mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-25 11:37:56 +00:00
Code Issues Releases Activity

Move xpt_run_devq() call before request completion callback where it was

Browse Source 
originally.

I am not sure why exactly have I moved it during one of many refactorings
during camlock project, but obviously it opens race window that may cause
use after free panics during SIM (in reported cases umass(4)) detach.

MFC after:	2 weeks
This commit is contained in:
Alexander Motin 2014-01-11 16:52:09 +00:00
parent ac5863eed8
commit d718926b6d
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=260549
1 changed files with 2 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sys/cam/cam_xpt.c
View File

@ -5188,8 +5188,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
if ((ccb_h->flags & CAM_DEV_QFRZDIS)
&& (ccb_h->status & CAM_DEV_QFRZN)) {
xpt_release_devq(ccb_h->path, /*count*/1,
/*run_queue*/FALSE);
xpt_release_devq(ccb_h->path, /*count*/1, /*run_queue*/TRUE);
ccb_h->status &= ~CAM_DEV_QFRZN;
}
@ -5218,6 +5217,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
if (!device_is_queued(dev))
(void)xpt_schedule_devq(devq, dev);
xpt_run_devq(devq);
mtx_unlock(&devq->send_mtx);
if ((dev->flags & CAM_DEV_TAG_AFTER_COUNT) != 0) {
@ -5247,10 +5247,6 @@ xpt_done_process(struct ccb_hdr *ccb_h)
(*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h);
if (mtx != NULL)
mtx_unlock(mtx);
mtx_lock(&devq->send_mtx);
xpt_run_devq(devq);
mtx_unlock(&devq->send_mtx);
}
void