From owner-svn-src-all@FreeBSD.ORG Mon Nov 2 03:28:41 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 19CFA1065670; Mon, 2 Nov 2009 03:28:41 +0000 (UTC) (envelope-from thompsa@FreeBSD.org) Received: from pele.citylink.co.nz (pele.citylink.co.nz [202.8.44.226]) by mx1.freebsd.org (Postfix) with ESMTP id D04138FC12; Mon, 2 Nov 2009 03:28:40 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by pele.citylink.co.nz (Postfix) with ESMTP id AA007FFB6; Mon, 2 Nov 2009 16:13:23 +1300 (NZDT) X-Virus-Scanned: Debian amavisd-new at citylink.co.nz Received: from pele.citylink.co.nz ([127.0.0.1]) by localhost (pele.citylink.co.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2PD+Ozh8Esky; Mon, 2 Nov 2009 16:13:19 +1300 (NZDT) Received: from citylink.fud.org.nz (unknown [202.8.44.45]) by pele.citylink.co.nz (Postfix) with ESMTP; Mon, 2 Nov 2009 16:13:19 +1300 (NZDT) Received: by citylink.fud.org.nz (Postfix, from userid 1001) id 9AA3811475; Mon, 2 Nov 2009 16:13:18 +1300 (NZDT) Date: Mon, 2 Nov 2009 16:13:18 +1300 From: Andrew Thompson To: Alexander Motin Message-ID: <20091102031318.GB49898@citylink.fud.org.nz> References: <200911011131.nA1BV6lO022276@svn.freebsd.org> <1280352d0911011907k34498c71g5b49ffb7220c377b@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1280352d0911011907k34498c71g5b49ffb7220c377b@mail.gmail.com> User-Agent: Mutt/1.5.17 (2007-11-01) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r198748 - in head/sys/cam: . ata scsi X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Nov 2009 03:28:41 -0000 > Author: mav > Date: Sun Nov 1 11:31:06 2009 > New Revision: 198748 > URL: http://svn.freebsd.org/changeset/base/198748 > > Log: > MFp4: > Fix reference counting bug, when device unreferenced before then > invalidated. To do it, do not handle validity flag as another > reference, but explicitly modify reference count each time flag is > modified. There is still one problem with this. In xpt_async() we go through the device list on the target and call the async function followed by xpt_async_bcast(). With the above change its possible for scsi_dev_async() to free the device due to dropping the CAM_DEV_UNCONFIGURED flag, leading to a panic in xpt_async_bcast() on freed memory. This fixes it for me. Index: cam/cam_xpt.c =================================================================== --- cam/cam_xpt.c (revision 198779) +++ cam/cam_xpt.c (working copy) @@ -4023,12 +4023,15 @@ xpt_async(u_int32_t async_code, struct cam_path *p && device->lun_id != CAM_LUN_WILDCARD) continue; + /* The async callback could free the device */ + xpt_acquire_device(device); (*(bus->xport->async))(async_code, bus, target, device, async_arg); xpt_async_bcast(&device->asyncs, async_code, path, async_arg); + xpt_release_device(device); } }