svn commit: r276020 - stable/10/sys/dev/ahci
Steven Hartland
smh at FreeBSD.org
Sun Dec 21 16:43:57 UTC 2014
Author: smh
Date: Sun Dec 21 16:43:56 2014
New Revision: 276020
URL: https://svnweb.freebsd.org/changeset/base/276020
Log:
MFC r272223:
Prevent possible use after free in ahci direct mode
Sponsored by: Multiplay
Modified:
stable/10/sys/dev/ahci/ahci.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/dev/ahci/ahci.c
==============================================================================
--- stable/10/sys/dev/ahci/ahci.c Sun Dec 21 16:38:29 2014 (r276019)
+++ stable/10/sys/dev/ahci/ahci.c Sun Dec 21 16:43:56 2014 (r276020)
@@ -1580,6 +1580,7 @@ ahci_ch_intr_direct(void *arg)
struct ahci_channel *ch = device_get_softc(dev);
struct ccb_hdr *ccb_h;
uint32_t istatus;
+ STAILQ_HEAD(, ccb_hdr) tmp_doneq = STAILQ_HEAD_INITIALIZER(tmp_doneq);
/* Read interrupt statuses. */
istatus = ATA_INL(ch->r_mem, AHCI_P_IS);
@@ -1590,9 +1591,14 @@ ahci_ch_intr_direct(void *arg)
ch->batch = 1;
ahci_ch_intr_main(ch, istatus);
ch->batch = 0;
+ /*
+ * Prevent the possibility of issues caused by processing the queue
+ * while unlocked below by moving the contents to a local queue.
+ */
+ STAILQ_CONCAT(&tmp_doneq, &ch->doneq);
mtx_unlock(&ch->mtx);
- while ((ccb_h = STAILQ_FIRST(&ch->doneq)) != NULL) {
- STAILQ_REMOVE_HEAD(&ch->doneq, sim_links.stqe);
+ while ((ccb_h = STAILQ_FIRST(&tmp_doneq)) != NULL) {
+ STAILQ_REMOVE_HEAD(&tmp_doneq, sim_links.stqe);
xpt_done_direct((union ccb *)ccb_h);
}
}
More information about the svn-src-stable-10
mailing list