Date:      Wed, 23 Oct 2013 12:53:06 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r256960 - head/sys/cam
Message-ID:  <201310231253.r9NCr6sw073685@svn.freebsd.org>

Author: mav
Date: Wed Oct 23 12:53:05 2013
New Revision: 256960
URL: http://svnweb.freebsd.org/changeset/base/256960

Log:
  Move CAM_UNQUEUED_INDEX setting to the last moment and under the periph lock.
  This fixes race condition with cam_periph_ccbwait(), causing use-after-free.

Modified:
  head/sys/cam/cam_xpt.c

Modified: head/sys/cam/cam_xpt.c
==============================================================================
--- head/sys/cam/cam_xpt.c	Wed Oct 23 12:29:39 2013	(r256959)
+++ head/sys/cam/cam_xpt.c	Wed Oct 23 12:53:05 2013	(r256960)
@@ -5239,6 +5239,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
 	}
 
 	/* Call the peripheral driver's callback */
+	ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;
 	(*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h);
 	if (mtx != NULL)
 		mtx_unlock(mtx);
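Review bot: the added `ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;` store in xpt_done_process() sits between the comment "Call the peripheral driver's callback" and the call that comment describes, and nothing at that spot records why the store must happen here. Please move the store above the comment, or give it a comment of its own saying it has to be the last step before the callback and done with the periph lock held, since cam_periph_ccbwait() is racing on this field. Also, the `if (mtx != NULL)` check just below shows this code can run with no mutex held. On that path the store is not under the periph lock, so it would help to state why a waiter cannot observe the index change and free the CCB before the callback runs in that case.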
@@ -5270,7 +5271,6 @@ xpt_done_td(void *arg)
 		THREAD_NO_SLEEPING();
 		while ((ccb_h = STAILQ_FIRST(&doneq)) != NULL) {
 			STAILQ_REMOVE_HEAD(&doneq, sim_links.stqe);
-			ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;
 			xpt_done_process(ccb_h);
 		}
 		THREAD_SLEEPING_OK();
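Review bot: with the store removed from the xpt_done_td() loop, a CCB is now off `doneq` after `STAILQ_REMOVE_HEAD()` but still carries its previous `pinfo.index` for the whole first part of xpt_done_process(). Please confirm that nothing in xpt_done_process() ahead of the callback reads `pinfo.index` and expects CAM_UNQUEUED_INDEX, and that any other caller of xpt_done_process() did not depend on setting the index itself before the call. A short note in the commit log or a comment at the top of xpt_done_process() stating that the function now owns this store would make the contract clear to future callers.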


