From: Alexander Motin
Date: Sat, 25 Jan 2014 01:58:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r261145 - stable/10/sys/cam

Author: mav
Date: Sat Jan 25 01:58:15 2014
New Revision: 261145
URL: http://svnweb.freebsd.org/changeset/base/261145

Log:
  MFC r260549:
  Move xpt_run_devq() call before request completion callback where it was
  originally.

  I am not sure why exactly I have moved it during one of many refactorings
  during camlock project, but obviously it opens race window that may cause
  use after free panics during SIM (in reported cases umass(4)) detach.

Modified:
  stable/10/sys/cam/cam_xpt.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/cam/cam_xpt.c ============================================================================== --- stable/10/sys/cam/cam_xpt.c Sat Jan 25 01:08:35 2014 (r261144) +++ stable/10/sys/cam/cam_xpt.c Sat Jan 25 01:58:15 2014 (r261145) @@ -5186,8 +5186,7 @@ xpt_done_process(struct ccb_hdr *ccb_h) if ((ccb_h->flags & CAM_DEV_QFRZDIS) && (ccb_h->status & CAM_DEV_QFRZN)) { - xpt_release_devq(ccb_h->path, /*count*/1, - /*run_queue*/FALSE); + xpt_release_devq(ccb_h->path, /*count*/1, /*run_queue*/TRUE); ccb_h->status &= ~CAM_DEV_QFRZN; } @@ -5216,6 +5215,7 @@ xpt_done_process(struct ccb_hdr *ccb_h) if (!device_is_queued(dev)) (void)xpt_schedule_devq(devq, dev); + xpt_run_devq(devq); mtx_unlock(&devq->send_mtx); if ((dev->flags & CAM_DEV_TAG_AFTER_COUNT) != 0) { 
@@ -5245,10 +5245,6 @@ xpt_done_process(struct ccb_hdr *ccb_h) (*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h); if (mtx != NULL) mtx_unlock(mtx); - - mtx_lock(&devq->send_mtx); - xpt_run_devq(devq); - mtx_unlock(&devq->send_mtx); } void
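
Review bot: in the first hunk (@@ -5186,8 +5186,7 @@), the switch of run_queue from FALSE to TRUE in the xpt_release_devq() call is not covered by the log, which only talks about moving xpt_run_devq(). Please state in the log or in a comment why the release now has to run the queue itself, and whether a CCB that takes this CAM_DEV_QFRZDIS/CAM_DEV_QFRZN branch and also reaches the xpt_run_devq(devq) added in the next hunk runs the queue twice in one completion; the context shown does not tell whether both paths are taken for the same CCB.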
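
Review bot: in the second hunk (@@ -5216,6 +5215,7 @@), the added xpt_run_devq(devq) ahead of mtx_unlock(&devq->send_mtx) carries an ordering requirement that nothing in the code states: it has to stay before the (*ccb_h->cbfcnp)() call further down, since the log ties the later placement to use after free panics during SIM detach. The log also says the earlier move happened during refactoring with no recorded reason, so a one-line comment above the call naming that constraint would keep a future refactoring from moving it back.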
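
Review bot: in the third hunk (@@ -5245,10 +5245,6 @@), removing the mtx_lock(&devq->send_mtx) / xpt_run_devq(devq) / mtx_unlock(&devq->send_mtx) block means nothing in xpt_done_process() runs the device queue after (*ccb_h->cbfcnp)() returns. Please confirm that anything a completion callback does that makes further CCBs ready to send runs the queue on its own path, because the removed call was what picked up such work here. It would also help to leave a short comment after the callback saying that devq must not be touched past this point, which is the condition the log describes as the race window.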