From: Alexander Motin Date: Sat, 11 Jan 2014 16:52:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r260549 - head/sys/cam X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Jan 2014 16:52:10 -0000 Author: mav Date: Sat Jan 11 16:52:09 2014 New Revision: 260549 URL: http://svnweb.freebsd.org/changeset/base/260549 Log: Move xpt_run_devq() call before request completion callback where it was originally. I am not sure why exactly have I moved it during one of many refactorings during camlock project, but obviously it opens race window that may cause use after free panics during SIM (in reported cases umass(4)) detach. MFC after: 2 weeks Modified: head/sys/cam/cam_xpt.c Modified: head/sys/cam/cam_xpt.c ============================================================================== --- head/sys/cam/cam_xpt.c Sat Jan 11 16:50:41 2014 (r260548) +++ head/sys/cam/cam_xpt.c Sat Jan 11 16:52:09 2014 (r260549) @@ -5188,8 +5188,7 @@ xpt_done_process(struct ccb_hdr *ccb_h) if ((ccb_h->flags & CAM_DEV_QFRZDIS) && (ccb_h->status & CAM_DEV_QFRZN)) { - xpt_release_devq(ccb_h->path, /*count*/1, - /*run_queue*/FALSE); + xpt_release_devq(ccb_h->path, /*count*/1, /*run_queue*/TRUE); ccb_h->status &= ~CAM_DEV_QFRZN; } @@ -5218,6 +5217,7 @@ xpt_done_process(struct ccb_hdr *ccb_h) if (!device_is_queued(dev)) (void)xpt_schedule_devq(devq, dev); + xpt_run_devq(devq); mtx_unlock(&devq->send_mtx); if ((dev->flags & CAM_DEV_TAG_AFTER_COUNT) != 0) { 
@@ -5247,10 +5247,6 @@ xpt_done_process(struct ccb_hdr *ccb_h) (*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h); if (mtx != NULL) mtx_unlock(mtx); - - mtx_lock(&devq->send_mtx); - xpt_run_devq(devq); - mtx_unlock(&devq->send_mtx); } void
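Review bot: In the first hunk (@@ -5188,8 +5188,7 @@), the switch of xpt_release_devq() from /*run_queue*/FALSE to /*run_queue*/TRUE is not covered by the log message, which only describes moving the xpt_run_devq() call. Please say in the log or in a comment above the call why the release now has to run the queue itself. Presumably it is because the run that used to follow the callback is removed, but the visible lines do not show whether the new xpt_run_devq(devq) in the second hunk is reached on this path. If it is, the queue is run twice for one completion and FALSE could stay.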
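Review bot: In the third hunk (@@ -5247,10 +5247,6 @@), nothing at the (*ccb_h->cbfcnp)(...) call site records the ordering rule that this change restores, so a later refactoring could reintroduce the same race. The removed mtx_lock(&devq->send_mtx) / xpt_run_devq(devq) block was the code that touched devq after the completion callback, which the log identifies as the window for use after free during SIM detach. A short comment just before the callback, stating that devq must not be dereferenced once the callback has run and that xpt_run_devq() therefore has to stay ahead of it, would make the constraint visible to the next person editing xpt_done_process().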