free_xs must be called at splbio(). This is usually the case since the main
caller is scsi_done which the controller interrupt handlers call.  In the
case of a non-buffer based transaction, the xs structure is freed by the
process that initiated the transfer in scsi_scsi_cmd.  In this case, an
explicit splbio/splx pair around the call to free_xs is required.  Without
the splbio protection, the xs free list could be corrupted, and the type
driver's start routine might run without spl protection.

Submitted by:	Tor Egge <Tor.Egge@idt.ntnu.no>
Obtained from: PR kern/2891
gibbs 1997-03-24 01:46:15 +00:00
parent 1d30a41b6e
commit 9f4b5d5d62

@ -8,7 +8,7 @@
* file.
*
* Written by Julian Elischer (julian@dialix.oz.au)
* $Id: scsi_base.c,v 1.45 1997/02/22 09:44:28 peter Exp $
* $Id: scsi_base.c,v 1.46 1997/03/23 06:33:46 bde Exp $
*/
#include "opt_bounce.h"
@ -616,7 +616,9 @@ scsi_scsi_cmd(sc_link, scsi_cmd, cmdlen, data_addr, datalen,
* check if anyone else needs to be started up.
*/
bad:
s = splbio();
free_xs(xs, sc_link, flags); /* includes the 'start' op */
splx(s);
if (bp && retval) {
bp->b_error = retval;
bp->b_flags |= B_ERROR;
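
Review bot: the requirement that free_xs run at splbio is not recorded anywhere in the code at the `bad:` label; the only comment on the call is `/* includes the 'start' op */`, which does not say why the call is bracketed by `s = splbio();` and `splx(s);`. A short comment here, or at the definition of free_xs, stating that the xs free list and the type driver's start routine need splbio protection would keep a later cleanup from dropping the pair or a new caller from omitting it. Also, the declaration of `s` in scsi_scsi_cmd is not visible in this hunk, so please confirm it already exists in the function and that no path reaches `bad:` while already holding a saved spl level in `s` that still has to be restored.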