From Tor.Egge@idt.ntnu.no  Wed Mar  5 19:49:47 1997
Received: from pat.idt.unit.no (0@pat.idt.unit.no [129.241.103.5])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA08160
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 5 Mar 1997 19:49:39 -0800 (PST)
Received: from ikke.idt.unit.no (tegge@ikke.idt.unit.no [129.241.111.65])
	by pat.idt.unit.no (8.8.5/8.8.5) with ESMTP id EAA19990
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 6 Mar 1997 04:49:23 +0100 (MET)
Received: (from tegge@localhost) by ikke.idt.unit.no (8.8.5/8.8.3) id EAA00846; Thu, 6 Mar 1997 04:49:17 +0100 (MET)
Message-Id: <199703060349.EAA00846@ikke.idt.unit.no>
Date: Thu, 6 Mar 1997 04:49:17 +0100 (MET)
From: Tor Egge <Tor.Egge@idt.ntnu.no>
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: cdstart are sometimes called at too low spl level
X-Send-Pr-Version: 3.2

>Number:         2891
>Category:       kern
>Synopsis:       cdstart are sometimes called at too low spl level
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar  5 19:50:01 PST 1997
>Closed-Date:    Sun Mar 23 17:37:57 PST 1997
>Last-Modified:  Sun Mar 23 17:46:51 PST 1997
>Originator:     Tor Egge
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Environment:

FreeBSD ikke.idt.unit.no 3.0-CURRENT FreeBSD 3.0-CURRENT #3: Thu Mar  6 02:18:52 MET 1997     root@ikke.idt.unit.no:/usr/src/sys/compile/TEGGE  i386

>Description:

scsi_scsi_cmd calls free_xs without first calling splbio().
free_xs then proceeds to call start routines such as cdstart.

Many routines that call scsi_scsi_cmd do not call splbio() before calling
scsi_scsi_cmd.

By performing the ioctl function CDIOREADTOCHEADER, the call stack at
one point is

	cdioctl
	scsi_ioctl
	cd_ioctl
	cd_read_toc
	scsi_scsi_cmd
	free_xs
	cdstart

at too low an spl level.

>How-To-Repeat:

Perform an ioctl function that calls scsi_scsi_cmd without first calling
splbio(), e.g. CDIOREADTOCHEADER.

>Fix:

This patch encloses the call to free_xs from scsi_scsi_cmd inside
a splbio()/splx() pair.

Index: scsi_base.c
===================================================================
RCS file: /home/ncvs/src/sys/scsi/scsi_base.c,v
retrieving revision 1.43
diff -c -6 -r1.43 scsi_base.c
*** scsi_base.c	1997/01/30 22:47:55	1.43
--- scsi_base.c	1997/03/06 01:18:32
***************
*** 612,624 ****
--- 612,627 ----
  	}
  	/*
  	 * we have finished with the xfer stuct, free it and
  	 * check if anyone else needs to be started up.
  	 */
  bad:
+ 	/* Need splbio since free_xs might call cdstart */
+ 	s = splbio();
  	free_xs(xs, sc_link, flags);	/* includes the 'start' op */
+ 	splx(s);
  	if (bp && retval) {
  		bp->b_error = retval;
  		bp->b_flags |= B_ERROR;
  		biodone(bp);
  	}
  	return (retval);
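Review bot: the saved level `s` used by the two added lines ("s = splbio();" and "splx(s);") is not declared anywhere in the six lines of context shown, so the patch only compiles if scsi_scsi_cmd already has an "int s;" at function scope; the submission should either show that declaration in the hunk or add it. Second, the added comment "Need splbio since free_xs might call cdstart" gives only one of the reasons: the closing note on this PR states that free_xs() must always run at splbio() to keep the pool of free xs structures from being corrupted, whether or not a start routine has anything to begin. A comment stating that invariant ("free_xs() must run at splbio(): it manipulates the free xs pool and may call a start routine") would make the protection harder to remove by mistake later; the commit note says the patch went in without the comment altogether.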

>Release-Note:
>Audit-Trail:

From: Tor Egge <Tor.Egge@idt.ntnu.no>
To: Tor.Egge@idt.ntnu.no
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/2891: cdstart are sometimes called at too low spl level
Date: Tue, 11 Mar 1997 17:28:24 +0100

 New synopsis: cdstart and sdstart are sometimes called at too low spl level
 
 sdopen causes sdstart to be called with low spl level:
 
 	sdopen
 	scsi_open
 	sd_open
 	scsi_test_unit_ready
 	scsi_scsi_cmd
 	free_xs
 	sdstart
 
 (None of those calls are protected against SCSI device interrupts by use of
  splbio().)
 
 - Tor Egge
State-Changed-From-To: open->closed 
State-Changed-By: gibbs 
State-Changed-When: Sun Mar 23 17:37:57 PST 1997 
State-Changed-Why:  
Suggested patch applied in rev 1.47 of sys/scsi/scsi_base.c 
>Unformatted:
Suggested patch, sans comment, applied.  In general free_xs() must be called
at splbio() in order for it to not corrupt the pool of free xs data structures.
This would be a danger even if there wasn't any pending I/O for a start
routine to begin.  Luckily this bug can only manifest itself for non-buffer-
based SCSI transactions, so it might be hard to create a condition where the
bug would bite.
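The following is an added illustration, not code from the PR or from the FreeBSD tree, of the race the description and the closing note are talking about. It models the spl mechanism in user space: splbio() raises a software interrupt level so a "bio" interrupt is deferred, splx() restores the level and delivers the deferred interrupt. free_xs() is modelled as the non-atomic read/modify/write of a LIFO free-pool head that it is, and the completion interrupt itself frees an xs, as a driver's done routine would. The names splbio, splx, free_xs and struct xs are stand-ins chosen to match the PR; nothing here calls a start routine, only the free-pool corruption from the closing note is shown. Run without the splbio()/splx() pair around free_xs(), one of the two frees is lost from the pool; with the pair (the patch in this PR), the interrupt is delivered at splx() and the pool stays intact.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of BSD interrupt priority levels (not kernel code). */
#define SPL_NONE 0
#define SPL_BIO  1

struct xs {                             /* stand-in for a scsi_xfer */
	struct xs *next;
	int id;
};

static int cur_spl = SPL_NONE;          /* current interrupt priority level */
static int bio_irq_pending = 0;         /* interrupt deferred by splbio() */
static struct xs *free_list = NULL;     /* head of the free xs pool */
static int frees_done = 0;              /* free_xs() calls that completed */
static struct xs irq_xs = { NULL, 99 }; /* xs freed by the interrupt path */

static void bio_interrupt_handler(void);

/* splbio(): mask bio interrupts; return the previous level for splx(). */
static int splbio(void)
{
	int s = cur_spl;
	cur_spl = SPL_BIO;
	return s;
}

/* splx(): restore the level and deliver an interrupt deferred meanwhile. */
static void splx(int s)
{
	cur_spl = s;
	if (cur_spl < SPL_BIO && bio_irq_pending) {
		bio_irq_pending = 0;
		bio_interrupt_handler();
	}
}

/* The device asserts its interrupt: run it now, or defer it if masked. */
static void raise_bio_irq(void)
{
	if (cur_spl >= SPL_BIO)
		bio_irq_pending = 1;
	else
		bio_interrupt_handler();
}

/*
 * free_xs() as the read/modify/write it really is.  irq_midway simulates
 * the device interrupting between the read of the list head and the write
 * back; whether the handler runs right there depends on the spl level.
 */
static void free_xs(struct xs *xs, int irq_midway)
{
	struct xs *old_head = free_list;   /* read the head */
	if (irq_midway)
		raise_bio_irq();
	xs->next = old_head;               /* stale if the handler ran above */
	free_list = xs;                    /* overwrites the handler's push */
	frees_done++;
}

/* Completion interrupt: the done routine frees its own xs. */
static void bio_interrupt_handler(void)
{
	free_xs(&irq_xs, 0);
}

static void reset_pool(void)
{
	cur_spl = SPL_NONE;
	bio_irq_pending = 0;
	free_list = NULL;
	frees_done = 0;
	irq_xs.next = NULL;
}

static int pool_length(void)
{
	struct xs *p;
	int n = 0;
	for (p = free_list; p != NULL; p = p->next)
		n++;
	return n;
}

/* Frees that never reached the pool; 0 means the pool is intact. */
static int lost_frees_without_spl(void)
{
	struct xs a = { NULL, 1 };
	reset_pool();
	free_xs(&a, 1);              /* like the unpatched scsi_scsi_cmd */
	return frees_done - pool_length();
}

static int lost_frees_with_spl(void)
{
	struct xs a = { NULL, 1 };
	int s;
	reset_pool();
	s = splbio();                /* the fix from this PR */
	free_xs(&a, 1);              /* interrupt stays pending ... */
	splx(s);                     /* ... and is delivered here, safely */
	return frees_done - pool_length();
}

int main(void)
{
	printf("lost frees without splbio: %d\n", lost_frees_without_spl());
	printf("lost frees with splbio:    %d\n", lost_frees_with_spl());
	return 0;
}
```

The "lost" free is exactly the corruption the closing note warns about: the xs freed from the interrupt path is dropped from the pool, so it leaks, and on a pool that also pops entries the stale head can just as well hand the same xs out twice. The patch's splbio()/splx() pair does not prevent the interrupt, it only postpones it to splx(), where the pool head is consistent again.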
