From nobody@FreeBSD.org  Mon Mar 31 10:32:52 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C0EC0106567F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 31 Mar 2008 10:32:52 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id B7F8D8FC2F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 31 Mar 2008 10:32:52 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m2VAWS0S060814
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 31 Mar 2008 10:32:28 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m2VAWSJS060813;
	Mon, 31 Mar 2008 10:32:28 GMT
	(envelope-from nobody)
Message-Id: <200803311032.m2VAWSJS060813@www.freebsd.org>
Date: Mon, 31 Mar 2008 10:32:28 GMT
From: Matt Burke <freebsd-pr@botchitt.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: mdconfig returning negative unit numbers
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         122288
>Category:       kern
>Synopsis:       [md] [patch] mdconfig(8) returning negative unit numbers
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 31 10:40:04 UTC 2008
>Closed-Date:    Fri Mar 18 08:58:51 UTC 2011
>Last-Modified:  Fri Mar 18 08:58:51 UTC 2011
>Originator:     Matt Burke
>Release:        6.3-RELEASE
>Organization:
>Environment:
FreeBSD xxxxxxxxxxx 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Wed Jan 16 01:43:02 UTC 2008     root@palmer.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  amd64

>Description:
mdconfig starts reporting negative unit numbers when 2^31 or greater is requested. 

I have had people verify the problem exists on other architectures and on freebsd 7.0
>How-To-Repeat:
# mdconfig -a -t malloc -s 1 -u 2147483647
# mdconfig -a -t malloc -s 1 -u 2147483648
# mdconfig -a -t malloc -s 1 -u 2147483649
# mdconfig -ln
2147483647 -2147483648 -2147483647
# mdconfig -d -u 2147483647
# mdconfig -d -u 2147483648
# mdconfig -d -u 2147483649
# mdconfig -ln
#

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gavin 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Mon Mar 31 14:33:49 UTC 2008 
Responsible-Changed-Why:  
I'm working on this 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 

From: Gavin Atkinson <gavin@FreeBSD.org>
To: Matt Burke <freebsd-pr@botchitt.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/122288: [md] mdconfig returning negative unit numbers
Date: Mon, 31 Mar 2008 16:44:34 +0100

 --=-tl5Ynm6btHIUeTsiKIqx
 Content-Type: text/plain
 Content-Transfer-Encoding: 7bit
 
 Hi,
 
 Could you please test the attached patch?  You'll have to rebuild both
 world and kernel, as both are touched.  The mdconfig(8) command is
 already almost correct with respect to unit numbers above 2147483647,
 the main problems lie within the kernel driver.
 
 Mote that the patch is against 7.0-RELEASE, but I think it should apply
 cleanly against 6.3.
 
 Thanks,
 
 Gavin
 
 --=-tl5Ynm6btHIUeTsiKIqx
 Content-Disposition: attachment; filename=md-unsigned.diff
 Content-Type: text/x-patch; name=md-unsigned.diff; charset=us-ascii
 Content-Transfer-Encoding: base64
 
