svn commit: r256960 - head/sys/cam
Alexander Motin
mav at FreeBSD.org
Wed Oct 23 12:53:06 UTC 2013
Author: mav
Date: Wed Oct 23 12:53:05 2013
New Revision: 256960
URL: http://svnweb.freebsd.org/changeset/base/256960
Log:
Move CAM_UNQUEUED_INDEX setting to the last moment and under the periph lock.
This fixes race condition with cam_periph_ccbwait(), causing use-after-free.
Modified:
head/sys/cam/cam_xpt.c
Modified: head/sys/cam/cam_xpt.c
==============================================================================
--- head/sys/cam/cam_xpt.c Wed Oct 23 12:29:39 2013 (r256959)
+++ head/sys/cam/cam_xpt.c Wed Oct 23 12:53:05 2013 (r256960)
@@ -5239,6 +5239,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
}
/* Call the peripheral driver's callback */
+ ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;
(*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h);
if (mtx != NULL)
mtx_unlock(mtx);
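Review bot: The new store in xpt_done_process() is only under the periph lock when mtx is non-NULL, since the unlock right after the callback is guarded by "if (mtx != NULL)". Please confirm that the mtx == NULL path cannot race with cam_periph_ccbwait() in the same way, or note in the code why it is safe. The assignment also now sits between the "Call the peripheral driver's callback" comment and the call itself. A short comment of its own, saying the index must be cleared last and under the lock because cam_periph_ccbwait() keys off it, would keep a later cleanup from moving it back.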
@@ -5270,7 +5271,6 @@ xpt_done_td(void *arg)
THREAD_NO_SLEEPING();
while ((ccb_h = STAILQ_FIRST(&doneq)) != NULL) {
STAILQ_REMOVE_HEAD(&doneq, sim_links.stqe);
- ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;
xpt_done_process(ccb_h);
}
THREAD_SLEEPING_OK();
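Review bot: In the xpt_done_td() loop there is now a window after STAILQ_REMOVE_HEAD() in which the CCB is off doneq but pinfo.index still holds its old value until xpt_done_process() reaches the callback. Please check that nothing reads pinfo.index during that window and expects it to match queue membership. Since the store now lives in xpt_done_process(), it is also worth checking that any other caller of that function does not still set CAM_UNQUEUED_INDEX itself before calling in, which would reintroduce the early store this commit removes here.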