From tijl@kalimero.kotnet.org  Mon Jul 16 17:48:35 2007
Return-Path: <tijl@kalimero.kotnet.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 1720916A403
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 Jul 2007 17:48:35 +0000 (UTC)
	(envelope-from tijl@kalimero.kotnet.org)
Received: from mailrelay002.isp.belgacom.be (mailrelay002.isp.belgacom.be [195.238.6.175])
	by mx1.freebsd.org (Postfix) with ESMTP id 9B5CF13C467
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 Jul 2007 17:48:34 +0000 (UTC)
	(envelope-from tijl@kalimero.kotnet.org)
Received: from 251.215-244-81.adsl-dyn.isp.belgacom.be (HELO kalimero.kotnet.org) ([81.244.215.251])
  by relay.skynet.be with ESMTP; 16 Jul 2007 19:18:53 +0200
Received: from kalimero.kotnet.org (kalimero.kotnet.org [127.0.0.1])
	by kalimero.kotnet.org (8.14.1/8.14.1) with ESMTP id l6GHHblo001587
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 Jul 2007 19:17:38 +0200 (CEST)
	(envelope-from tijl@kalimero.kotnet.org)
Received: (from tijl@localhost)
	by kalimero.kotnet.org (8.14.1/8.14.1/Submit) id l6GHHbwp001586;
	Mon, 16 Jul 2007 19:17:37 +0200 (CEST)
	(envelope-from tijl)
Message-Id: <200707161717.l6GHHbwp001586@kalimero.kotnet.org>
Date: Mon, 16 Jul 2007 19:17:37 +0200 (CEST)
From: Tijl Coosemans <tijl@ulyssis.org>
Reply-To: Tijl Coosemans <tijl@ulyssis.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] ioctl on empty scsi/atapicam cdrom drive locks up entire system
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         114636
>Category:       kern
>Synopsis:       [cam] [patch] ioctl on empty scsi/atapicam cdrom drive locks up entire system
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kan
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 16 17:50:01 GMT 2007
>Closed-Date:    Sat Jul 21 18:09:59 GMT 2007
>Last-Modified:  Sat Jul 21 18:10:03 GMT 2007
>Originator:     Tijl Coosemans
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
cd0 at ata1 bus 0 target 0 lun 0
cd0: <MATSHITA UJ-831D 1.00> Removable CD-ROM SCSI-0 device
cd0: 3.300MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present

>Description:
An ioctl call on an empty scsi/atapicam cdrom drive causes
the system to semi-hang when the file descriptor is later
closed. Semi meaning the system is responsive to mouse and
keyboard, but (most) processes hang and no new processes can
be started. Pressing ctrl+alt+delete responds by disabling
terminals but doesn't reset the system. A hard reset is
needed to recover.

>How-To-Repeat:
The following program opens /dev/cd0 and does CDIOCSTART
to spin up the drive. When the drive is empty the close(2)
call causes the entire system to (semi-)hang.

BE WARNED because a hard reset is required to recover.
So don't try if you don't like fsck.

--- cdrom.c begins here ---
#include <sys/cdio.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main(void) {
	int fd;
	int ret;

	fd = open( "/dev/cd0", O_RDONLY );
	ret = ioctl( fd, CDIOCSTART );
	printf( "ret = %d, errno = %d\n", ret, errno );

	close( fd );	
	return 0;
}
--- cdrom.c ends here ---

>Fix:
The problem is caused by a forgotten cam_periph_unhold()
when there's no media in the drive.

--- patch-sys-cam-scsi-scsi_cd.c begins here ---
--- sys/cam/scsi/scsi_cd.c.orig	2007-07-12 15:32:30.000000000 +0200
+++ sys/cam/scsi/scsi_cd.c	2007-07-12 15:39:15.000000000 +0200
@@ -1859,16 +1859,18 @@
 	 && ((cmd != CDIOCCLOSE)
 	  && (cmd != CDIOCEJECT))
 	 && (IOCGROUP(cmd) == 'c')) {
-		error = cdcheckmedia(periph);
+		if ((error = cdcheckmedia(periph)) != 0) {
+			cam_periph_unhold(periph);
+			cam_periph_unlock(periph);
+			return (error);
+		}
 	}
+
 	/*
 	 * Drop the lock here so later mallocs can use WAITOK.  The periph
 	 * is essentially locked still with the cam_periph_hold call above.
 	 */
 	cam_periph_unlock(periph);
-	if (error != 0)
-		return (error);
-
 	nocopyout = 0;
 	switch (cmd) {
 
--- patch-sys-cam-scsi-scsi_cd.c ends here ---
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-scsi 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Jul 16 23:35:36 UTC 2007 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=114636 
State-Changed-From-To: open->closed 
State-Changed-By: kan 
State-Changed-When: Sat Jul 21 18:08:32 UTC 2007 
State-Changed-Why:  
Committed, thanks. 


Responsible-Changed-From-To: freebsd-scsi->kan 
Responsible-Changed-By: kan 
Responsible-Changed-When: Sat Jul 21 18:08:32 UTC 2007 
Responsible-Changed-Why:  
Take it as I will be the one committing the fix. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=114636 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/114636: commit references a PR
Date: Sat, 21 Jul 2007 18:07:51 +0000 (UTC)

 kan         2007-07-21 18:07:45 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/cam/scsi         scsi_cd.c 
   Log:
   Do not forget to cam_periph_unhold the peripheral before exiting
   due to error.
   
   PR:             kern/114636
   Submitted by:   Tijl Coosemans
   Approved by:    re (hrs)
   
   Revision  Changes    Path
   1.102     +5 -2      src/sys/cam/scsi/scsi_cd.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