 SW5kZXg6IHNyYy9zYmluL21kY29uZmlnL21kY29uZmlnLmMNCj09PT09PT09PT09PT09PT09PT09
 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NClJDUyBmaWxl
 OiAvaG9tZS9uY3ZzL3NyYy9zYmluL21kY29uZmlnL21kY29uZmlnLmMsdg0KcmV0cmlldmluZyBy
 ZXZpc2lvbiAxLjU0LjIuMQ0KZGlmZiAtdSAtcjEuNTQuMi4xIG1kY29uZmlnLmMNCi0tLSBzcmMv
 c2Jpbi9tZGNvbmZpZy9tZGNvbmZpZy5jCTYgRGVjIDIwMDcgMTE6NTQ6MzYgLTAwMDAJMS41NC4y
 LjENCisrKyBzcmMvc2Jpbi9tZGNvbmZpZy9tZGNvbmZpZy5jCTMxIE1hciAyMDA4IDE1OjM0OjI5
 IC0wMDAwDQpAQCAtMjkzLDcgKzI5Myw3IEBADQogCQlpZiAoaSA8IDApDQogCQkJZXJyKDEsICJp
 b2N0bCgvZGV2LyVzKSIsIE1EQ1RMX05BTUUpOw0KIAkJaWYgKG1kaW8ubWRfb3B0aW9ucyAmIE1E
 X0FVVE9VTklUKQ0KLQkJCXByaW50ZigiJXMlZFxuIiwgbmZsYWcgPyAiIiA6IE1EX05BTUUsIG1k
 aW8ubWRfdW5pdCk7DQorCQkJcHJpbnRmKCIlcyV1XG4iLCBuZmxhZyA/ICIiIDogTURfTkFNRSwg
 bWRpby5tZF91bml0KTsNCiAJfSBlbHNlIGlmIChhY3Rpb24gPT0gREVUQUNIKSB7DQogCQlpZiAo
 bWRpby5tZF9vcHRpb25zICYgTURfQVVUT1VOSVQpDQogCQkJdXNhZ2UoKTsNCkluZGV4OiBzcmMv
 c3lzL2Rldi9tZC9tZC5jDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09
 PT09PT09PT09PT09PT09PT09PT09PT09PT09DQpSQ1MgZmlsZTogL2hvbWUvbmN2cy9zcmMvc3lz
 L2Rldi9tZC9tZC5jLHYNCnJldHJpZXZpbmcgcmV2aXNpb24gMS4xNjkNCmRpZmYgLXUgLXIxLjE2
 OSBtZC5jDQotLS0gc3JjL3N5cy9kZXYvbWQvbWQuYwk1IEp1biAyMDA3IDAwOjAwOjUxIC0wMDAw
 CTEuMTY5DQorKysgc3JjL3N5cy9kZXYvbWQvbWQuYwkzMSBNYXIgMjAwOCAxNTozNDoyOSAtMDAw
 MA0KQEAgLTEyNSw3ICsxMjUsNyBAQA0KIHN0YXRpYyB2b2lkIGdfbWRfZHVtcGNvbmYoc3RydWN0
 IHNidWYgKnNiLCBjb25zdCBjaGFyICppbmRlbnQsIHN0cnVjdCBnX2dlb20gKmdwLCANCiAgICAg
 c3RydWN0IGdfY29uc3VtZXIgKmNwIF9fdW51c2VkLCBzdHJ1Y3QgZ19wcm92aWRlciAqcHApOw0K
 IA0KLXN0YXRpYyBpbnQJbWR1bml0czsNCitzdGF0aWMgdV9pbnQJbWR1bml0czsNCiBzdGF0aWMg
 c3RydWN0IGNkZXYgKnN0YXR1c19kZXYgPSAwOw0KIHN0YXRpYyBzdHJ1Y3Qgc3ggbWRfc3g7DQog
 DQpAQCAtMTY0LDcgKzE2NCw3IEBADQogfTsNCiANCiBzdHJ1Y3QgbWRfcyB7DQotCWludCB1bml0
 Ow0KKwl1X2ludCB1bml0Ow0KIAlMSVNUX0VOVFJZKG1kX3MpIGxpc3Q7DQogCXN0cnVjdCBiaW9f
 cXVldWVfaGVhZCBiaW9fcXVldWU7DQogCXN0cnVjdCBtdHggcXVldWVfbXR4Ow0KQEAgLTczMCw3
 ICs3MzAsNyBAQA0KIH0NCiANCiBzdGF0aWMgc3RydWN0IG1kX3MgKg0KLW1kZmluZChpbnQgdW5p
