| Summary: | A possible null-pointer dereference caused by a data race in sys/geom/gate/g_gate.c | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Tuo Li <islituo> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed Not A Bug | ||
| Severity: | Affects Only Me | CC: | markj |
| Priority: | --- | ||
| Version: | 14.0-RELEASE | ||
| Hardware: | Any | ||
| OS: | Any | ||
Mark Johnston (comment #1):

The geom topology lock synchronizes relevant accesses to sc->sc_readcons. In particular, dumpconf is invoked with the topology lock held, and this lock is also held when clearing sc_readcons. Why do you think that there is a race?

(In reply to Mark Johnston from comment #1)

Thanks very much for your reply! I am sorry to bother you, and I have carefully checked the code related to this report and found that this data race may be a false positive, since the geom topology lock is used to synchronize all accesses to sc->sc_readcons.
Original report:

In the function g_gate_dumpconf(), sc->sc_readcons is first checked to be not NULL:

```c
if (sc->sc_readcons != NULL)
```

and then dereferenced:

```c
sbuf_printf(sb, "%s<read_provider>%s</read_provider>\n", indent, sc->sc_readcons->provider->name);
```

However, sc->sc_readcons can be set to NULL by other functions such as g_gate_modify() right after it is checked:

```c
sc->sc_readcons = NULL;
```

and thus can cause a null-pointer dereference.
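An added example, not code from g_gate.c or the FreeBSD tree: a user-space model of the check-then-dereference pattern in the report and of the locking discipline described in the reply, with a pthread mutex standing in for the GEOM topology lock. The struct, function and provider names (dumpconf, modify_readcons, "da0") are stand-ins chosen here; because the NULL check in the dumpconf model and the clear in the modify model both run under the one lock, the interleaving the report describes cannot occur, and the model also shows why calling dumpconf without the lock is the real precondition to check.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
struct provider { const char *name; };
struct consumer { struct provider *provider; };
struct softc    { struct consumer *sc_readcons; };

/* Stand-ins for g_topology_lock()/unlock(); the flag models g_topology_assert(). */
static pthread_mutex_t topology_mtx = PTHREAD_MUTEX_INITIALIZER;
static int topology_held;
static void topology_lock(void)   { pthread_mutex_lock(&topology_mtx); topology_held = 1; }
static void topology_unlock(void) { topology_held = 0; pthread_mutex_unlock(&topology_mtx); }

/* Model of g_gate_dumpconf(): runs with the lock held, so the NULL check and the
 * dereference see the same sc_readcons. Returns -1 (lock not held), 1 (name copied), 0 (none). */
int dumpconf(const struct softc *sc, char *buf, size_t len)
{
    if (!topology_held) return -1;          /* g_topology_assert() would panic here */
    if (sc->sc_readcons == NULL) { buf[0] = '\0'; return 0; }
    snprintf(buf, len, "%s", sc->sc_readcons->provider->name);
    return 1;
}

/* Model of g_gate_modify(): clears (or attaches) the read consumer under the same lock. */
void modify_readcons(struct softc *sc, struct consumer *cp)
{
    topology_lock(); sc->sc_readcons = cp; topology_unlock();
}

/* Constructed topology ("da0" behind one consumer) and a thread that keeps toggling it. */
static struct provider g_pp = { "da0" };
static struct consumer g_cp = { &g_pp };
static struct softc g_sc = { &g_cp };
static void *toggler(void *unused)
{
    for (int i = 0; i < 20000; i++) modify_readcons(&g_sc, (i & 1) ? &g_cp : NULL);
    return unused;
}

/* Dumps under the lock while toggler runs; returns the count of inconsistent dumps (expected 0). */
int race_demo(void)
{
    pthread_t t; char buf[16]; int bad = 0;
    pthread_create(&t, NULL, toggler, NULL);
    for (int i = 0; i < 20000; i++) {
        topology_lock();
        int r = dumpconf(&g_sc, buf, sizeof buf);
        topology_unlock();
        bad += (r == 1) ? strcmp(buf, "da0") != 0 : (r != 0 || buf[0] != '\0');
    }
    pthread_join(t, NULL);
    return bad;
}
```

Removing the topology_lock()/topology_unlock() pair around dumpconf in race_demo() reintroduces exactly the window the report describes; the lock, not the NULL check, is what rules it out.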