[src/trunk]: src/sys/kern autoconf(9): Sprinkle KASSERT(dev->dv_pending == 0)...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/kern autoconf(9): Sprinkle KASSERT(dev->dv_pending == 0)...
From: riastradh <riastradh%NetBSD.org@localhost>
Date: Sun, 13 Jun 2021 02:23:21 +0000

details:   https://anonhg.NetBSD.org/src/rev/a83065c33112
branches:  trunk
changeset: 983874:a83065c33112
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun Jun 13 00:11:46 2021 +0000

description:
autoconf(9): Sprinkle KASSERT(dev->dv_pending == 0) in dealloc paths.

This would have made uhub's config_pending_incr leak more obvious by
crashing in KASSERT(dev->dv_pending == 0) early on, rather than
crashing in a tailq panic later on when the config_pending list gets
corrupted with use-after-free because nothing took the device off
dv_pending_list when attached.

(This is slightly academic now because config_detach blocks until
dev->dv_pending == 0, but it doesn't hurt and makes the intent
clearer.)

diffstat:

 sys/kern/subr_autoconf.c |  9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diffs (45 lines):

diff -r 70a298469635 -r a83065c33112 sys/kern/subr_autoconf.c
--- a/sys/kern/subr_autoconf.c  Sun Jun 13 00:11:17 2021 +0000
+++ b/sys/kern/subr_autoconf.c  Sun Jun 13 00:11:46 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_autoconf.c,v 1.285 2021/06/13 00:11:17 riastradh Exp $ */
+/* $NetBSD: subr_autoconf.c,v 1.286 2021/06/13 00:11:46 riastradh Exp $ */
 
 /*
  * Copyright (c) 1996, 2000 Christopher G. Demetriou
@@ -79,7 +79,7 @@
 #define        __SUBR_AUTOCONF_PRIVATE /* see <sys/device.h> */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_autoconf.c,v 1.285 2021/06/13 00:11:17 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_autoconf.c,v 1.286 2021/06/13 00:11:46 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -1421,7 +1421,9 @@
 static void
 config_devfree(device_t dev)
 {
+
        KASSERT(dev->dv_flags & DVF_PRIV_ALLOC);
+       KASSERTMSG(dev->dv_pending == 0, "%d", dev->dv_pending);
 
        if (dev->dv_cfattach->ca_devsize > 0)
                kmem_free(dev->dv_private, dev->dv_cfattach->ca_devsize);
@@ -1439,6 +1441,7 @@
        int i;
 
        KASSERT(mutex_owned(&alldevs_lock));
+       KASSERTMSG(dev->dv_pending == 0, "%d", dev->dv_pending);
 
        /* Unlink from device list.  Link to garbage list. */
        TAILQ_REMOVE(&alldevs, dev, dv_list);
@@ -1469,6 +1472,8 @@
        struct device_garbage *dg = &dev->dv_garbage;
        device_lock_t dvl = device_getlock(dev);
 
+       KASSERTMSG(dev->dv_pending == 0, "%d", dev->dv_pending);
+
        if (dg->dg_devs != NULL)
                kmem_free(dg->dg_devs, sizeof(device_t) * dg->dg_ndevs);

Prev by Date: [src/trunk]: src/sys/kern autoconf(9): Take kernel lock in a few entry points.
Next by Date: [src/trunk]: src/sys/dev/usb uhub(4): Trigger bus exploration after rescannin...
Previous by Thread: [src/trunk]: src/sys/kern autoconf(9): Take kernel lock in a few entry points.
Next by Thread: [src/trunk]: src/sys/dev/usb uhub(4): Trigger bus exploration after rescannin...
Indexes:

Home | Main Index | Thread Index | Old Index