Date: Sat, 11 Jan 2014 16:52:09 +0000 (UTC) From: Alexander Motin <mav@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r260549 - head/sys/cam Message-ID: <201401111652.s0BGq9QE049849@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mav Date: Sat Jan 11 16:52:09 2014 New Revision: 260549 URL: http://svnweb.freebsd.org/changeset/base/260549 Log: Move xpt_run_devq() call before request completion callback where it was originally. I am not sure why exactly have I moved it during one of many refactorings during camlock project, but obviously it opens race window that may cause use after free panics during SIM (in reported cases umass(4)) detach. MFC after: 2 weeks Modified: head/sys/cam/cam_xpt.c Modified: head/sys/cam/cam_xpt.c ============================================================================== --- head/sys/cam/cam_xpt.c Sat Jan 11 16:50:41 2014 (r260548) +++ head/sys/cam/cam_xpt.c Sat Jan 11 16:52:09 2014 (r260549) @@ -5188,8 +5188,7 @@ xpt_done_process(struct ccb_hdr *ccb_h) if ((ccb_h->flags & CAM_DEV_QFRZDIS) && (ccb_h->status & CAM_DEV_QFRZN)) { - xpt_release_devq(ccb_h->path, /*count*/1, - /*run_queue*/FALSE); + xpt_release_devq(ccb_h->path, /*count*/1, /*run_queue*/TRUE); ccb_h->status &= ~CAM_DEV_QFRZN; } @@ -5218,6 +5217,7 @@ xpt_done_process(struct ccb_hdr *ccb_h) if (!device_is_queued(dev)) (void)xpt_schedule_devq(devq, dev); + xpt_run_devq(devq); mtx_unlock(&devq->send_mtx); if ((dev->flags & CAM_DEV_TAG_AFTER_COUNT) != 0) { @@ -5247,10 +5247,6 @@ xpt_done_process(struct ccb_hdr *ccb_h) (*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h); if (mtx != NULL) mtx_unlock(mtx); - - mtx_lock(&devq->send_mtx); - xpt_run_devq(devq); - mtx_unlock(&devq->send_mtx); } void
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201401111652.s0BGq9QE049849>