svn commit: r256960 - head/sys/cam

Alexander Motin mav at FreeBSD.org
Wed Oct 23 12:53:06 UTC 2013


Author: mav
Date: Wed Oct 23 12:53:05 2013
New Revision: 256960
URL: http://svnweb.freebsd.org/changeset/base/256960

Log:
  Move CAM_UNQUEUED_INDEX setting to the last moment and under the periph lock.
  This fixes race condition with cam_periph_ccbwait(), causing use-after-free.

Modified:
  head/sys/cam/cam_xpt.c

Modified: head/sys/cam/cam_xpt.c
==============================================================================
--- head/sys/cam/cam_xpt.c	Wed Oct 23 12:29:39 2013	(r256959)
+++ head/sys/cam/cam_xpt.c	Wed Oct 23 12:53:05 2013	(r256960)
@@ -5239,6 +5239,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
 	}
 
 	/* Call the peripheral driver's callback */
+	ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;
 	(*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h);
 	if (mtx != NULL)
 		mtx_unlock(mtx);
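Review bot: The new store to ccb_h->pinfo.index sits between the comment "Call the peripheral driver's callback" and the call it describes, and nothing in the code says why the ordering matters. Suggest moving the assignment above that comment and giving it its own comment stating that the index must only be set to CAM_UNQUEUED_INDEX immediately before the callback and while the lock is held, since cam_periph_ccbwait() can otherwise race and the CCB can be freed. The unlock right after is guarded by "if (mtx != NULL)", so there is a path where no mutex was taken here; it is worth stating in that comment (or asserting) what protects the store in that case, because the log message says the store is made under the periph lock.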
@@ -5270,7 +5271,6 @@ xpt_done_td(void *arg)
 		THREAD_NO_SLEEPING();
 		while ((ccb_h = STAILQ_FIRST(&doneq)) != NULL) {
 			STAILQ_REMOVE_HEAD(&doneq, sim_links.stqe);
-			ccb_h->pinfo.index = CAM_UNQUEUED_INDEX;
 			xpt_done_process(ccb_h);
 		}
 		THREAD_SLEEPING_OK();
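Review bot: With the store removed from the loop in xpt_done_td(), the CCB is taken off doneq by STAILQ_REMOVE_HEAD() and then travels through most of xpt_done_process() with its old pinfo.index value, since the replacement store is added only near the end of that function (around line 5242). Please confirm that nothing earlier in xpt_done_process() tests pinfo.index against CAM_UNQUEUED_INDEX, and that any other callers of xpt_done_process() not shown in this diff do not still set the index early themselves, which would leave the same race window open on those paths.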

