svn commit: r198748 - in head/sys/cam: . ata scsi
Andrew Thompson
thompsa at FreeBSD.org
Mon Nov 2 03:28:41 UTC 2009
> Author: mav
> Date: Sun Nov 1 11:31:06 2009
> New Revision: 198748
> URL: http://svn.freebsd.org/changeset/base/198748
>
> Log:
> MFp4:
> Fix reference counting bug, when device unreferenced before then
> invalidated. To do it, do not handle validity flag as another
> reference, but explicitly modify reference count each time flag is
> modified.
There is still one problem with this. In xpt_async() we go through the
device list on the target and call the async function followed by
xpt_async_bcast(). With the above change its possible for
scsi_dev_async() to free the device due to dropping the
CAM_DEV_UNCONFIGURED flag, leading to a panic in xpt_async_bcast() on
freed memory.
This fixes it for me.
Index: cam/cam_xpt.c
===================================================================
--- cam/cam_xpt.c (revision 198779)
+++ cam/cam_xpt.c (working copy)
@@ -4023,12 +4023,15 @@ xpt_async(u_int32_t async_code, struct cam_path *p
&& device->lun_id != CAM_LUN_WILDCARD)
continue;
+ /* The async callback could free the device */
+ xpt_acquire_device(device);
(*(bus->xport->async))(async_code, bus,
target, device,
async_arg);
xpt_async_bcast(&device->asyncs, async_code,
path, async_arg);
+ xpt_release_device(device);
}
}
More information about the svn-src-head
mailing list