Page MenuHomeFreeBSD
Differential D5413

Fix rare double free in vdev_geom_attrchanged
ClosedPublic
Actions

Authored by asomers on Feb 23 2016, 11:35 PM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 28 2024, 10:50 AM
Unknown Object (File)
Feb 28 2024, 9:02 AM
Unknown Object (File)
Feb 8 2024, 11:01 AM
Unknown Object (File)
Jan 23 2024, 4:39 AM
Unknown Object (File)
Jan 8 2024, 10:56 AM
Unknown Object (File)
Dec 20 2023, 12:45 AM
Unknown Object (File)
Dec 14 2023, 8:59 AM
Unknown Object (File)
Nov 6 2023, 11:56 PM
View All 33 Files
Subscribers
delphij
imp
smh

Details

Reviewers
gibbs
delphij
Commits
rS297868: Fix rare double free in vdev_geom_attrchanged
Summary

Don't drop the g_topology_lock before freeing old_physpath. That opens up a
race where one thread can call vdev_geom_attrchanged, set old_physpath, drop
the g_topology_lock, then block trying to acquire the SCL_STATE lock. Then
another thread can come into vdev_geom_attrchanged, set old_physpath to the
same value, and proceed to free it. When the first thread resumes, it will
free the same location.

It turns out that the SCL_STATE lock isn't needed. It was originally added by
gibbs to protect vd->vdev_physpath while updating the same. However, the
update process subsequently was switched to an atomic operation (a pointer
swap). Now, there is no need for the SCL_STATE lock, and hence no need to drop
the g_topology_lock.

Test Plan

2 runs through the ZFS test suite on HEAD. 10 runs on SpectraBSD, which has
some additional changes that increase the probability of the race.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

asomers updated this revision to Diff 13663.Feb 23 2016, 11:35 PM
asomers retitled this revision from to Fix rare double free in vdev_geom_attrchanged.
asomers updated this object.
asomers edited the test plan for this revision. (Show Details)
asomers added a reviewer: gibbs.
Herald added subscribers: delphij, imp. · View Herald TranscriptFeb 23 2016, 11:35 PM
smh added a subscriber: smh.Apr 8 2016, 3:23 PM

This looks like it might leave old data in the zpool.cache?

asomers added a comment.Apr 8 2016, 3:42 PM
In D5413#125618, @smh wrote:

This looks like it might leave old data in the zpool.cache?

Please explain?

delphij accepted this revision.Apr 11 2016, 5:40 AM
delphij added a reviewer: delphij.

Looks good to me.

This revision is now accepted and ready to land.Apr 11 2016, 5:40 AM
Closed by commit rS297868: Fix rare double free in vdev_geom_attrchanged (authored by asomers). · Explain WhyApr 12 2016, 7:11 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sys/
cddl/
contrib/
opensolaris/
uts/
common/
fs/
zfs/
19 lines

Diff 15119

View Options

head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c

Loading...