kern/115371: Device removal leaves resource database such that "devinfo -r" causes panic

Arthur Hartwig arthur.hartwig at nokia.com
Thu Aug 9 23:30:03 PDT 2007


>Number:         115371
>Category:       kern
>Synopsis:       Device removal leaves resource database such that "devinfo -r" causes panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 10 06:30:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Arthur Hartwig
>Release:        7.0
>Organization:
Nokia
>Environment:
>Description:
I have been working on a private implementation of a "PCI hotplug"-like device replacement. On device removal and subsequent freeing of resources, the kernel resource database is left in a state such that the shell command "devinfo -r" or the ddb command??? can cause a panic.

Analysis:
Resources are allocated by calling rman_reserve_resource_bound() in kern/subr_rman.c, which stores a pointer to the "requesting" device in the r_dev field of the resource structure and marks the resource as allocated by setting RF_ALLOCATED in its r_flags field. When the resource is freed, int_rman_release_resource() is called, which clears the RF_ALLOCATED flag in the resource structure but does not clear the r_dev field, so the resource keeps a dangling pointer to a device that may no longer exist.

The devinfo -r command causes sysctl_rman() to be called. sysctl_rman() walks the resource list and assumes any resource with a non-null r_dev field holds a pointer to a valid device structure; if the device structure has already been freed, the device_get_name(res->r_dev) call may generate a page fault and panic.

There is a similar issue in dump_rman() in the same file.


>How-To-Repeat:
It may be possible to create a panic by removing a cardbus device and then issuing devinfo -r. Use of the kernel debugging mechanism to fill free malloc storage with 0xdeadcode is likely to increase the likelihood of seeing the problem.

>Fix:
Suggested fix: Clear the r_dev field of the resource structure when the RF_ALLOCATED flag is cleared:

in int_rman_release_resource() change:

		r->r_flags &= ~RF_ALLOCATED;
		return 0;

to

		r->r_flags &= ~RF_ALLOCATED;
		r->r_dev = NULL;
		return 0;
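The following is an added example written for this report; it is not code from the PR or from FreeBSD's kern/subr_rman.c. It models only the two fields the analysis above talks about (r_flags and r_dev) and the two release paths (as reported, and with the suggested r_dev = NULL fix), so the stale back-pointer that sysctl_rman() and dump_rman() would follow can be observed in user space. The structure layouts, the helper names and the device name "cbb0" are all constructed; the device is deliberately kept alive so the walk stays well-defined, whereas in the kernel it has been freed by the time devinfo -r runs.

```c
#include <stdio.h>
#include <string.h>

#define RF_ALLOCATED 0x0001   /* constructed stand-in for the kernel flag of the same name */

struct device {
    char name[16];
};

/* Stand-in for struct resource with only the fields the report discusses. */
struct resource {
    unsigned int r_flags;
    struct device *r_dev;       /* back-pointer to the requesting device */
    struct resource *r_next;
};

/* Models what rman_reserve_resource_bound() does with these two fields. */
static void reserve(struct resource *r, struct device *dev)
{
    r->r_flags |= RF_ALLOCATED;
    r->r_dev = dev;
}

/* Release as the report describes the original int_rman_release_resource(). */
static void release_as_reported(struct resource *r)
{
    r->r_flags &= ~RF_ALLOCATED;
}

/* Release with the suggested fix applied: drop the back-pointer as well. */
static void release_fixed(struct resource *r)
{
    r->r_flags &= ~RF_ALLOCATED;
    r->r_dev = NULL;
}

/* The invariant sysctl_rman()/dump_rman() implicitly rely on: a record with a
 * non-NULL r_dev is owned by a live device.  Counts records that violate it
 * (r_dev set while RF_ALLOCATED is clear); each one is a pointer the walker
 * would dereference even though the device may already have been freed. */
int count_stale_owners(const struct resource *head)
{
    int stale = 0;
    for (const struct resource *r = head; r != NULL; r = r->r_next)
        if (r->r_dev != NULL && !(r->r_flags & RF_ALLOCATED))
            stale++;
    return stale;
}

/* One reserve/release cycle on a two-entry list; returns the stale count.
 * fixed == 0 uses the release path as reported, fixed != 0 the fixed one. */
int stale_after_release(int fixed)
{
    struct device dev;
    struct resource r1, r2;

    strcpy(dev.name, "cbb0");                  /* constructed device name */
    memset(&r1, 0, sizeof r1);
    memset(&r2, 0, sizeof r2);
    r1.r_next = &r2;

    reserve(&r1, &dev);                        /* r1 owned by dev, r2 never allocated */
    if (fixed)
        release_fixed(&r1);
    else
        release_as_reported(&r1);

    return count_stale_owners(&r1);
}

int main(void)
{
    printf("stale r_dev pointers, release as reported: %d\n", stale_after_release(0));
    printf("stale r_dev pointers, release with fix:    %d\n", stale_after_release(1));
    return 0;
}
```

The count_stale_owners() check is also the kind of assertion one could place in a debug walk of the real list: a record that carries an owner pointer without RF_ALLOCATED is exactly the state the report describes, and catching it at release time is cheaper than catching it as a page fault in device_get_name().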



>Release-Note:
>Audit-Trail:
>Unformatted:
