Page MenuHomeFreeBSD

cam: In scsi_scan_bus, fix an error case
ClosedPublic

Authored by imp on Jul 5 2025, 6:15 PM.
Tags
None
Referenced Files
F132083144: D51169.id158135.diff
Mon, Oct 13, 12:33 PM
F132083137: D51169.id.diff
Mon, Oct 13, 12:33 PM
F132083136: D51169.id158025.diff
Mon, Oct 13, 12:33 PM
F132083133: D51169.diff
Mon, Oct 13, 12:33 PM
Unknown Object (File)
Tue, Sep 16, 5:24 AM
Unknown Object (File)
Sat, Sep 13, 11:22 PM
Unknown Object (File)
Sep 13 2025, 12:14 PM
Unknown Object (File)
Sep 13 2025, 8:14 AM
Subscribers
None

Details

Summary

If we can't allocate the new path when loopoing over the target range,
then we have to free the scan_info->cpi CCB, not the work_ccb. This was
accidentally correct for the first iteration (because work_ccb ==
scan_info->cpi), but incorrect after that since we'll be freeing the CCB
for XPT_SCAN_LUN for the prior LUN we kicked off. Reorder the free so we
free it before we free scan_info so the pointer is still valid.

I do not have a test case for this since it requires that we fail in the
second or later iteration of the loop due to low memory, and only
fuzzing would catch that.

Sponsored by: Netflix

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

imp requested review of this revision.Jul 5 2025, 6:15 PM
jhb added inline comments.
sys/cam/scsi/scsi_xpt.c
2041

I think the "it" here is confusing as on my first reading I mapped it back to "work_ccb" since that was mentioned first. But also, I wonder if you can just drop this comment entirely. The next block below that handle allocation failure for work_ccb is identical to the new code, so your fix is making the code more consistent and thus probably obvious to the reader.

This revision is now accepted and ready to land.Jul 7 2025, 5:05 PM
sys/cam/scsi/scsi_xpt.c
2041

OK. Maybe you're right, so I'll just drop this comment.

This revision was automatically updated to reflect the committed changes.