 dCkNCittZGZpbmQodV9pbnQgdW5pdCkNCiB7DQogCXN0cnVjdCBtZF9zICpzYzsNCiANCkBAIC03
 NDIsNyArNzQyLDcgQEANCiB9DQogDQogc3RhdGljIHN0cnVjdCBtZF9zICoNCi1tZG5ldyhpbnQg
 dW5pdCwgaW50ICplcnJwLCBlbnVtIG1kX3R5cGVzIHR5cGUpDQorbWRuZXcodV9pbnQgdW5pdCwg
 aW50ICplcnJwLCBlbnVtIG1kX3R5cGVzIHR5cGUsIGludCBhdXRvdW5pdCkNCiB7DQogCXN0cnVj
 dCBtZF9zICpzYywgKnNjMjsNCiAJaW50IGVycm9yLCBtYXggPSAtMTsNCkBAIC03NTMsMTcgKzc1
 MywxNyBAQA0KIAkJCSplcnJwID0gRUJVU1k7DQogCQkJcmV0dXJuIChOVUxMKTsNCiAJCX0NCi0J
 CWlmICh1bml0ID09IC0xICYmIHNjMi0+dW5pdCA+IG1heCkgDQorCQlpZiAoYXV0b3VuaXQgPT0g
 MSAmJiBzYzItPnVuaXQgPiBtYXgpIA0KIAkJCW1heCA9IHNjMi0+dW5pdDsNCiAJfQ0KLQlpZiAo
 dW5pdCA9PSAtMSkNCisJaWYgKGF1dG91bml0ID09IDEpDQogCQl1bml0ID0gbWF4ICsgMTsNCiAJ
 c2MgPSAoc3RydWN0IG1kX3MgKiltYWxsb2Moc2l6ZW9mICpzYywgTV9NRCwgTV9XQUlUT0sgfCBN
 X1pFUk8pOw0KIAlzYy0+dHlwZSA9IHR5cGU7DQogCWJpb3FfaW5pdCgmc2MtPmJpb19xdWV1ZSk7
 DQogCW10eF9pbml0KCZzYy0+cXVldWVfbXR4LCAibWQgYmlvIHF1ZXVlIiwgTlVMTCwgTVRYX0RF
 Rik7DQogCXNjLT51bml0ID0gdW5pdDsNCi0Jc3ByaW50ZihzYy0+bmFtZSwgIm1kJWQiLCB1bml0
 KTsNCisJc3ByaW50ZihzYy0+bmFtZSwgIm1kJXUiLCB1bml0KTsNCiAJTElTVF9JTlNFUlRfSEVB
 RCgmbWRfc29mdGNfbGlzdCwgc2MsIGxpc3QpOw0KIAllcnJvciA9IGt0aHJlYWRfY3JlYXRlKG1k
 X2t0aHJlYWQsIHNjLCAmc2MtPnByb2NwLCAwLCAwLCIlcyIsIHNjLT5uYW1lKTsNCiAJaWYgKGVy
 cm9yID09IDApDQpAQCAtNzgzLDkgKzc4Myw5IEBADQogCXN0cnVjdCBnX3Byb3ZpZGVyICpwcDsN
 CiANCiAJZ190b3BvbG9neV9sb2NrKCk7DQotCWdwID0gZ19uZXdfZ2VvbWYoJmdfbWRfY2xhc3Ms
 ICJtZCVkIiwgc2MtPnVuaXQpOw0KKwlncCA9IGdfbmV3X2dlb21mKCZnX21kX2NsYXNzLCAibWQl
 dSIsIHNjLT51bml0KTsNCiAJZ3AtPnNvZnRjID0gc2M7DQotCXBwID0gZ19uZXdfcHJvdmlkZXJm
 KGdwLCAibWQlZCIsIHNjLT51bml0KTsNCisJcHAgPSBnX25ld19wcm92aWRlcmYoZ3AsICJtZCV1
 Iiwgc2MtPnVuaXQpOw0KIAlwcC0+bWVkaWFzaXplID0gc2MtPm1lZGlhc2l6ZTsNCiAJcHAtPnNl
 Y3RvcnNpemUgPSBzYy0+c2VjdG9yc2l6ZTsNCiAJc2MtPmdwID0gZ3A7DQpAQCAtMTA3Myw5ICsx
 MDczLDkgQEANCiAJCQlyZXR1cm4gKEVJTlZBTCk7DQogCQl9DQogCQlpZiAobWRpby0+bWRfb3B0
 aW9ucyAmIE1EX0FVVE9VTklUKQ0KLQkJCXNjID0gbWRuZXcoLTEsICZlcnJvciwgbWRpby0+bWRf
