Date: Tue, 27 Aug 2019 14:23:54 -0600
From: Scott Long <scottl@samsco.org>
To: Alexander Motin <mav@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r351550 - head/sys/cam/scsi
Message-ID: <99271565-F168-48C8-90E0-749417C7C974@samsco.org>
In-Reply-To: <201908271641.x7RGf6LC075849@repo.freebsd.org>
References: <201908271641.x7RGf6LC075849@repo.freebsd.org>
This is very concerning, and I wonder if it’s the cause of the mystery use-after-free / double-complete that I’ve seen for years and have never been able to catch. Can you say more about how you found it?

Scott

> On Aug 27, 2019, at 10:41 AM, Alexander Motin <mav@FreeBSD.org> wrote:
>
> Author: mav
> Date: Tue Aug 27 16:41:06 2019
> New Revision: 351550
> URL: https://svnweb.freebsd.org/changeset/base/351550
>
> Log:
> Always check cam_periph_error() status for ERESTART.
>
> Even if we do not expect retries, we better be sure, since otherwise it
> may result in use after free kernel panic. I've noticed that it retries
> SCSI_STATUS_BUSY even with SF_NO_RECOVERY | SF_NO_RETRY.
>
> MFC after: 1 week
> Sponsored by: iXsystems, Inc.
>
> Modified:
> head/sys/cam/scsi/scsi_xpt.c
>
> Modified: head/sys/cam/scsi/scsi_xpt.c > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- head/sys/cam/scsi/scsi_xpt.c Tue Aug 27 15:42:08 2019 = (r351549) > +++ head/sys/cam/scsi/scsi_xpt.c Tue Aug 27 16:41:06 2019 = (r351550) > @@ -1684,8 +1684,9 @@ probe_device_check: > case PROBE_TUR_FOR_NEGOTIATION: > case PROBE_DV_EXIT: > if (cam_ccb_status(done_ccb) !=3D CAM_REQ_CMP) { > - cam_periph_error(done_ccb, 0, > - SF_NO_PRINT | SF_NO_RECOVERY | SF_NO_RETRY); > + if (cam_periph_error(done_ccb, 0, SF_NO_PRINT | > + SF_NO_RECOVERY | SF_NO_RETRY) =3D=3D = ERESTART) > + goto outr; > } > if ((done_ccb->ccb_h.status & CAM_DEV_QFRZN) !=3D 0) { > /* Don't wedge the queue */ 
> @@ -1735,8 +1736,9 @@ probe_device_check: > struct ccb_scsiio *csio; >=20 > if (cam_ccb_status(done_ccb) !=3D CAM_REQ_CMP) { > - cam_periph_error(done_ccb, 0, > - SF_NO_PRINT | SF_NO_RECOVERY | SF_NO_RETRY); > + if (cam_periph_error(done_ccb, 0, SF_NO_PRINT | > + SF_NO_RECOVERY | SF_NO_RETRY) =3D=3D = ERESTART) > + goto outr; > } > if ((done_ccb->ccb_h.status & CAM_DEV_QFRZN) !=3D 0) { > /* Don't wedge the queue */ >=20
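Review bot: in the first hunk (@@ -1684, the PROBE_TUR_FOR_NEGOTIATION / PROBE_DV_EXIT cases), the new `goto outr` jumps past the `CAM_DEV_QFRZN` test that follows, so the "Don't wedge the queue" release is skipped whenever cam_periph_error() returns ERESTART. The `outr` label is not visible in this context, so please confirm that skipping the queue release is intended on the retry path, and add a one-line comment at the `goto` stating that ERESTART can come back even with `SF_NO_RECOVERY | SF_NO_RETRY` (the log cites SCSI_STATUS_BUSY) and that `done_ccb` must not be used past that point.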
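Review bot: in the second hunk (@@ -1735, the block that declares `struct ccb_scsiio *csio`), the three-line cam_periph_error() call with its `== ERESTART` test is a verbatim copy of the one added in the earlier case, and the outer `if (cam_ccb_status(done_ccb) != CAM_REQ_CMP)` now wraps nothing but another `if`. Consider joining the two conditions with `&&` and dropping the braces, or moving the check into a small static helper used at both sites, so the two copies cannot drift apart in a later change.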