From nobody@FreeBSD.org  Fri Aug 10 06:21:46 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2E2F216A41B
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 Aug 2007 06:21:46 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 1D78713C442
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 Aug 2007 06:21:46 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.1/8.14.1) with ESMTP id l7A6LjOu078623
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 10 Aug 2007 06:21:45 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.1/8.14.1/Submit) id l7A6Ljps078622;
	Fri, 10 Aug 2007 06:21:45 GMT
	(envelope-from nobody)
Message-Id: <200708100621.l7A6Ljps078622@www.freebsd.org>
Date: Fri, 10 Aug 2007 06:21:45 GMT
From: Arthur Hartwig <arthur.hartwig@nokia.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Device removal leaves resource database such that "devinfo -r" causes panic
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         115371
>Category:       kern
>Synopsis:       [cardbus] [patch] Device removal leaves resource database such that "devinfo -r" causes panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jhb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 10 06:30:02 GMT 2007
>Closed-Date:    Thu Jul 07 18:53:52 UTC 2011
>Last-Modified:  Thu Jul 07 18:53:52 UTC 2011
>Originator:     Arthur Hartwig
>Release:        7.0
>Organization:
Nokia
>Environment:
>Description:
I have been working on a private implementation of a "PCI hotplug" like
device replacement. On device removal and subsequent freeing of resources
the kernel resource database is left in a state such that the shell
command "devinfo -r" or the ddb command??? can cause a panic.

Analysis:
Resources are allocated by calling rman_reserve_resource_bound() in
kern/subr_rman.c which stores a pointer to the "requesting" device in the
r_dev field of the device structure and marks the resource as allocated
by setting RF_ALLOCATED in the r_flags field. When the resource is freed,
int_rman_release_resource() is called which clears the RF_ALLOCATED flag
in the resource structure but does not clear the r_dev field in the
resource structure.

The devinfo -r command causes sysctl_rman() to be called. sysctl_rman()
walks the resource list and assumes any resource with a non-null r_dev
field has a pointer to a valid device structure, but if the device
structure has been freed the device_get_name(res->r_dev) call may
generate a page fault and panic.

There is a similar issue in dump_rman() in the same file.


>How-To-Repeat:
It may be possible to create a panic by removing a cardbus device and
then issuing devinfo -r. Use of the kernel debugging mechanism to fill
free malloc storage with 0xdeadcode is likely to increase the likelihood
of seeing the problem.

>Fix:
Suggested fix: Clear the r_dev field of the resource structure when the
RF_ALLOCATED flag is cleared:

in int_rman_release_resource() change:

		r->r_flags &= ~RF_ALLOCATED;
		return 0;
to
		r->r_flags &= ~RF_ALLOCATED;
		r->r_dev = NULL;
		return 0;
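The lifecycle described in the Analysis above, as an added stand-alone C model (not code from this PR, and not FreeBSD's subr_rman.c): reserve records the owner and sets RF_ALLOCATED, the pre-fix release clears only the flag, the device is then detached, and a walker that trusts any non-NULL owner pointer, as the PR says sysctl_rman() does, ends up holding a reference into freed memory. The struct and function names, the two-entry device table and the "cardbus0"/"pci0" names are constructed for the example, and detach() scribbles the freed device the way a debug malloc fill would. It also goes one step beyond the committed fix: the second walker treats the owner pointer as meaningful only while RF_ALLOCATED is set, which keeps the walk safe even against a release path that forgets to clear r_dev.

```c
/* Added example, not FreeBSD code: a stand-alone model of the stale r_dev
 * problem in the PR. Types and names are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define RF_ALLOCATED 0x0001

struct device {
    int  live;              /* 0 once "detached": models a freed device_t */
    char name[16];
};

struct resource {
    unsigned         flags;
    struct device   *dev;   /* models r_dev: owner recorded when reserved */
    struct resource *next;
};

struct rman { struct resource *head; };

static struct device *attach(struct device *d, const char *name)
{
    d->live = 1;
    strncpy(d->name, name, sizeof(d->name) - 1);
    return d;
}

/* Models detach + free: memory scribbled like a debug malloc fill. */
static void detach(struct device *d)
{
    d->live = 0;
    memset(d->name, 0xde, sizeof(d->name));
}

/* Models rman_reserve_resource_bound(): owner recorded, RF_ALLOCATED set. */
static struct resource *reserve(struct rman *rm, struct resource *r, struct device *dev)
{
    r->flags = RF_ALLOCATED;
    r->dev = dev;
    r->next = rm->head;
    rm->head = r;
    return r;
}

/* Pre-r222750 int_rman_release_resource(): flag cleared, r_dev left behind. */
static void release_buggy(struct resource *r) { r->flags &= ~RF_ALLOCATED; }

/* r222750 behaviour: r_dev cleared together with RF_ALLOCATED. */
static void release_fixed(struct resource *r)
{
    r->flags &= ~RF_ALLOCATED;
    r->dev = NULL;
}

/* The sysctl_rman()/dump_rman() walk as the PR describes it: any non-NULL
 * dev is trusted. Returns how many entries point at an already-detached
 * device; on a real kernel each is a device_get_name() on freed memory. */
static int stale_refs_trusting_dev(const struct rman *rm)
{
    int stale = 0;
    for (const struct resource *r = rm->head; r != NULL; r = r->next)
        if (r->dev != NULL && !r->dev->live)
            stale++;
    return stale;
}

/* Hardened walk: the owner pointer only means something while RF_ALLOCATED
 * is set, so the flag is checked instead of relying on dev being cleared. */
static int stale_refs_checking_flag(const struct rman *rm)
{
    int stale = 0;
    for (const struct resource *r = rm->head; r != NULL; r = r->next)
        if ((r->flags & RF_ALLOCATED) && r->dev != NULL && !r->dev->live)
            stale++;
    return stale;
}

/* The PR's sequence: reserve, release (buggy or fixed), detach, then walk. */
static int scenario(int use_fix, int check_flag)
{
    struct device   devs[2] = {0};      /* constructed stand-ins for device_t */
    struct resource res[2]  = {0};
    struct rman rm = { NULL };
    struct device *cbb  = attach(&devs[0], "cardbus0");
    struct device *keep = attach(&devs[1], "pci0");
    struct resource *r0 = reserve(&rm, &res[0], cbb);
    reserve(&rm, &res[1], keep);        /* owner stays live: never stale */
    if (use_fix) release_fixed(r0); else release_buggy(r0);
    detach(cbb);                        /* device_t freed after its resources */
    return check_flag ? stale_refs_checking_flag(&rm) : stale_refs_trusting_dev(&rm);
}

int main(void)
{
    printf("buggy release, trusting walk:      %d stale\n", scenario(0, 0));
    printf("fixed release, trusting walk:      %d stale\n", scenario(1, 0));
    printf("buggy release, flag-checking walk: %d stale\n", scenario(0, 1));
    return 0;
}
```

scenario(0, 0) returns 1, the one released entry whose owner pointer now refers to scribbled memory (the devinfo -r panic case). scenario(1, 0) returns 0 because the r222750 release nulls the pointer, and scenario(0, 1) returns 0 because the flag-checking walker skips the released entry even when the release forgot to clear it.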



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Aug 10 07:22:24 UTC 2007 
Responsible-Changed-Why:  
Hey Warner, 

This talks about cardbus within the text and I think that you know 
a lot more about that than me, the suggested change looks good to 
me and seems to make sense, but I don't know enough about this to 
properly judge, can you assist please? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=115371 

From: John Baldwin <john@baldwin.cx>
To: bug-followup@freebsd.org,
 arthur.hartwig@nokia.com
Cc:  
Subject: Re: kern/115371: [cardbus] [patch] Device removal leaves resource database such that "devinfo -r" causes panic
Date: Mon, 6 Jun 2011 09:08:49 -0400

 Ah, the suggested fix is correct.
 
 -- 
 John Baldwin
State-Changed-From-To: open->patched 
State-Changed-By: jhb 
State-Changed-When: Mon Jun 6 13:15:29 UTC 2011 
State-Changed-Why:  
Take this, fix committed to HEAD. 


Responsible-Changed-From-To: imp->jhb 
Responsible-Changed-By: jhb 
Responsible-Changed-When: Mon Jun 6 13:15:29 UTC 2011 
Responsible-Changed-Why:  
Take this, fix committed to HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=115371 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/115371: commit references a PR
Date: Mon,  6 Jun 2011 13:13:13 +0000 (UTC)

 Author: jhb
 Date: Mon Jun  6 13:12:56 2011
 New Revision: 222750
 URL: http://svn.freebsd.org/changeset/base/222750
 
 Log:
   Clear the device_t pointer in 'struct resource' when releasing a device
   as otherwise the sysctl to export rman info can dereference a stale
   pointer.
   
   PR:		kern/115371
   Submitted by:	Arthur Hartwig
   MFC after:	1 week
 
 Modified:
   head/sys/kern/subr_rman.c
 
 Modified: head/sys/kern/subr_rman.c
 ==============================================================================
 --- head/sys/kern/subr_rman.c	Mon Jun  6 12:55:19 2011	(r222749)
 +++ head/sys/kern/subr_rman.c	Mon Jun  6 13:12:56 2011	(r222750)
 @@ -839,6 +839,7 @@ int_rman_release_resource(struct rman *r
  		 * without freeing anything.
  		 */
  		r->r_flags &= ~RF_ALLOCATED;
 +		r->r_dev = NULL;
  		return 0;
  	}
  
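Review bot: the log mentions only the sysctl exporter, but the PR description also names dump_rman() in the same file as a second reader that dereferences r_dev without checking RF_ALLOCATED; either confirm that dump_rman() is covered by this same NULL assignment or note it in the log. The placement looks right, since this is the branch the comment describes as marking the resource free "without freeing anything", i.e. the one where the struct resource outlives the release, but a one-line comment above `r->r_dev = NULL;` saying that the device_t may be freed after release would tell the next reader why the pointer must not outlive RF_ALLOCATED.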
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: jhb 
State-Changed-When: Thu Jul 7 18:53:30 UTC 2011 
State-Changed-Why:  
Fix merged to 7 and 8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=115371 
>Unformatted:
