Date: Fri, 12 Oct 2012 18:21:31 +0000 (UTC) From: Alexander Motin <mav@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r241488 - head/sys/cam/scsi Message-ID: <201210121821.q9CILV5T053194@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mav Date: Fri Oct 12 18:21:31 2012 New Revision: 241488 URL: http://svn.freebsd.org/changeset/base/241488 Log: Get SIM lock in several places while calling CAM functions. This fixes several use-after-free panics on systems with SAS enclosures. Submitted by: ken@, mav@ Modified: head/sys/cam/scsi/scsi_enc_ses.c Modified: head/sys/cam/scsi/scsi_enc_ses.c ============================================================================== --- head/sys/cam/scsi/scsi_enc_ses.c Fri Oct 12 18:14:54 2012 (r241487) +++ head/sys/cam/scsi/scsi_enc_ses.c Fri Oct 12 18:21:31 2012 (r241488) @@ -886,6 +886,7 @@ ses_path_iter_devid_callback(enc_softc_t struct device_match_result *device_match; struct device_match_pattern *device_pattern; ses_path_iter_args_t *args; + struct cam_sim *sim; args = (ses_path_iter_args_t *)arg; match_pattern.type = DEV_MATCH_DEVICE; @@ -920,14 +921,18 @@ ses_path_iter_devid_callback(enc_softc_t return; device_match = &match_result.result.device_result; - if (xpt_create_path(&cdm.ccb_h.path, /*periph*/NULL, - device_match->path_id, - device_match->target_id, - device_match->target_lun) != CAM_REQ_CMP) + if (xpt_create_path_unlocked(&cdm.ccb_h.path, /*periph*/NULL, + device_match->path_id, + device_match->target_id, + device_match->target_lun) != CAM_REQ_CMP) return; args->callback(enc, elem, cdm.ccb_h.path, args->callback_arg); + + sim = xpt_path_sim(cdm.ccb_h.path); + CAM_SIM_LOCK(sim); xpt_free_path(cdm.ccb_h.path); + CAM_SIM_UNLOCK(sim); } /** @@ -999,7 +1004,7 @@ ses_setphyspath_callback(enc_softc_t *en args = (ses_setphyspath_callback_args_t *)arg; old_physpath = malloc(MAXPATHLEN, M_SCSIENC, M_WAITOK|M_ZERO); - + cam_periph_lock(enc->periph); xpt_setup_ccb(&cdai.ccb_h, path, CAM_PRIORITY_NORMAL); cdai.ccb_h.func_code = XPT_DEV_ADVINFO; cdai.buftype = CDAI_TYPE_PHYS_PATH; @@ -1024,6 +1029,7 @@ ses_setphyspath_callback(enc_softc_t *en if (cdai.ccb_h.status == CAM_REQ_CMP) args->num_set++; } + cam_periph_unlock(enc->periph); free(old_physpath, M_SCSIENC); } @@ -1063,9 +1069,11 @@ ses_set_physpath(enc_softc_t *enc, enc_e ret = ENOMEM; goto out; } + cam_periph_lock(enc->periph); xpt_action((union ccb *)&cdai); if ((cdai.ccb_h.status & CAM_DEV_QFRZN) != 0) cam_release_devq(cdai.ccb_h.path, 0, 0, 0, FALSE); + cam_periph_unlock(enc->periph); if (cdai.ccb_h.status != CAM_REQ_CMP) goto out;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201210121821.q9CILV5T053194>