Bug 206699

Summary: [Hyper-V]FreeBSD potential NULL pointer dereference in storage bounce buffer
Product: Base System Reporter: Hongjiang <honzhan>
Component: kern Assignee: freebsd-virtualization (Nobody) <virtualization>
Status: Closed FIXED
Severity: Affects Many People CC: gonzo, kyliel, royger, virtualization
Priority: --- Keywords: patch
Version: 10.2-STABLE
Hardware: Any
OS: Any
Attachments:
Patch to fix the NULL pointer dereference (Flags: none)

Description Hongjiang 2016-01-28 01:33:25 UTC
Created attachment 166215
Patch to fix the NULL pointer dereference

This bug is reported from NetApp:
--------------
We found what we believe to be a bug in storvsc_create_bounce_buffer and storvsc_destroy_bounce_buffer.
 
http://fxr.watson.org/fxr/source/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c?v=FREEBSD10#L1529
 
A panic was hit when the g_hv_sgl_page_pool.in_use_sgl_list list is empty. The removal of a NULL sgl_node causes a page fault.
 
To address this (and the same code in create_bounce_buffer), we added a LIST_EMPTY check prior to calling LIST_FIRST and LIST_REMOVE.
--------------

This bug cannot be easily reproduced. It may be triggered in some corner case.
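As an added illustration that is not part of this report, the attached patch or the driver's code: a small C model of the failure described above, using a local stand-in for the queue(3) LIST macros, showing how the LIST_EMPTY guard turns an exhausted pool into a NULL return instead of a LIST_REMOVE on a NULL node. The pool, node and function names are hypothetical, modelled on the names the report mentions.

```c
#include <stddef.h>
/* Local stand-in for the queue(3) LIST macros the driver uses (same semantics). */
#define LIST_HEAD(name, type)  struct name { struct type *lh_first; }
#define LIST_ENTRY(type)       struct { struct type *le_next, **le_prev; }
#define LIST_EMPTY(head)       ((head)->lh_first == NULL)
#define LIST_FIRST(head)       ((head)->lh_first)
#define LIST_INSERT_HEAD(head, elm, field) do {                                   \
    if (((elm)->field.le_next = (head)->lh_first) != NULL)                        \
        (head)->lh_first->field.le_prev = &(elm)->field.le_next;                  \
    (head)->lh_first = (elm); (elm)->field.le_prev = &(head)->lh_first; } while (0)
#define LIST_REMOVE(elm, field) do { /* dereferences elm: a NULL here page-faults */ \
    if ((elm)->field.le_next != NULL)                                             \
        (elm)->field.le_next->field.le_prev = (elm)->field.le_prev;               \
    *(elm)->field.le_prev = (elm)->field.le_next; } while (0)
struct sgl_node { LIST_ENTRY(sgl_node) link; };
LIST_HEAD(sgl_list, sgl_node);
/* Hypothetical pool shaped like the report's g_hv_sgl_page_pool (constructed here). */
struct sgl_page_pool { struct sgl_list free_sgl_list, in_use_sgl_list; };
/* Move the first node of `from` onto `to`. Without the LIST_EMPTY check,
 * LIST_FIRST on an empty list yields NULL and LIST_REMOVE(NULL) faults. */
static struct sgl_node *pool_take(struct sgl_list *from, struct sgl_list *to)
{
    if (LIST_EMPTY(from))
        return NULL;                    /* caller gets an error, not a panic */
    struct sgl_node *n = LIST_FIRST(from);
    LIST_REMOVE(n, link);
    LIST_INSERT_HEAD(to, n, link);
    return n;
}

/* create: free -> in_use; destroy: in_use -> free (as the report describes). */
static struct sgl_node *create_bounce_buffer(struct sgl_page_pool *p)
{ return pool_take(&p->free_sgl_list, &p->in_use_sgl_list); }
static struct sgl_node *destroy_bounce_buffer(struct sgl_page_pool *p)
{ return pool_take(&p->in_use_sgl_list, &p->free_sgl_list); }

/* Drive a pool of `pool_size` nodes (max 8) past exhaustion in both directions;
 * returns how many requests the guard refused cleanly instead of faulting. */
static int bounce_pool_demo(int pool_size, int requests)
{
    struct sgl_node nodes[8];
    struct sgl_page_pool pool = { { NULL }, { NULL } };
    int refused = 0;
    for (int i = 0; i < pool_size && i < 8; i++)
        LIST_INSERT_HEAD(&pool.free_sgl_list, &nodes[i], link);
    for (int i = 0; i < requests; i++)  /* over-allocate: free list runs dry */
        if (create_bounce_buffer(&pool) == NULL) refused++;
    for (int i = 0; i < requests; i++)  /* over-release: in-use list runs dry */
        if (destroy_bounce_buffer(&pool) == NULL) refused++;
    return refused;
}
```

With the guard removed from pool_take, the same over-release loop would dereference NULL inside LIST_REMOVE, which is the page fault the report describes.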
Comment 1 Roger Pau Monné 2016-01-28 10:18:01 UTC
I've already told Wei that creating your own bounce buffer is a bad idea. Instead you should use the BUSDMA API and let it take care of the bouncing when necessary:

https://reviews.freebsd.org/D1964

IIRC something was missing in BUSDMA so that the HyperV storage driver could use it, we should look into adding what's needed and then removing this custom bounce buffering.

Please upload the patch to the review system.

Roger.
Comment 2 Hongjiang 2016-01-28 10:40:01 UTC
Yes, the final fix should be using BUSDMA. Temporarily we still used the customized bounce buffer.
The code review for this patch: https://reviews.freebsd.org/D5097
Comment 3 Oleksandr Tymoshenko 2019-01-22 20:23:16 UTC
Patch committed as base r295295