I noticed the following code path in /sys/dev/softraid.c:
int
sr_scsi_cmd(struct scsi_xfer *xs)
{
	...
	sd = sc->sc_dis[link->scsibus];
	if (sd == NULL) {
		s = splhigh();
		sd = sc->sc_attach_dis;
		splx(s);
		DNPRINTF(SR_D_CMD, "%s: sr_scsi_cmd: attaching %p\n",
		    DEVNAME(sc), sd);
		if (sd == NULL) {
			wu = NULL;
			printf("%s: sr_scsi_cmd NULL discipline\n",
			    DEVNAME(sc));
			goto stuffup;
	...
stuffup:
	if (sd->sd_scsi_sense.error_code) {
If I'm not mistaken, this leads to dereferencing sd as a NULL pointer.
I'm not sure whether this causes an actual real-world problem or where to put
a guard to avoid this.
Regards,
Remco
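A userland model of the guarded error path, added here as an illustration; it is not part of Remco's report or of the softraid code. The structures, the sd_cmd callback, the return codes and the case_* scenarios are constructed stand-ins, and the only behavioural change from the quoted excerpt is the NULL test at the stuffup label.

```c
#include <stddef.h>
/* Constructed stand-ins for the kernel structures (not the real softraid
 * definitions): only the fields this example touches. */
struct sr_discipline {
	struct { int error_code; } sd_scsi_sense;
	int (*sd_cmd)(struct sr_discipline *);	/* 0 on success, else failure */
};
struct sr_softc {
	struct sr_discipline *sc_dis[2];	/* disciplines indexed by scsibus */
	struct sr_discipline *sc_attach_dis;	/* discipline still attaching */
};
enum { SR_OK = 0, SR_NO_DISCIPLINE, SR_SENSE_ERROR, SR_CMD_ERROR };
/* Hypothetical guarded version of the reported path. The only behavioural
 * change is at the stuffup label: sd is tested before sd->sd_scsi_sense is
 * read, so the "NULL discipline" branch no longer dereferences NULL. */
int
sr_scsi_cmd_guarded(struct sr_softc *sc, int scsibus)
{
	struct sr_discipline *sd;
	sd = sc->sc_dis[scsibus];
	if (sd == NULL) {
		/* splhigh()/splx() around this read are omitted in userland. */
		sd = sc->sc_attach_dis;
		if (sd == NULL)		/* the kernel logs "NULL discipline" here */
			goto stuffup;
	}
	if (sd->sd_cmd(sd) != 0)	/* constructed stand-in for the dispatch */
		goto stuffup;
	return SR_OK;

stuffup:
	if (sd == NULL)			/* the guard the report asks for */
		return SR_NO_DISCIPLINE;
	if (sd->sd_scsi_sense.error_code)
		return SR_SENSE_ERROR;
	return SR_CMD_ERROR;
}
/* Constructed scenarios so the function can be exercised stand-alone. */
static int cmd_fail(struct sr_discipline *d) { (void)d; return 1; }
int case_no_discipline(void) {		/* no discipline on bus 1 or attaching */
	struct sr_softc sc = { { NULL, NULL }, NULL };
	return sr_scsi_cmd_guarded(&sc, 1);
}
int case_attaching_with_sense(void) {	/* bus 0 empty, falls back to attach */
	struct sr_discipline att = { { 0x70 }, cmd_fail };
	struct sr_softc sc = { { NULL, NULL }, &att };
	return sr_scsi_cmd_guarded(&sc, 0);
}
```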