

Log:
  Merge r320602 from stable/11 into releng/11.1:
    ------------------------------------------------------------------------
    r320602 | ken | 2017-07-03 09:34:21 -0600 (Mon, 03 Jul 2017) | 45 lines

    MFC r320421:

      ---------------------------------------------------------------------=
---
      r320421 | ken | 2017-06-27 13:26:02 -0600 (Tue, 27 Jun 2017) | 37 lin=
es

      Fix a panic in camperiphfree().

      If a peripheral driver (e.g. da, sa, cd) is added or removed from the
      peripheral driver list while an unrelated peripheral driver instance
(e.g.
      da0, sa5, cd2) is going away and is inside camperiphfree(), we could
      dereference an invalid pointer.

      When peripheral drivers are added or removed (see periphdriver_regist=
er()
      and periphdriver_unregister()), the peripheral driver array is resized
      and existing entries are moved.

      Although we hold the topology lock while we traverse the peripheral
driver
      list, we retain a pointer to the location of the peripheral driver
pointer
      and then drop the topology lock.  So we are still vulnerable to the l=
ist
      getting moved around while the lock is dropped.

      To solve the problem, cache a copy of the peripheral driver pointer. =
 If
      its storage location in the list changes while we have the lock dropp=
ed,
it
      won't have any effect.

      This doesn't solve the issue that peripheral drivers ("da", "cd", as
opposed
      to individual instances like "da0", "cd0") are not generally part of a
      reference counting scheme to guard against deregistering them while t=
here
      are instances active.  The caller (generally the person unloading a
module)
      has to be aware of active drivers and not unload something that is in
use.

      sys/cam/cam_periph.c:
        In camperiphfree(), cache a pointer to the peripheral driver
        instance to avoid holding a pointer to an invalid memory location
        in the event that the peripheral driver list changes while we have
        the topology lock dropped.

      PR:               kern/219701
      Submitted by:     avg
      Sponsored by:     Spectra Logic

      ---------------------------------------------------------------------=
---
    ------------------------------------------------------------------------

  Approved by:  re (gjb)

Changes:
_U  releng/11.1/
  releng/11.1/sys/cam/cam_periph.c

--=20
You are receiving this mail because:
You are on the CC list for the bug.=