 dHlwZSk7DQorCQkJc2MgPSBtZG5ldygwLCAmZXJyb3IsIG1kaW8tPm1kX3R5cGUsIDEpOw0KIAkJ
 ZWxzZQ0KLQkJCXNjID0gbWRuZXcobWRpby0+bWRfdW5pdCwgJmVycm9yLCBtZGlvLT5tZF90eXBl
 KTsNCisJCQlzYyA9IG1kbmV3KG1kaW8tPm1kX3VuaXQsICZlcnJvciwgbWRpby0+bWRfdHlwZSwg
 MCk7DQogCQlpZiAoc2MgPT0gTlVMTCkNCiAJCQlyZXR1cm4gKGVycm9yKTsNCiAJCWlmIChtZGlv
 LT5tZF9vcHRpb25zICYgTURfQVVUT1VOSVQpDQpAQCAtMTE2OSw3ICsxMTY5LDcgQEANCiAJc3Ry
 dWN0IG1kX3MgKnNjOw0KIAlpbnQgZXJyb3I7DQogDQotCXNjID0gbWRuZXcoLTEsICZlcnJvciwg
 TURfUFJFTE9BRCk7DQorCXNjID0gbWRuZXcoMCwgJmVycm9yLCBNRF9QUkVMT0FELCAxKTsNCiAJ
 aWYgKHNjID09IE5VTEwpDQogCQlyZXR1cm47DQogCXNjLT5tZWRpYXNpemUgPSBsZW5ndGg7DQpA
 QCAtMTIxNSw3ICsxMjE1LDcgQEANCiAJCXB0ciA9ICoodV9jaGFyICoqKWM7DQogCQljID0gcHJl
 bG9hZF9zZWFyY2hfaW5mbyhtb2QsIE1PRElORk9fU0laRSk7DQogCQlsZW4gPSAqKHNpemVfdCAq
 KWM7DQotCQlwcmludGYoIiVzJWQ6IFByZWxvYWRlZCBpbWFnZSA8JXM+ICVkIGJ5dGVzIGF0ICVw
 XG4iLA0KKwkJcHJpbnRmKCIlcyV1OiBQcmVsb2FkZWQgaW1hZ2UgPCVzPiAlZCBieXRlcyBhdCAl
 cFxuIiwNCiAJCSAgICBNRF9OQU1FLCBtZHVuaXRzLCBuYW1lLCBsZW4sIHB0cik7DQogCQlzeF94
 bG9jaygmbWRfc3gpOw0KIAkJbWRfcHJlbG9hZGVkKHB0ciwgbGVuKTsNCkBAIC0xMjU3LDcgKzEy
 NTcsNyBAQA0KIA0KIAlpZiAocHAgIT0gTlVMTCkgew0KIAkJaWYgKGluZGVudCA9PSBOVUxMKSB7
 DQotCQkJc2J1Zl9wcmludGYoc2IsICIgdSAlZCIsIG1wLT51bml0KTsNCisJCQlzYnVmX3ByaW50
 ZihzYiwgIiB1ICV1IiwgbXAtPnVuaXQpOw0KIAkJCXNidWZfcHJpbnRmKHNiLCAiIHMgJWp1Iiwg
 KHVpbnRtYXhfdCkgbXAtPnNlY3RvcnNpemUpOw0KIAkJCXNidWZfcHJpbnRmKHNiLCAiIGYgJWp1
 IiwgKHVpbnRtYXhfdCkgbXAtPmZ3aGVhZHMpOw0KIAkJCXNidWZfcHJpbnRmKHNiLCAiIGZzICVq
 dSIsICh1aW50bWF4X3QpIG1wLT5md3NlY3RvcnMpOw0KQEAgLTEyNjYsNyArMTI2Niw3IEBADQog
 CQkJaWYgKG1wLT50eXBlID09IE1EX1ZOT0RFICYmIG1wLT52bm9kZSAhPSBOVUxMKQ0KIAkJCQlz
 YnVmX3ByaW50ZihzYiwgIiBmaWxlICVzIiwgbXAtPmZpbGUpOw0KIAkJfSBlbHNlIHsNCi0JCQlz
 YnVmX3ByaW50ZihzYiwgIiVzPHVuaXQ+JWQ8L3VuaXQ+XG4iLCBpbmRlbnQsDQorCQkJc2J1Zl9w
 cmludGYoc2IsICIlczx1bml0PiV1PC91bml0PlxuIiwgaW5kZW50LA0KIAkJCSAgICBtcC0+dW5p
 dCk7DQogCQkJc2J1Zl9wcmludGYoc2IsICIlczxzZWN0b3JzaXplPiVqdTwvc2VjdG9yc2l6ZT5c
 biIsDQogCQkJICAgIGluZGVudCwgKHVpbnRtYXhfdCkgbXAtPnNlY3RvcnNpemUpOw0K
 
