Move CAM_UNQUEUED_INDEX setting to the last moment and under the periph lock.

This fixes race condition with cam_periph_ccbwait(), causing use-after-free.
2013-10-23 12:53:05 +00:00 · 2013-10-23 12:53:05 +00:00 · f1486b5163
commit f1486b5163
parent be9ddf4313
1 changed files with 1 additions and 1 deletions
--- a/sys/cam/cam_xpt.c
+++ b/sys/cam/cam_xpt.c
@ -5239,6 +5239,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
 	}

 	/* Call the peripheral driver's callback */
+	ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;
 	(*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h);
 	if (mtx != NULL)
 		mtx_unlock(mtx);
@ -5270,7 +5271,6 @@ xpt_done_td(void *arg)
 		THREAD_NO_SLEEPING();
 		while ((ccb_h = STAILQ_FIRST(&doneq)) != NULL) {
 			STAILQ_REMOVE_HEAD(&doneq, sim_links.stqe);
-			ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;
 			xpt_done_process(ccb_h);
 		}
 		THREAD_SLEEPING_OK();