Date: Sun, 21 Dec 2014 16:43:57 +0000 (UTC) From: Steven Hartland <smh@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r276020 - stable/10/sys/dev/ahci Message-ID: <201412211643.sBLGhv2k024171@svn.freebsd.org>
Author: smh Date: Sun Dec 21 16:43:56 2014 New Revision: 276020 URL: https://svnweb.freebsd.org/changeset/base/276020 Log: MFC r272223: Prevent possible use after free in ahci direct mode Sponsored by: Multiplay Modified: stable/10/sys/dev/ahci/ahci.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/dev/ahci/ahci.c ==============================================================================
--- stable/10/sys/dev/ahci/ahci.c Sun Dec 21 16:38:29 2014 (r276019)
+++ stable/10/sys/dev/ahci/ahci.c Sun Dec 21 16:43:56 2014 (r276020)
@@ -1580,6 +1580,7 @@ ahci_ch_intr_direct(void *arg)
 struct ahci_channel *ch = device_get_softc(dev);
 struct ccb_hdr *ccb_h;
 uint32_t istatus;
+ STAILQ_HEAD(, ccb_hdr) tmp_doneq = STAILQ_HEAD_INITIALIZER(tmp_doneq);
 /* Read interrupt statuses. */
 istatus = ATA_INL(ch->r_mem, AHCI_P_IS);
@@ -1590,9 +1591,14 @@ ahci_ch_intr_direct(void *arg)
 ch->batch = 1;
 ahci_ch_intr_main(ch, istatus);
 ch->batch = 0;
+ /*
+ * Prevent the possibility of issues caused by processing the queue
+ * while unlocked below by moving the contents to a local queue.
+ */
+ STAILQ_CONCAT(&tmp_doneq, &ch->doneq);
 mtx_unlock(&ch->mtx);
- while ((ccb_h = STAILQ_FIRST(&ch->doneq)) != NULL) {
- STAILQ_REMOVE_HEAD(&ch->doneq, sim_links.stqe);
+ while ((ccb_h = STAILQ_FIRST(&tmp_doneq)) != NULL) {
+ STAILQ_REMOVE_HEAD(&tmp_doneq, sim_links.stqe);
 xpt_done_direct((union ccb *)ccb_h);
 }
 }
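Review bot: The comment added in the second hunk says only "issues", so it does not record the locking rule the fix depends on: `ch->doneq` may be read or modified only with `ch->mtx` held, and the loop that runs after `mtx_unlock(&ch->mtx)` must not go back to it. I would word it as `/* ch->doneq is protected by ch->mtx: splice it onto a local list here so the completions below run unlocked without touching the channel queue. */`. The log calls this a use after free, presumably because the old loop kept walking the shared queue while other contexts could change it; that cause is inferred, not shown in the hunk. The start of ahci_ch_intr_direct() and any other code that drains `ch->doneq` are outside the hunk, so whether they follow the same rule cannot be checked from here.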