From owner-svn-src-all@freebsd.org  Wed Oct  5 17:18:25 2016
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A96B0AF6A41;
 Wed,  5 Oct 2016 17:18:25 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 68CF8946;
 Wed,  5 Oct 2016 17:18:25 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u95HIOSg020687;
 Wed, 5 Oct 2016 17:18:24 GMT (envelope-from markj@FreeBSD.org)
Received: (from markj@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u95HIOdk020685;
 Wed, 5 Oct 2016 17:18:24 GMT (envelope-from markj@FreeBSD.org)
Message-Id: <201610051718.u95HIOdk020685@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: markj set sender to
 markj@FreeBSD.org using -f
From: Mark Johnston <markj@FreeBSD.org>
Date: Wed, 5 Oct 2016 17:18:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r306710 - head/sys/cam
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2016 17:18:25 -0000

Author: markj
Date: Wed Oct  5 17:18:24 2016
New Revision: 306710
URL: https://svnweb.freebsd.org/changeset/base/306710

Log:
  CAM ccbq sanity: checks on insert and remove
  
  KASSERT in cam_ccbq_insert_ccb that only XPT_FC_QUEUED ops are queued,
  and XPT_FC_USER_CCB ops are not. Otherwise cam_ccbq_ccb_done may be
  skipped.
  
  Bounds check the index used for camq_remove in order to panic instead
  of scribble on removal of an out-of-bounds index (e.g. consider the
  effect of camq_remove of CAM_UNQUEUED_INDEX).
  
  KASSERT in cam_ccbq_remove_ccb that the ccb removed by index was the
  one sought.
  
  Submitted by:	Ryan Libby <rlibby@gmail.com>
  Reviewed by:	imp, mav
  MFC after:	2 weeks
  Sponsored by:	Dell EMC Isilon
  Differential Revision:	https://reviews.freebsd.org/D8151

Modified:
  head/sys/cam/cam_queue.c
  head/sys/cam/cam_queue.h

Modified: head/sys/cam/cam_queue.c
==============================================================================
--- head/sys/cam/cam_queue.c	Wed Oct  5 17:04:58 2016	(r306709)
+++ head/sys/cam/cam_queue.c	Wed Oct  5 17:18:24 2016	(r306710)
@@ -176,8 +176,11 @@ camq_remove(struct camq *queue, int inde
 {
 	cam_pinfo *removed_entry;
 
-	if (index == 0 || index > queue->entries)
-		return (NULL);
+	if (index <= 0 || index > queue->entries)
+		panic("%s: Attempt to remove out-of-bounds index %d "
+		    "from queue %p of size %d", __func__, index, queue,
+		    queue->entries);
+
 	removed_entry = queue->queue_array[index];
 	if (queue->entries != index) {
 		queue->queue_array[index] = queue->queue_array[queue->entries];

Modified: head/sys/cam/cam_queue.h
==============================================================================
--- head/sys/cam/cam_queue.h	Wed Oct  5 17:04:58 2016	(r306709)
+++ head/sys/cam/cam_queue.h	Wed Oct  5 17:18:24 2016	(r306710)
@@ -197,6 +197,11 @@ cam_ccbq_insert_ccb(struct cam_ccbq *ccb
 	struct ccb_hdr *old_ccb;
 	struct camq *queue = &ccbq->queue;
 
+	KASSERT((new_ccb->ccb_h.func_code & XPT_FC_QUEUED) != 0 &&
+	    (new_ccb->ccb_h.func_code & XPT_FC_USER_CCB) == 0,
+	    ("%s: Cannot queue ccb %p func_code %#x", __func__, new_ccb,
+	     new_ccb->ccb_h.func_code));
+
 	/*
 	 * If queue is already full, try to resize.
 	 * If resize fail, push CCB with lowest priority out to the TAILQ.
@@ -218,6 +223,7 @@ cam_ccbq_remove_ccb(struct cam_ccbq *ccb
 {
 	struct ccb_hdr *cccb, *bccb;
 	struct camq *queue = &ccbq->queue;
+	cam_pinfo *removed_entry __unused;
 
 	/* If the CCB is on the TAILQ, remove it from there. */
 	if (ccb->ccb_h.pinfo.index == CAM_EXTRAQ_INDEX) {
@@ -228,7 +234,10 @@ cam_ccbq_remove_ccb(struct cam_ccbq *ccb
 		return;
 	}
 
-	camq_remove(queue, ccb->ccb_h.pinfo.index);
+	removed_entry = camq_remove(queue, ccb->ccb_h.pinfo.index);
+	KASSERT(removed_entry == &ccb->ccb_h.pinfo,
+	    ("%s: Removed wrong entry from queue (%p != %p)", __func__,
+	     removed_entry, &ccb->ccb_h.pinfo));
 
 	/*
 	 * If there are some CCBs on TAILQ, find the best one and move it