 
 --=-tl5Ynm6btHIUeTsiKIqx--
State-Changed-From-To: open->feedback 
State-Changed-By: gavin 
State-Changed-When: Mon Mar 31 15:55:00 UTC 2008 
State-Changed-Why:  
Have asked for feedback 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 

From: Jaakko Heinonen <jh@saunalahti.fi>
To: gavin@FreeBSD.org
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/122288: [md] mdconfig(8) returning negative unit numbers
Date: Tue, 1 Apr 2008 09:55:36 +0300

 Hi Gavin,
 
 > The mdconfig(8) command is already almost correct with respect to unit
 > numbers above 2147483647, the main problems lie within the kernel
 > driver.
 
 I didn't test your patch but I think you missed few places in md.c.
 (line numbers from revision 1.173)
 
 mdnew():
 - max at line 754
 - what happens if the calculation unit = max + 1 overflows (line 766)?
 
 mdinit():
 - devstat_new_entry() takes the unit number as int (line 801)
 
 -- 
 Jaakko
State-Changed-From-To: feedback->open 
State-Changed-By: gavin 
State-Changed-When: Sun Jun 1 19:29:31 UTC 2008 
State-Changed-Why:  
I'll provide a better patch in a couple of days. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 
State-Changed-From-To: open->feedback 
State-Changed-By: gavin 
State-Changed-When: Fri Jul 4 09:04:25 UTC 2008 
State-Changed-Why:  
To submitter: could you please try the following patch?  It fixes 
things for me.  It should apply cleanly to 7.0-RELEASE and -STABLE. 

Index: src/sys/dev/md/md.c 
=================================================================== 
RCS file: /home/ncvs/src/sys/dev/md/md.c,v 
retrieving revision 1.174 
diff -u -r1.174 md.c 
--- src/sys/dev/md/md.c	28 Feb 2008 18:31:54 -0000	1.174 
+++ src/sys/dev/md/md.c	4 Jul 2008 09:03:30 -0000 
@@ -64,6 +64,7 @@ 
#include <sys/fcntl.h> 
#include <sys/kernel.h> 
#include <sys/kthread.h> 
+#include <sys/limits.h> 
#include <sys/linker.h> 
#include <sys/lock.h> 
#include <sys/malloc.h> 
@@ -762,8 +763,13 @@ 
if (unit == -1 && sc2->unit > max)  
max = sc2->unit; 
} 
-	if (unit == -1) 
+	if (unit == -1) { 
+		if (max >= INT_MAX) { 
+			*errp = EINVAL; 
+			return (NULL); 
+		} 
unit = max + 1; 
+	} 
sc = (struct md_s *)malloc(sizeof *sc, M_MD, M_WAITOK | M_ZERO); 
sc->type = type; 
bioq_init(&sc->bio_queue); 
@@ -1065,6 +1071,8 @@ 
mdio = (struct md_ioctl *)addr; 
if (mdio->md_version != MDIOVERSION) 
return (EINVAL); 
+	if (mdio->md_unit > INT_MAX) 
+		return (EINVAL); 

/* 
* We assert the version number in the individual ioctl 


Thanks! 

Gavin 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 
State-Changed-From-To: feedback->open 
State-Changed-By: gavin 
State-Changed-When: Tue Sep 16 10:08:51 UTC 2008 
State-Changed-Why:  
Feedback received from third party, patch works 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 

From: Gavin Atkinson <gavin@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122288: [md] [patch] mdconfig(8) returning negative unit
	numbers
Date: Tue, 16 Sep 2008 11:08:25 +0100

 --=-Mkl4bQN8hV858bDR7YNp
 Content-Type: text/plain
 Content-Transfer-Encoding: 7bit
 
 A private report from Florian Smeets <flo at kasimir dot com> reoprts
 that this patch appears to work for him (HEAD/sparc64).  I've reattached
 it for convenience as the previous patch has whitespace screwed up.
 
 --=-Mkl4bQN8hV858bDR7YNp
 Content-Disposition: attachment; filename=122288.diff
 Content-Type: text/x-patch; name=122288.diff; charset=ASCII
 Content-Transfer-Encoding: base64
 
