The branch main has been updated by imp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=3b3591d3e1ac6423570201da0b23ab3d087816a9
commit 3b3591d3e1ac6423570201da0b23ab3d087816a9
Author: Warner Losh <i...@freebsd.org>
AuthorDate: 2025-07-07 20:05:02 +0000
Commit: Warner Losh <i...@freebsd.org>
CommitDate: 2025-07-07 23:17:00 +0000
cam: In scsi_scan_bus, fix an error case
If we can't allocate the new path when loopoing over the target range,
then we have to free the scan_info->cpi CCB, not the work_ccb. This was
accidentally correct for the first iteration (because work_ccb ==
scan_info->cpi), but incorrect after that since we'll be freeing the CCB
for XPT_SCAN_LUN for the prior LUN we kicked off. Reorder the free so we
free it before we free scan_info so the pointer is still valid.
I do not have a test case for this since it requires that we fail in the
second or later iteration of the loop due to low memory, and only
fuzzing would catch that.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D51169
---
sys/cam/scsi/scsi_xpt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/cam/scsi/scsi_xpt.c b/sys/cam/scsi/scsi_xpt.c
index 175716ca6a67..2506a9fba799 100644
--- a/sys/cam/scsi/scsi_xpt.c
+++ b/sys/cam/scsi/scsi_xpt.c
@@ -2034,9 +2034,9 @@ scsi_scan_bus(struct cam_periph *periph, union ccb
*request_ccb)
printf(
"scsi_scan_bus: xpt_create_path failed with status %#x, bus
scan halted\n",
status);
+ xpt_free_ccb((union ccb *)scan_info->cpi);
free(scan_info, M_CAMXPT);
request_ccb->ccb_h.status = status;
- xpt_free_ccb(work_ccb);
xpt_done(request_ccb);
break;
}
