da(4): defend against calling sysctl_ctx_free on uninitialized sysctl_ctx

Thomas Quinot thomas at FreeBSD.ORG
Wed Oct 8 00:42:59 PDT 2003


On 2003-10-07, Nate Lawson wrote:

> > Index: scsi_da.c

(committed as scsi_da.c rev. 1.160).

> thanks for running it by me.

You are most welcome, as listed maintainer of da(4) :)

> Perhaps there's
> a better way to signal whether the sysctl has been initialized though.
> Perhaps a check for SYSCTL_CHILDREN != NULL or something?  I've fought

I do not think so, the uninitialized field in question is a
sysctl_ctx_list (not a sysctl_oid_list), i.e. a TAILQ.

On the other hand maybe sysctl_ctx_free could simply return if
TAILQ_FIRST of its argument is NULL, and then we could remove the
{CD,DA}_FLAG_SCTX_INIT circuitry from both drivers. However, this
solution is not as satisfactory, as it relies on several implementation
assumptions:
  - the sysctl_ctx_list is initialized to all zeroes;
  - an all-zero tailq head has a NULL TAILQ_FIRST
  - most annoying, it relies on the fact that it is safe and meaningful
    to call TAILQ_FIRST on an uninitialized tailq.

I am especially concerned with the 3rd item, which is a glaring
violation of abstraction, and is outside of the documented specification
for queue.h. The irreducible problem here is that we cannot determine
whether a tailq has been TAILQ_INIT'd just by looking at it, because the
present specification for the tailq mechanism does not specify any
property of uninitialized (zero'd out) tailq heads.

Overall I think the small added complexity of the flag is well worth the
added robustness. Of course this analysis should be revisited if the
specification of tailqs is amended to determine some property of zero'd
out tailq heads that could be tested to determine whether one has been
initialized or not.

Thomas.

-- 
    Thomas.Quinot at Cuivre.FR.EU.ORG
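A user-space model of the flag-guarded cleanup argued for above, added here as an example; it is not code from the thread or from scsi_da.c. The types ctx_entry and ctx_list, the functions ctx_init and ctx_free, the softc struct and the SOFTC_FLAG_SCTX_INIT bit are hypothetical stand-ins for the kernel's sysctl_ctx_list, sysctl_ctx_init, sysctl_ctx_free and the driver softc with its DA_FLAG_SCTX_INIT bit. It builds against the TAILQ macros of sys/queue.h as shipped by FreeBSD and glibc, and the last function shows why a TAILQ_FIRST check cannot tell an all-zero head from an initialized-but-empty one.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

/* Hypothetical stand-in for a sysctl context entry (not the kernel's type). */
struct ctx_entry {
    int id;
    TAILQ_ENTRY(ctx_entry) link;
};
TAILQ_HEAD(ctx_list, ctx_entry);

#define SOFTC_FLAG_SCTX_INIT 0x01   /* plays the role of DA_FLAG_SCTX_INIT */

struct softc {
    int flags;
    struct ctx_list sysctl_ctx;     /* embedded head, like the driver's sysctl_ctx */
};

/* Stand-in for sysctl_ctx_init(). */
static void ctx_init(struct ctx_list *l)
{
    TAILQ_INIT(l);
}

/* Stand-in for sysctl_ctx_free(): like the real one, it is only defined on a
 * list that went through ctx_init(). Returns the number of entries freed. */
static int ctx_free(struct ctx_list *l)
{
    struct ctx_entry *e;
    int n = 0;

    while ((e = TAILQ_FIRST(l)) != NULL) {
        TAILQ_REMOVE(l, e, link);
        free(e);
        n++;
    }
    return n;
}

/* Zero-filled allocation, as with malloc(..., M_ZERO) in the driver: the
 * flag word starts clear and the ctx head starts all-zero (not initialized). */
static struct softc *softc_alloc(void)
{
    return calloc(1, sizeof(struct softc));
}

/* Late attach step: initialize the ctx, record that fact, then populate it. */
static void softc_sysctl_init(struct softc *sc, int nentries)
{
    int i;

    ctx_init(&sc->sysctl_ctx);
    sc->flags |= SOFTC_FLAG_SCTX_INIT;
    for (i = 0; i < nentries; i++) {
        struct ctx_entry *e = calloc(1, sizeof(*e));
        e->id = i;
        TAILQ_INSERT_TAIL(&sc->sysctl_ctx, e, link);
    }
}

/* Cleanup shared by detach and by attach-failure unwinding. The flag, not the
 * list contents, decides whether ctx_free() may be called. Returns the number
 * of entries freed, or -1 when the ctx was skipped as never initialized. */
static int softc_cleanup(struct softc *sc)
{
    int n = -1;

    if (sc->flags & SOFTC_FLAG_SCTX_INIT) {
        n = ctx_free(&sc->sysctl_ctx);
        sc->flags &= ~SOFTC_FLAG_SCTX_INIT;
    }
    free(sc);
    return n;
}

/* Full attach followed by detach: three entries freed. */
int scenario_attach_then_detach(void)
{
    struct softc *sc = softc_alloc();
    softc_sysctl_init(sc, 3);
    return softc_cleanup(sc);
}

/* Attach that fails before the sysctl step: cleanup must not touch the ctx. */
int scenario_attach_failed_early(void)
{
    struct softc *sc = softc_alloc();
    return softc_cleanup(sc);
}

/* The rejected alternative: an all-zero head and a TAILQ_INIT'd empty head
 * both yield TAILQ_FIRST == NULL, so the head alone cannot say whether it was
 * initialized, and queue.h makes no promise about reading a zeroed head. */
int zeroed_and_empty_heads_look_alike(void)
{
    struct ctx_list zeroed, inited;

    memset(&zeroed, 0, sizeof(zeroed));
    TAILQ_INIT(&inited);
    return TAILQ_FIRST(&zeroed) == NULL && TAILQ_FIRST(&inited) == NULL;
}
```

The flag is set in the same place the ctx is initialized, so the cleanup path never has to guess from the head's contents; the fallback of testing TAILQ_FIRST would only work because calloc zeroes the head, which is exactly the implementation assumption the message objects to.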

