cam: In scsi_scan_bus, fix an error case
ClosedPublic
Actions

Authored by imp on Jul 5 2025, 6:15 PM.

Details

Reviewers

jhb
ken
mav

Group Reviewers

cam

Commits

rG3b3591d3e1ac: cam: In scsi_scan_bus, fix an error case

Summary

If we can't allocate the new path when loopoing over the target range,
then we have to free the scan_info->cpi CCB, not the work_ccb. This was
accidentally correct for the first iteration (because work_ccb ==
scan_info->cpi), but incorrect after that since we'll be freeing the CCB
for XPT_SCAN_LUN for the prior LUN we kicked off. Reorder the free so we
free it before we free scan_info so the pointer is still valid.

I do not have a test case for this since it requires that we fail in the
second or later iteration of the loop due to low memory, and only
fuzzing would catch that.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

imp created this revision.Jul 5 2025, 6:15 PM

Herald added a reviewer: cam. · View Herald TranscriptJul 5 2025, 6:15 PM

imp requested review of this revision.Jul 5 2025, 6:15 PM

Harbormaster completed remote builds in B65230: Diff 158025.Jul 5 2025, 6:15 PM

imp added a parent revision: D51168: cam/mmc: Use xpt_path_inq instead of hand-rollded equivalent.Jul 5 2025, 6:15 PM

imp added a child revision: D51170: cam: Create free_scan_info helper function.

jhb accepted this revision.Jul 7 2025, 5:05 PM

jhb added inline comments.

sys/cam/scsi/scsi_xpt.c
2041	I think the "it" here is confusing as on my first reading I mapped it back to "work_ccb" since that was mentioned first. But also, I wonder if you can just drop this comment entirely. The next block below that handle allocation failure for `work_ccb` is identical to the new code, so your fix is making the code more consistent and thus probably obvious to the reader.