[Bug 206699] [Hyper-V]FreeBSD potential NULL pointer dereference in storage bounce buffer
bugzilla-noreply at freebsd.org
Thu Jan 28 01:33:25 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206699
Bug ID: 206699
Summary: [Hyper-V]FreeBSD potential NULL pointer dereference in storage bounce buffer
Product: Base System
Version: 10.2-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: honzhan at microsoft.com
Created attachment 166215
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=166215&action=edit
Patch to fix the NULL pointer dereference
This bug is reported from NetApp:
--------------
We found what we believe to be a bug in storvsc_create_bounce_buffer and
storvsc_destroy_bounce_buffer.
http://fxr.watson.org/fxr/source/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c?v=FREEBSD10#L1529
A panic was hit when the g_hv_sgl_page_pool.in_use_sgl_list list is empty.
Removing a NULL sgl_node causes a page fault.
To address this (and the same code in create_bounce_buffer), we added a
LIST_EMPTY check prior to calling LIST_FIRST and LIST_REMOVE.
--------------
This bug cannot be easily reproduced. It may be triggered in some corner case.
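An added example, not the driver's code or the attached patch, that models the pool with the same sys/queue.h LIST macros the driver uses: LIST_FIRST() on an empty list yields NULL, LIST_REMOVE() then dereferences it, and the LIST_EMPTY() guard described above turns that fault into a clean failure. The struct and function names, the free list, and the glibc copy of <sys/queue.h> are assumptions.

```c
#include <stddef.h>
#include <sys/queue.h>   /* BSD LIST_* macros; glibc ships the same header */

/* One pooled scatter/gather list descriptor (payload is a stand-in). */
struct sgl_node {
    void *sgl_data;
    LIST_ENTRY(sgl_node) link;          /* le_next / le_prev */
};

/* Reduced model of g_hv_sgl_page_pool: a free list plus the in-use list. */
struct sgl_pool {
    LIST_HEAD(, sgl_node) free_sgl_list;
    LIST_HEAD(, sgl_node) in_use_sgl_list;
};

static void sgl_pool_init(struct sgl_pool *p, struct sgl_node *nodes, int n)
{
    LIST_INIT(&p->free_sgl_list);
    LIST_INIT(&p->in_use_sgl_list);
    for (int i = 0; i < n; i++)
        LIST_INSERT_HEAD(&p->free_sgl_list, &nodes[i], link);
}

/* Moves the first free node onto the in-use list. Without the LIST_EMPTY()
 * guard, LIST_FIRST() yields NULL on an empty list and LIST_REMOVE() then
 * reads node->link.le_next through that NULL pointer: the reported fault. */
static struct sgl_node *create_bounce_buffer(struct sgl_pool *p)
{
    if (LIST_EMPTY(&p->free_sgl_list))
        return NULL;                    /* pool exhausted; caller must cope */
    struct sgl_node *node = LIST_FIRST(&p->free_sgl_list);
    LIST_REMOVE(node, link);
    LIST_INSERT_HEAD(&p->in_use_sgl_list, node, link);
    return node;
}

/* Returns the first in-use node to the free list; 1 on success, 0 when the
 * in-use list is already empty (the corner case the report describes). */
static int destroy_bounce_buffer(struct sgl_pool *p)
{
    if (LIST_EMPTY(&p->in_use_sgl_list))
        return 0;
    struct sgl_node *node = LIST_FIRST(&p->in_use_sgl_list);
    LIST_REMOVE(node, link);
    LIST_INSERT_HEAD(&p->free_sgl_list, node, link);
    return 1;
}
```

Driving a two-node pool past both exhaustion points now yields a NULL return and a 0 status respectively, where the unguarded sequence would have faulted.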