 SW5kZXg6IHNyYy9zeXMvZGV2L21kL21kLmMNCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09
 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NClJDUyBmaWxlOiAvaG9tZS9u
 Y3ZzL3NyYy9zeXMvZGV2L21kL21kLmMsdg0KcmV0cmlldmluZyByZXZpc2lvbiAxLjE3NA0KZGlm
 ZiAtdSAtcjEuMTc0IG1kLmMNCi0tLSBzcmMvc3lzL2Rldi9tZC9tZC5jCTI4IEZlYiAyMDA4IDE4
 OjMxOjU0IC0wMDAwCTEuMTc0DQorKysgc3JjL3N5cy9kZXYvbWQvbWQuYwk0IEp1bCAyMDA4IDA5
 OjAzOjMwIC0wMDAwDQpAQCAtNjQsNiArNjQsNyBAQA0KICNpbmNsdWRlIDxzeXMvZmNudGwuaD4N
 CiAjaW5jbHVkZSA8c3lzL2tlcm5lbC5oPg0KICNpbmNsdWRlIDxzeXMva3RocmVhZC5oPg0KKyNp
 bmNsdWRlIDxzeXMvbGltaXRzLmg+DQogI2luY2x1ZGUgPHN5cy9saW5rZXIuaD4NCiAjaW5jbHVk
 ZSA8c3lzL2xvY2suaD4NCiAjaW5jbHVkZSA8c3lzL21hbGxvYy5oPg0KQEAgLTc2Miw4ICs3NjMs
 MTMgQEANCiAJCWlmICh1bml0ID09IC0xICYmIHNjMi0+dW5pdCA+IG1heCkgDQogCQkJbWF4ID0g
 c2MyLT51bml0Ow0KIAl9DQotCWlmICh1bml0ID09IC0xKQ0KKwlpZiAodW5pdCA9PSAtMSkgew0K
 KwkJaWYgKG1heCA+PSBJTlRfTUFYKSB7DQorCQkJKmVycnAgPSBFSU5WQUw7DQorCQkJcmV0dXJu
 IChOVUxMKTsNCisJCX0NCiAJCXVuaXQgPSBtYXggKyAxOw0KKwl9DQogCXNjID0gKHN0cnVjdCBt
 ZF9zICopbWFsbG9jKHNpemVvZiAqc2MsIE1fTUQsIE1fV0FJVE9LIHwgTV9aRVJPKTsNCiAJc2Mt
 PnR5cGUgPSB0eXBlOw0KIAliaW9xX2luaXQoJnNjLT5iaW9fcXVldWUpOw0KQEAgLTEwNjUsNiAr
 MTA3MSw4IEBADQogCW1kaW8gPSAoc3RydWN0IG1kX2lvY3RsICopYWRkcjsNCiAJaWYgKG1kaW8t
 Pm1kX3ZlcnNpb24gIT0gTURJT1ZFUlNJT04pDQogCQlyZXR1cm4gKEVJTlZBTCk7DQorCWlmICht
 ZGlvLT5tZF91bml0ID4gSU5UX01BWCkNCisJCXJldHVybiAoRUlOVkFMKTsNCiANCiAJLyoNCiAJ
 ICogV2UgYXNzZXJ0IHRoZSB2ZXJzaW9uIG51bWJlciBpbiB0aGUgaW5kaXZpZHVhbCBpb2N0bA0K
 
 
 
 --=-Mkl4bQN8hV858bDR7YNp--

From: Brooks Davis <brooks@FreeBSD.org>
To: bug-followup@FreeBSD.org, freebsd-pr@botchitt.com
Cc:  
Subject: kern/122288: [md] [patch] mdconfig(8) returning negative unit
	numbers
Date: Fri, 17 Oct 2008 10:02:39 -0500

 --17pEHd4RhPHOinZp
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 I looked over the patch and while it addresses the issue at hand I found
 that the unit allocator has other issues.  For instance, allocating two
 mds, and then repeatidly removing the oldest one and adding a new one
 will run the system out of units because max will never decrease.
 
 The ideal solution is probably to switch to using the alloc_unr(9)
 framework which will restrict units to the appropriate range and avoid
 unbounded unit growth.
 
 -- Brooks
 
 --17pEHd4RhPHOinZp
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.8 (FreeBSD)
 
 iD8DBQFI+KkOXY6L6fI4GtQRAq+IAJ419ZGZfnXvWT39obmKngvkC2oP3gCg2u5/
 sw3nZ77rv44LyTgFM/eMl2E=
 =+d7Q
 -----END PGP SIGNATURE-----
 
 --17pEHd4RhPHOinZp--
Responsible-Changed-From-To: gavin->freebsd-bugs 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Fri Jan 16 12:17:23 UTC 2009 
Responsible-Changed-Why:  
Back into the pool now there's a working patch. 
FWIW, I don't think the alloc_unr(9) API is suitable for this 
at the moment, as that provides no way to allocate specific unit 
numbers (which md(4) needs) and there doesn't appear to be an easy 
way to extend it to provide that. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 
Responsible-Changed-From-To: freebsd-bugs->jh 
Responsible-Changed-By: jh 
Responsible-Changed-When: Thu Jun 17 15:24:54 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122288: commit references a PR
Date: Thu, 22 Jul 2010 10:24:37 +0000 (UTC)

 Author: jh
 Date: Thu Jul 22 10:24:28 2010
 New Revision: 210371
 URL: http://svn.freebsd.org/changeset/base/210371
 
 Log:
   Convert md(4) to use alloc_unr(9) and alloc_unr_specific(9) for unit
   number allocation. The old approach had some problems such as it allowed
   an overflow to occur in the unit number calculation.
   
   PR:		kern/122288
 
 Modified:
   head/sys/dev/md/md.c
 
 Modified: head/sys/dev/md/md.c
 ==============================================================================
 --- head/sys/dev/md/md.c	Thu Jul 22 09:14:18 2010	(r210370)
 +++ head/sys/dev/md/md.c	Thu Jul 22 10:24:28 2010	(r210371)
 @@ -130,6 +130,7 @@ static void g_md_dumpconf(struct sbuf *s
  static int	mdunits;
  static struct cdev *status_dev = 0;
  static struct sx md_sx;
 +static struct unrhdr *md_uh;
  
  static d_ioctl_t mdctlioctl;
  
 @@ -748,20 +749,20 @@ mdfind(int unit)
  static struct md_s *
  mdnew(int unit, int *errp, enum md_types type)
  {
 -	struct md_s *sc, *sc2;
 -	int error, max = -1;
 +	struct md_s *sc;
 +	int error;
  
  	*errp = 0;
 -	LIST_FOREACH(sc2, &md_softc_list, list) {
 -		if (unit == sc2->unit) {
 -			*errp = EBUSY;
 -			return (NULL);
 -		}
 -		if (unit == -1 && sc2->unit > max) 
 -			max = sc2->unit;
 -	}
  	if (unit == -1)
 -		unit = max + 1;
 +		unit = alloc_unr(md_uh);
 +	else
 +		unit = alloc_unr_specific(md_uh, unit);
 +
 +	if (unit == -1) {
 +		*errp = EBUSY;
 +		return (NULL);
 +	}
 +
  	sc = (struct md_s *)malloc(sizeof *sc, M_MD, M_WAITOK | M_ZERO);
  	sc->type = type;
  	bioq_init(&sc->bio_queue);
 @@ -774,6 +775,7 @@ mdnew(int unit, int *errp, enum md_types
  		return (sc);
  	LIST_REMOVE(sc, list);
  	mtx_destroy(&sc->queue_mtx);
 +	free_unr(md_uh, sc->unit);
  	free(sc, M_MD);
  	*errp = error;
  	return (NULL);
 @@ -1012,6 +1014,7 @@ mddestroy(struct md_s *sc, struct thread
  		uma_zdestroy(sc->uma);
  
  	LIST_REMOVE(sc, list);
 +	free_unr(md_uh, sc->unit);
  	free(sc, M_MD);
  	return (0);
  }
 @@ -1097,8 +1100,11 @@ xmdctlioctl(struct cdev *dev, u_long cmd
  		}
  		if (mdio->md_options & MD_AUTOUNIT)
  			sc = mdnew(-1, &error, mdio->md_type);
 -		else
 +		else {
 +			if (mdio->md_unit > INT_MAX)
 +				return (EINVAL);
  			sc = mdnew(mdio->md_unit, &error, mdio->md_type);
 +		}
  		if (sc == NULL)
  			return (error);
  		if (mdio->md_options & MD_AUTOUNIT)
 @@ -1226,6 +1232,7 @@ g_md_init(struct g_class *mp __unused)
  	mod = NULL;
  	sx_init(&md_sx, "MD config lock");
  	g_topology_unlock();
 +	md_uh = new_unrhdr(0, INT_MAX, NULL);
  #ifdef MD_ROOT_SIZE
  	sx_xlock(&md_sx);
  	md_preloaded(mfs_root.start, sizeof(mfs_root.start));
 @@ -1322,4 +1329,5 @@ g_md_fini(struct g_class *mp __unused)
  	sx_destroy(&md_sx);
  	if (status_dev != NULL)
  		destroy_dev(status_dev);
 +	delete_unrhdr(md_uh);
  }
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: jh 
State-Changed-When: Thu Jul 22 10:53:31 UTC 2010 
State-Changed-Why:  
Patched in head (r210371). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122288: commit references a PR
Date: Fri, 18 Mar 2011 08:48:21 +0000 (UTC)

 Author: jh
 Date: Fri Mar 18 08:48:06 2011
 New Revision: 219728
 URL: http://svn.freebsd.org/changeset/base/219728
 
 Log:
   MFC r210371:
   
   Convert md(4) to use alloc_unr(9) and alloc_unr_specific(9) for unit
   number allocation. The old approach had some problems such as it allowed
   an overflow to occur in the unit number calculation.
   
