From da00bec1e7243a6545b45e42283b8549cf19de1f Mon Sep 17 00:00:00 2001
From: Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
Date: Wed, 6 Apr 2022 12:00:56 +0200
Subject: 14654 blkdev softstate use after free Reviewed by: Andrew Giles
 <agiles@tintri.com> Reviewed by: Guy Morrogh <gmorrogh@tintri.com> Reviewed
 by: Ben Jameson <bjameson@tintri.com> Reviewed by: Gordon Ross
 <Gordon.W.Ross@gmail.com> Reviewed by: Paul Winder <paul@winder.uk.net>
 Reviewed by: Toomas Soome <tsoome@me.com> Approved by: Robert Mustacchi
 <rm+illumos@fingolfin.org>

---
 usr/src/uts/common/io/blkdev/blkdev.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'usr/src/uts/common/io/blkdev/blkdev.c')

diff --git a/usr/src/uts/common/io/blkdev/blkdev.c b/usr/src/uts/common/io/blkdev/blkdev.c
index 847c7c58fc..7e5e5716e2 100644
--- a/usr/src/uts/common/io/blkdev/blkdev.c
+++ b/usr/src/uts/common/io/blkdev/blkdev.c
@@ -22,11 +22,10 @@
  * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2012 Garrett D'Amore <garrett@damore.org>.  All rights reserved.
  * Copyright 2012 Alexey Zaytsev <alexey.zaytsev@gmail.com> All rights reserved.
- * Copyright 2016 Nexenta Systems, Inc.  All rights reserved.
  * Copyright 2017 The MathWorks, Inc.  All rights reserved.
- * Copyright 2019 Western Digital Corporation.
  * Copyright 2020 Joyent, Inc.
  * Copyright 2022 OmniOS Community Edition (OmniOSce) Association.
+ * Copyright 2022 Tintri by DDN, Inc. All rights reserved.
  */
 
 #include <sys/types.h>
@@ -719,7 +718,6 @@ bd_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
 
 	bd->d_dip = dip;
 	bd->d_handle = hdl;
-	hdl->h_bd = bd;
 	ddi_set_driver_private(dip, bd);
 
 	mutex_init(&bd->d_ksmutex, NULL, MUTEX_DRIVER, NULL);
@@ -862,6 +860,7 @@ bd_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
 		    "hotpluggable", NULL, 0);
 	}
 
+	hdl->h_bd = bd;
 	ddi_report_dev(dip);
 
 	return (DDI_SUCCESS);
@@ -893,9 +892,11 @@ fail_drive_info:
 static int
 bd_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
 {
-	bd_t	*bd;
+	bd_handle_t	hdl;
+	bd_t		*bd;
 
 	bd = ddi_get_driver_private(dip);
+	hdl = ddi_get_parent_data(dip);
 
 	switch (cmd) {
 	case DDI_DETACH:
@@ -907,6 +908,8 @@ bd_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
 		return (DDI_FAILURE);
 	}
 
+	hdl->h_bd = NULL;
+
 	if (bd->d_ksp != NULL) {
 		kstat_delete(bd->d_ksp);
 		bd->d_ksp = NULL;
-- 
cgit v1.2.3