In camisr() clear CAM_SIM_ON_DONEQ flag after camisr_runqueue() purged SIM

done queue. Clearing it before caused extra SIM queueing in some cases. It was invisible during normal operation, but during USB device unplug and respective SIM destruction it could keep pointer on SIM without having counted reference and as result crash the system by use afer free. Reported by: hselasky MFC after: 1 week
2012-06-21 14:35:46 +00:00 · 2012-06-21 14:35:46 +00:00 · 10284c8b26
commit 10284c8b26
parent db356f0370
1 changed files with 1 additions and 1 deletions
--- a/sys/cam/cam_xpt.c
+++ b/sys/cam/cam_xpt.c
@ -5005,8 +5005,8 @@ camisr(void *dummy)
 		while ((sim = TAILQ_FIRST(&queue)) != NULL) {
 			TAILQ_REMOVE(&queue, sim, links);
 			CAM_SIM_LOCK(sim);
-			sim->flags &= ~CAM_SIM_ON_DONEQ;
 			camisr_runqueue(&sim->sim_doneq);
+			sim->flags &= ~CAM_SIM_ON_DONEQ;
 			CAM_SIM_UNLOCK(sim);
 		}
 		mtx_lock(&cam_simq_lock);