From 03caca368a2ada8460adecbff0b2d76823373c74 Mon Sep 17 00:00:00 2001 From: "Kenneth D. Merry" Date: Thu, 16 Jul 2020 20:43:28 +0000 Subject: [PATCH] Hold the mutex when releasing a callout. In xpt_release_device(), callout_stop() was being called without holding the mutex (send_mtx) that is used to protect the callout. So, move the mtx_unlock() call so that it is protected. MFC after: 1 week Sponsored by: Spectra Logic --- sys/cam/cam_xpt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/cam/cam_xpt.c b/sys/cam/cam_xpt.c index e8fec4a325f4..9f53761c50cc 100644 --- a/sys/cam/cam_xpt.c +++ b/sys/cam/cam_xpt.c @@ -4959,16 +4959,18 @@ xpt_release_device(struct cam_ed *device) devq = bus->sim->devq; mtx_lock(&devq->send_mtx); cam_devq_resize(devq, devq->send_queue.array_size - 1); - mtx_unlock(&devq->send_mtx); KASSERT(SLIST_EMPTY(&device->periphs), ("destroying device, but periphs list is not empty")); KASSERT(device->devq_entry.index == CAM_UNQUEUED_INDEX, ("destroying device while still queued for ccbs")); + /* The send_mtx must be held when accessing the callout */ if ((device->flags & CAM_DEV_REL_TIMEOUT_PENDING) != 0) callout_stop(&device->callout); + mtx_unlock(&devq->send_mtx); + xpt_release_target(device->target); cam_ccbq_fini(&device->ccbq);