From owner-svn-src-all@FreeBSD.ORG  Fri Oct 12 18:21:32 2012
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 233FD2AA;
 Fri, 12 Oct 2012 18:21:32 +0000 (UTC) (envelope-from mav@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
 by mx1.freebsd.org (Postfix) with ESMTP id E6CB48FC16;
 Fri, 12 Oct 2012 18:21:31 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
 by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q9CILVOR053196;
 Fri, 12 Oct 2012 18:21:31 GMT (envelope-from mav@svn.freebsd.org)
Received: (from mav@localhost)
 by svn.freebsd.org (8.14.4/8.14.4/Submit) id q9CILV5T053194;
 Fri, 12 Oct 2012 18:21:31 GMT (envelope-from mav@svn.freebsd.org)
Message-Id: <201210121821.q9CILV5T053194@svn.freebsd.org>
From: Alexander Motin <mav@FreeBSD.org>
Date: Fri, 12 Oct 2012 18:21:31 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r241488 - head/sys/cam/scsi
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2012 18:21:32 -0000

Author: mav
Date: Fri Oct 12 18:21:31 2012
New Revision: 241488
URL: http://svn.freebsd.org/changeset/base/241488

Log:
  Get SIM lock in several places while calling CAM functions.
  This fixes several use-after-free panics on systems with SAS enclosures.
  
  Submitted by:	ken@, mav@

Modified:
  head/sys/cam/scsi/scsi_enc_ses.c

Modified: head/sys/cam/scsi/scsi_enc_ses.c
==============================================================================
--- head/sys/cam/scsi/scsi_enc_ses.c	Fri Oct 12 18:14:54 2012	(r241487)
+++ head/sys/cam/scsi/scsi_enc_ses.c	Fri Oct 12 18:21:31 2012	(r241488)
@@ -886,6 +886,7 @@ ses_path_iter_devid_callback(enc_softc_t
 	struct device_match_result  *device_match;
 	struct device_match_pattern *device_pattern;
 	ses_path_iter_args_t	    *args;
+	struct cam_sim		    *sim;
 
 	args = (ses_path_iter_args_t *)arg;
 	match_pattern.type = DEV_MATCH_DEVICE;
@@ -920,14 +921,18 @@ ses_path_iter_devid_callback(enc_softc_t
 		return;
 
 	device_match = &match_result.result.device_result;
-	if (xpt_create_path(&cdm.ccb_h.path, /*periph*/NULL,
-			    device_match->path_id,
-			    device_match->target_id,
-			    device_match->target_lun) != CAM_REQ_CMP)
+	if (xpt_create_path_unlocked(&cdm.ccb_h.path, /*periph*/NULL,
+				     device_match->path_id,
+				     device_match->target_id,
+				     device_match->target_lun) != CAM_REQ_CMP)
 		return;
 
 	args->callback(enc, elem, cdm.ccb_h.path, args->callback_arg);
+
+	sim = xpt_path_sim(cdm.ccb_h.path);
+	CAM_SIM_LOCK(sim);
 	xpt_free_path(cdm.ccb_h.path);
+	CAM_SIM_UNLOCK(sim);
 }
 
 /**
@@ -999,7 +1004,7 @@ ses_setphyspath_callback(enc_softc_t *en
 
 	args = (ses_setphyspath_callback_args_t *)arg;
 	old_physpath = malloc(MAXPATHLEN, M_SCSIENC, M_WAITOK|M_ZERO);
-
+	cam_periph_lock(enc->periph);
 	xpt_setup_ccb(&cdai.ccb_h, path, CAM_PRIORITY_NORMAL);
 	cdai.ccb_h.func_code = XPT_DEV_ADVINFO;
 	cdai.buftype = CDAI_TYPE_PHYS_PATH;
@@ -1024,6 +1029,7 @@ ses_setphyspath_callback(enc_softc_t *en
 		if (cdai.ccb_h.status == CAM_REQ_CMP)
 			args->num_set++;
 	}
+	cam_periph_unlock(enc->periph);
 	free(old_physpath, M_SCSIENC);
 }
 
@@ -1063,9 +1069,11 @@ ses_set_physpath(enc_softc_t *enc, enc_e
 		ret = ENOMEM;
 		goto out;
 	}
+	cam_periph_lock(enc->periph);
 	xpt_action((union ccb *)&cdai);
 	if ((cdai.ccb_h.status & CAM_DEV_QFRZN) != 0)
 		cam_release_devq(cdai.ccb_h.path, 0, 0, 0, FALSE);
+	cam_periph_unlock(enc->periph);
 	if (cdai.ccb_h.status != CAM_REQ_CMP)
 		goto out;