Subject: kern/1820: unconfiguring of ccd causes system panic
To: None <gnats-bugs@gnats.netbsd.org>
From: None <gdonl@gv.ssi1.com>
List: netbsd-bugs
Date: 12/07/1995 02:34:42
>Number:         1820
>Category:       kern
>Synopsis:       unconfiguring of ccd causes system panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Dec  7 06:20:01 1995
>Last-Modified:
>Originator:     
>Organization:
Don "Truck" Lewis                                       Silicon Systems
Internet: gdonl@gv.ssi1.com                             138 New Mohawk Road
Phone: +1 916 478-8284       FAX: +1 916 478-8251       Nevada City, CA  95959
>Release:        NetBSD 1.1
>Environment:
	
System: NetBSD frankenstein 1.1 NetBSD 1.1 (FRANKENSTEIN) #5: Thu Dec 7 02:13:42 PST 1995 root@frankenstein:/usr/src/sys/arch/hp300/compile/FRANKENSTEIN hp300


>Description:
If you configure and then unconfigure a ccd, you can get a system panic.
On an hp300 the stack backtrace looks like:

_Debugger( ... )
_panic( ... ) + ...
_trap(8545, 767000) + 1be
_adderr(0,2,1c0f040,2,1c59600,3,1c77380,1c46300) + a6
_ccdioctl(502,80184611,7c2ec8,3,1c46300) + 33a
_spec_ioctl(7c2dfc) + a0
_vn_ioctl(1c8a480,80184511,7c2ec8,1c46300) + e4
_sys_ioctl(1c46300,7c2f88,7c2f80) + 212
_syscall(36) + 10a
_trap0() + e

>How-To-Repeat:
Stripe three equal-sized partitions together, then unconfigure the ccd:
ccdconfig -c ccd0 16 none /dev/sd2a /dev/sd3a /dev/sd4a
ccdconfig -u ccd0
>Fix:
	

The list of ii_index arrays can be less than the number of components in
the ccd.  Don't try to free more arrays than were allocated.

Here's a patch:

*** dev/ORIGccd.c	Fri Nov  3 04:35:46 1995
--- dev/ccd.c	Thu Dec  7 02:12:16 1995
***************
*** 1107,1112 ****
--- 1107,1114 ----
  			(void)vn_close(cs->sc_cinfo[i].ci_vp, FREAD|FWRITE,
  			    p->p_ucred, p);
  			free(cs->sc_cinfo[i].ci_path, M_DEVBUF);
+ 		}
+ 		for (i = 0; cs->sc_itable[i].ii_ndisk; ++i) {
  			free(cs->sc_itable[i].ii_index, M_DEVBUF);
  		}
  		free(cs->sc_cinfo, M_DEVBUF);
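Review bot: the added loop "for (i = 0; cs->sc_itable[i].ii_ndisk; ++i)" has no upper bound and stops only when it reaches an entry whose ii_ndisk is zero, and nothing in the visible lines shows that sc_itable always ends with such an entry or that it is non-NULL when this path runs. Consider also bounding i by the component count used by the preceding loop, or add a comment at the loop naming where the zeroed terminating entry is set up. The hunk also does not show sc_itable itself being released; if that happens just below the displayed context, it is worth confirming it still runs after this loop.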
>Audit-Trail:
>Unformatted:
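
Added example (not part of the original report or the NetBSD source): a simplified user-space C model of the count mismatch described under >Fix. Only ii_ndisk and ii_index come from the report; struct iinfo, build_itable, free_itable and the one-entry-per-distinct-size layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; only ii_ndisk and ii_index are names from the report. */
struct iinfo {
    int  ii_ndisk;  /* components in this entry; 0 marks the end of the table */
    int *ii_index;  /* allocated only for entries with ii_ndisk > 0 */
};

/* Walk to the terminator, as the patched loop does. Returns arrays freed. */
int free_itable(struct iinfo *t)
{
    int i;
    for (i = 0; t[i].ii_ndisk; ++i)
        free(t[i].ii_index);
    free(t);
    return i;
}

/* Assumed layout: one entry per distinct component size plus a zeroed
 * terminator. sizes[] is sorted ascending, ndisks > 0. NULL on failure. */
struct iinfo *build_itable(const long *sizes, int ndisks)
{
    struct iinfo *t = calloc((size_t)ndisks + 1, sizeof(*t));
    int n = 0;
    if (t == NULL)
        return NULL;
    for (int i = 0; i < ndisks; i++) {
        if (i > 0 && sizes[i] == sizes[i - 1])
            continue;                   /* same size: no new entry */
        int *idx = calloc((size_t)(ndisks - i), sizeof(*idx));
        if (idx == NULL) {
            free_itable(t);             /* entry n is still the terminator */
            return NULL;
        }
        t[n].ii_index = idx;
        t[n++].ii_ndisk = ndisks - i;   /* components at least this large */
    }
    return t;
}

int main(void)
{
    long sizes[3] = { 4096, 4096, 4096 };   /* constructed: three equal parts */
    struct iinfo *t = build_itable(sizes, 3);
    if (t == NULL)
        return 1;
    printf("components=3, ii_index arrays freed=%d\n", free_itable(t));
    return 0;
}
```

In this model a loop that ran once per component would visit two entries that never had an ii_index array allocated, while the terminator-driven walk frees exactly what was allocated.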