d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Move xpt_run_devq() call before request completion callback where it was

Browse Source 
originally.

I am not sure why exactly have I moved it during one of many refactorings
during camlock project, but obviously it opens race window that may cause
use after free panics during SIM (in reported cases umass(4)) detach.

MFC after:	2 weeks
This commit is contained in:
mav 2014-01-11 16:52:09 +00:00
parent 9f930faa0d
commit 7aa4414d31
1 changed files with 2 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sys/cam/cam_xpt.c
View File

@ -5188,8 +5188,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
if ((ccb_h->flags & CAM_DEV_QFRZDIS)
&& (ccb_h->status & CAM_DEV_QFRZN)) {
xpt_release_devq(ccb_h->path, /*count*/1,
/*run_queue*/FALSE);
xpt_release_devq(ccb_h->path, /*count*/1, /*run_queue*/TRUE);
ccb_h->status &= ~CAM_DEV_QFRZN;
}
@ -5218,6 +5217,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
if (!device_is_queued(dev))
(void)xpt_schedule_devq(devq, dev);
xpt_run_devq(devq);
mtx_unlock(&devq->send_mtx);
if ((dev->flags & CAM_DEV_TAG_AFTER_COUNT) != 0) {
@ -5247,10 +5247,6 @@ xpt_done_process(struct ccb_hdr *ccb_h)
(*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h);
if (mtx != NULL)
mtx_unlock(mtx);
mtx_lock(&devq->send_mtx);
xpt_run_devq(devq);
mtx_unlock(&devq->send_mtx);
}
void