From f1efe4c670cac047b1e88ce32d6afe83d47a66b1 Mon Sep 17 00:00:00 2001
From: mav
Date: Sat, 25 Jan 2014 01:58:15 +0000
Subject: MFC r260549: Move xpt_run_devq() call before request completion callback where it was originally.

I am not sure why exactly have I moved it during one of many refactorings during camlock project, but obviously it opens race window that may cause use after free panics during SIM (in reported cases umass(4)) detach.
---
 sys/cam/cam_xpt.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

(limited to 'sys/cam/cam_xpt.c')

diff --git a/sys/cam/cam_xpt.c b/sys/cam/cam_xpt.c
index 63bac64..562d7ba 100644
--- a/sys/cam/cam_xpt.c
+++ b/sys/cam/cam_xpt.c
@@ -5186,8 +5186,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
 	if ((ccb_h->flags & CAM_DEV_QFRZDIS) &&
 	    (ccb_h->status & CAM_DEV_QFRZN)) {
-		xpt_release_devq(ccb_h->path, /*count*/1,
-				 /*run_queue*/FALSE);
+		xpt_release_devq(ccb_h->path, /*count*/1, /*run_queue*/TRUE);
 		ccb_h->status &= ~CAM_DEV_QFRZN;
 	}
@@ -5216,6 +5215,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
 		if (!device_is_queued(dev))
 			(void)xpt_schedule_devq(devq, dev);
+		xpt_run_devq(devq);
 		mtx_unlock(&devq->send_mtx);
 		if ((dev->flags & CAM_DEV_TAG_AFTER_COUNT) != 0) {
@@ -5245,10 +5245,6 @@ xpt_done_process(struct ccb_hdr *ccb_h)
 	(*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h);
 	if (mtx != NULL)
 		mtx_unlock(mtx);
-
-	mtx_lock(&devq->send_mtx);
-	xpt_run_devq(devq);
-	mtx_unlock(&devq->send_mtx);
 }
 void
-- 
cgit v1.1
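Review bot: The ordering constraint this commit restores is not recorded in the code, so the added `xpt_run_devq(devq);` in the second hunk can be moved again by the next refactor, which the commit message says is exactly how the use-after-free on SIM detach was introduced. I would put a comment on the line before it, `/* Run the device queue here, under send_mtx and before the completion callback: once cbfcnp returns, devq may already be torn down by SIM detach (see r260549). */`. The new call sits between `xpt_schedule_devq()` and `mtx_unlock(&devq->send_mtx)`, so it runs with send_mtx held as the removed post-callback block in the third hunk did; the matching mtx_lock is outside the hunk and I am assuming it is the one paired with that unlock. The first hunk's switch to `/*run_queue*/TRUE` presumably covers the frozen-queue path the same way, so the comment should also mention that both run sites are intentional and neither is redundant. xpt_done_process() begins before these hunks.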