Date: Mon, 16 Jul 2007 19:17:37 +0200 (CEST)
From: Tijl Coosemans
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/114636: [patch] ioctl on empty scsi/atapicam cdrom drive locks up entire system

>Number:         114636
>Category:       kern
>Synopsis:       [patch] ioctl on empty scsi/atapicam cdrom drive locks up entire system
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 16 17:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Tijl Coosemans
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
	cd0 at ata1 bus 0 target 0 lun 0
	cd0: Removable CD-ROM SCSI-0 device
	cd0: 3.300MB/s transfers
	cd0: Attempt to query device size failed: NOT READY, Medium not present
>Description:
An ioctl call on an empty scsi/atapicam cdrom drive causes the system to
semi-hang when the file descriptor is later closed. Semi meaning the system
is responsive to mouse and keyboard, but (most) processes hang and no new
processes can be started. Pressing ctrl+alt+delete responds by disabling
terminals but doesn't reset the system. A hard reset is needed to recover.
>How-To-Repeat:
The following program opens /dev/cd0 and does CDIOCSTART to spin up the
drive. When the drive is empty the close(2) call causes the entire system
to (semi-)hang.

BE WARNED because a hard reset is required to recover. So don't try if you
don't like fsck.

--- cdrom.c begins here ---
#include <sys/ioctl.h>
#include <sys/cdio.h>

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void) {
	int fd;
	int ret;

	fd = open( "/dev/cd0", O_RDONLY );
	/* CDIOCSTART asks the drive to spin up. */
	ret = ioctl( fd, CDIOCSTART );
	printf( "ret = %d, errno = %d\n", ret, errno );
	/* On an empty drive, this close(2) is where the system hangs. */
	close( fd );
	return 0;
}
--- cdrom.c ends here ---

>Fix:
The problem is caused by a forgotten cam_periph_unhold() when there's no
media in the drive.

--- patch-sys-cam-scsi-scsi_cd.c begins here ---
--- sys/cam/scsi/scsi_cd.c.orig 2007-07-12 15:32:30.000000000 +0200 +++ sys/cam/scsi/scsi_cd.c 2007-07-12 15:39:15.000000000 +0200 @@ -1859,16 +1859,18 @@ && ((cmd != CDIOCCLOSE) && (cmd != CDIOCEJECT)) && (IOCGROUP(cmd) == 'c')) { - error = cdcheckmedia(periph); + if ((error = cdcheckmedia(periph)) != 0) { + cam_periph_unhold(periph); + cam_periph_unlock(periph); + return (error); + } } + /* * Drop the lock here so later mallocs can use WAITOK. The periph * is essentially locked still with the cam_periph_hold call above. */ cam_periph_unlock(periph); - if (error != 0) - return (error); - nocopyout = 0; switch (cmd) {
--- patch-sys-cam-scsi-scsi_cd.c ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
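
Review bot: the removed `if (error != 0) return (error);` after cam_periph_unlock() ran for every command, while the new check only runs inside the cdcheckmedia() branch, so a non-zero error set before this block would no longer cause a return when the branch is skipped; please confirm error is always 0 at that point. The new early return spells out its cleanup inline (cam_periph_unhold() followed by cam_periph_unlock()); if there are other returns after the cam_periph_hold call the comment refers to, a single exit label that releases the hold would keep this from being forgotten again. Style: the hunk also drops the blank line before `nocopyout = 0;` and adds one before the comment block, which looks unintentional.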