Geom / destroy_dev() deadlock
Konstantin Belousov
kostikbel at gmail.com
Mon Jun 11 22:53:09 UTC 2012
On Mon, Jun 11, 2012 at 03:27:39PM -0700, Steven Haber wrote:
> > I do not understand what you are proposing. Could you, please, show
> > the patch ?
>
> ---
> src/sys/geom/geom_dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/sys/geom/geom_dev.c b/src/sys/geom/geom_dev.c
> index 38251e1..787235a 100644
> --- a/src/sys/geom/geom_dev.c
> +++ b/src/sys/geom/geom_dev.c
> @@ -497,7 +497,7 @@ g_dev_orphan(struct g_consumer *cp)
>
> /* Destroy the struct cdev *so we get no more requests */
> unit = dev2unit(dev);
> - destroy_dev(dev);
> + destroy_dev_sched(dev);
> free_unr(unithdr, unit);
>
> /* Wait for the cows to come home */
Did you noted the comment above the block you changing ?
The patch would cause races allowing arbitrary kernel memory corruption.
The moment when the cdev is destroyed is somewhere in future, while
structures that the cdev reference are freed synchronously.
I tried to put some safety measures into destroy_dev_sched(9), namely
CDP_SCHED_DTR flag that somewhat reduces the possibility of usermode
accessing cdev after destroy_dev_sched(), but this cannot be eliminated
entirely.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-geom/attachments/20120611/4aaf8e92/attachment.pgp
More information about the freebsd-geom
mailing list