   PR:		kern/122288
 
 Modified:
   stable/8/sys/dev/md/md.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/dev/md/md.c
 ==============================================================================
 --- stable/8/sys/dev/md/md.c	Fri Mar 18 06:47:23 2011	(r219727)
 +++ stable/8/sys/dev/md/md.c	Fri Mar 18 08:48:06 2011	(r219728)
 @@ -132,6 +132,7 @@ static void g_md_dumpconf(struct sbuf *s
  static int	mdunits;
  static struct cdev *status_dev = 0;
  static struct sx md_sx;
 +static struct unrhdr *md_uh;
  
  static d_ioctl_t mdctlioctl;
  
 @@ -757,20 +758,20 @@ mdfind(int unit)
  static struct md_s *
  mdnew(int unit, int *errp, enum md_types type)
  {
 -	struct md_s *sc, *sc2;
 -	int error, max = -1;
 +	struct md_s *sc;
 +	int error;
  
  	*errp = 0;
 -	LIST_FOREACH(sc2, &md_softc_list, list) {
 -		if (unit == sc2->unit) {
 -			*errp = EBUSY;
 -			return (NULL);
 -		}
 -		if (unit == -1 && sc2->unit > max) 
 -			max = sc2->unit;
 -	}
  	if (unit == -1)
 -		unit = max + 1;
 +		unit = alloc_unr(md_uh);
 +	else
 +		unit = alloc_unr_specific(md_uh, unit);
 +
 +	if (unit == -1) {
 +		*errp = EBUSY;
 +		return (NULL);
 +	}
 +
  	sc = (struct md_s *)malloc(sizeof *sc, M_MD, M_WAITOK | M_ZERO);
  	sc->type = type;
  	bioq_init(&sc->bio_queue);
 @@ -783,6 +784,7 @@ mdnew(int unit, int *errp, enum md_types
  		return (sc);
  	LIST_REMOVE(sc, list);
  	mtx_destroy(&sc->queue_mtx);
 +	free_unr(md_uh, sc->unit);
  	free(sc, M_MD);
  	*errp = error;
  	return (NULL);
 @@ -1022,6 +1024,7 @@ mddestroy(struct md_s *sc, struct thread
  		uma_zdestroy(sc->uma);
  
  	LIST_REMOVE(sc, list);
 +	free_unr(md_uh, sc->unit);
  	free(sc, M_MD);
  	return (0);
  }
 @@ -1107,8 +1110,11 @@ xmdctlioctl(struct cdev *dev, u_long cmd
  		}
  		if (mdio->md_options & MD_AUTOUNIT)
  			sc = mdnew(-1, &error, mdio->md_type);
 -		else
 +		else {
 +			if (mdio->md_unit > INT_MAX)
 +				return (EINVAL);
  			sc = mdnew(mdio->md_unit, &error, mdio->md_type);
 +		}
  		if (sc == NULL)
  			return (error);
  		if (mdio->md_options & MD_AUTOUNIT)
 @@ -1236,6 +1242,7 @@ g_md_init(struct g_class *mp __unused)
  	mod = NULL;
  	sx_init(&md_sx, "MD config lock");
  	g_topology_unlock();
 +	md_uh = new_unrhdr(0, INT_MAX, NULL);
  #ifdef MD_ROOT_SIZE
  	sx_xlock(&md_sx);
  	md_preloaded(mfs_root.start, sizeof(mfs_root.start));
 @@ -1332,4 +1339,5 @@ g_md_fini(struct g_class *mp __unused)
  	sx_destroy(&md_sx);
  	if (status_dev != NULL)
  		destroy_dev(status_dev);
 +	delete_unrhdr(md_uh);
  }
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: jh 
State-Changed-When: Fri Mar 18 08:58:50 UTC 2011 
State-Changed-Why:  
Fixed in head and stable/8. No MFC to stable/7 is planned. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122288 
>Unformatted:
