| Summary: | A possible null-pointer dereference caused by a data race in sys/dev/firewire/fwdev.c | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Tuo Li <islituo> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | New --- | ||
| Severity: | Affects Only Me | CC: | markj |
| Priority: | --- | ||
| Version: | 14.0-RELEASE | ||
| Hardware: | Any | ||
| OS: | Any | ||
Description (Tuo Li, reporter):

In the function fw_read(), ir->stproc is first checked to be not NULL:

    } else if (ir->stproc != NULL) {

and then is dereferenced after releasing the protecting lock:

    FW_GUNLOCK(fc);
    fp = (struct fw_pkt *)fwdma_v_addr(ir->buf, ir->stproc->poffset + ir->queued);

However, if ir->stproc is set to NULL by other functions such as fw_write() right after the lock is released, a null-pointer dereference can occur:

    it->stproc = NULL;

Comment #1 (Mark Johnston):

Yes, this code is buggy and should continue to use Giant. I'm not sure if the firewire driver gets any maintenance these days, though.

Comment #2 (Tuo Li):

(In reply to Mark Johnston from comment #1)

Thanks for your reply! I have also found some other data races in the firewire driver and I will carefully recheck them. If they are true positives, I will report them soon.
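The following is an added example that is not part of this bug report or of the FreeBSD firewire driver. It models the check-then-dereference window described above with hypothetical stand-in structures (stproc_stub, xferq_stub, fc_stub) and a single-threaded "lock" whose critical section is real but whose contention is injected through a hook, so the interleaving that the reporter describes (fw_write() clearing stproc right after FW_GUNLOCK()) happens deterministically instead of depending on scheduling. fw_read_racy mirrors the quoted fw_read() shape; fw_read_fixed snapshots what it needs from ir->stproc before dropping the lock. The fixture values (poffset 16, queued 4) are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the firewire structures; not the kernel's own. */
struct stproc_stub { size_t poffset; };       /* what ir->stproc points to */
struct xferq_stub {                           /* struct fw_xferq (ir / it) */
    struct stproc_stub *stproc;
    size_t queued;
    unsigned char *buf;                       /* buffer behind fwdma_v_addr() */
};
struct fc_stub { int held; };                 /* controller plus its lock */

/* Single-threaded model of FW_GLOCK/FW_GUNLOCK; the interleaving is injected. */
#define FW_GLOCK(fc)   ((fc)->held++)
#define FW_GUNLOCK(fc) ((fc)->held--)

enum { RD_OK = 0, RD_NO_STPROC = -1, RD_NULL_DEREF = -2 };

/* Runs in the window after FW_GUNLOCK(); stands in for a concurrent fw_write(). */
typedef void (*window_hook)(struct xferq_stub *);
typedef int (*reader_fn)(struct fc_stub *, struct xferq_stub *, window_hook,
                         unsigned char **);

/* Racy variant: the shape of the fw_read() code quoted in the report. */
int fw_read_racy(struct fc_stub *fc, struct xferq_stub *ir,
                 window_hook in_window, unsigned char **out)
{
    FW_GLOCK(fc);
    if (ir->stproc == NULL) {
        FW_GUNLOCK(fc);
        return RD_NO_STPROC;
    }
    FW_GUNLOCK(fc);             /* lock dropped: stproc is no longer stable */

    if (in_window != NULL)
        in_window(ir);          /* simulated fw_write(): it->stproc = NULL */

    /* The driver reads ir->stproc->poffset here.  This NULL test exists only
     * so the demo can report the fault instead of crashing. */
    if (ir->stproc == NULL)
        return RD_NULL_DEREF;
    *out = ir->buf + ir->stproc->poffset + ir->queued;
    return RD_OK;
}

/* Hardened variant: everything derived from ir->stproc is read while the lock
 * is held, so a concurrent "stproc = NULL" cannot land between check and use.
 * Holding the lock across the whole path (the thread's "continue to use
 * Giant") closes the same window. */
int fw_read_fixed(struct fc_stub *fc, struct xferq_stub *ir,
                  window_hook in_window, unsigned char **out)
{
    size_t poffset, queued;

    FW_GLOCK(fc);
    if (ir->stproc == NULL) {
        FW_GUNLOCK(fc);
        return RD_NO_STPROC;
    }
    poffset = ir->stproc->poffset;  /* snapshot under the lock */
    queued = ir->queued;
    FW_GUNLOCK(fc);

    if (in_window != NULL)
        in_window(ir);          /* same interleaving, now harmless */

    *out = ir->buf + poffset + queued;
    return RD_OK;
}

/* The other side of the race: what fw_write() does to the shared pointer. */
void clear_stproc(struct xferq_stub *it)
{
    it->stproc = NULL;
}

/* Constructed fixture: one queue with stproc set, poffset 16, queued 4.
 * demo_run returns the computed buffer offset (16 + 4 = 20) on success,
 * otherwise the reader's negative return code. */
static unsigned char demo_buf[64];
static struct stproc_stub demo_stproc = { 16 };

long demo_run(reader_fn reader, window_hook hook)
{
    struct fc_stub fc = { 0 };
    struct xferq_stub ir = { &demo_stproc, 4, demo_buf };
    unsigned char *p = NULL;
    int rc = reader(&fc, &ir, hook, &p);
    return rc == RD_OK ? (long)(p - demo_buf) : rc;
}

int main(void)
{
    printf("racy,  no interleaving : %ld\n", demo_run(fw_read_racy, NULL));
    printf("racy,  fw_write in gap : %ld\n", demo_run(fw_read_racy, clear_stproc));
    printf("fixed, fw_write in gap : %ld\n", demo_run(fw_read_fixed, clear_stproc));
    return 0;
}
```

The snapshot approach only covers the pointer check the report is about; whether the memory behind stproc and the buffer itself stay valid once the lock is dropped is a separate lifetime question that the thread's answer (keep the whole path under Giant) avoids altogether. Any static race detector flagging this pattern will report the same thing: a field read under a lock, the lock released, and the field dereferenced afterwards.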