From d14e60d2793ee15cd7416fb6bc897eae1222c41d Mon Sep 17 00:00:00 2001
From: dg <dg@FreeBSD.org>
Date: Mon, 7 Aug 1995 11:55:32 +0000
Subject: Since buffers can be pulled off of the disk queue at interrupt time
 and disksort is called at non-interrupt time and can be actively traversing
 the list when that happens, there is a very small window of vulnerability.
 Close it by protecting disksort with splbio().

---
 sys/kern/subr_disklabel.c  | 9 +++++++--
 sys/ufs/ufs/ufs_disksubr.c | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

(limited to 'sys')

diff --git a/sys/kern/subr_disklabel.c b/sys/kern/subr_disklabel.c
index 958f594..c1d1f56 100644
--- a/sys/kern/subr_disklabel.c
+++ b/sys/kern/subr_disklabel.c
@@ -42,7 +42,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ufs_disksubr.c	8.5 (Berkeley) 1/21/94
- * $Id: ufs_disksubr.c,v 1.14 1995/03/18 07:06:51 davidg Exp $
+ * $Id: ufs_disksubr.c,v 1.15 1995/05/30 08:15:33 rgrimes Exp $
  */
 
 #include <sys/param.h>
@@ -80,11 +80,14 @@ disksort(ap, bp)
 	register struct buf *ap, *bp;
 {
 	register struct buf *bq;
+	int s;
 
+	s = splbio();
 	/* If the queue is empty, then it's easy. */
 	if (ap->b_actf == NULL) {
 		bp->b_actf = NULL;
 		ap->b_actf = bp;
+		splx(s);
 		return;
 	}
 
@@ -142,8 +145,10 @@ disksort(ap, bp)
 	 * Neither a second list nor a larger request... we go at the end of
 	 * the first list, which is the same as the end of the whole schebang.
 	 */
-insert:	bp->b_actf = bq->b_actf;
+insert:
+	bp->b_actf = bq->b_actf;
 	bq->b_actf = bp;
+	splx(s);
 }
 
 /*
diff --git a/sys/ufs/ufs/ufs_disksubr.c b/sys/ufs/ufs/ufs_disksubr.c
index 958f594..c1d1f56 100644
--- a/sys/ufs/ufs/ufs_disksubr.c
+++ b/sys/ufs/ufs/ufs_disksubr.c
@@ -42,7 +42,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ufs_disksubr.c	8.5 (Berkeley) 1/21/94
- * $Id: ufs_disksubr.c,v 1.14 1995/03/18 07:06:51 davidg Exp $
+ * $Id: ufs_disksubr.c,v 1.15 1995/05/30 08:15:33 rgrimes Exp $
  */
 
 #include <sys/param.h>
@@ -80,11 +80,14 @@ disksort(ap, bp)
 	register struct buf *ap, *bp;
 {
 	register struct buf *bq;
+	int s;
 
+	s = splbio();
 	/* If the queue is empty, then it's easy. */
 	if (ap->b_actf == NULL) {
 		bp->b_actf = NULL;
 		ap->b_actf = bp;
+		splx(s);
 		return;
 	}
 
@@ -142,8 +145,10 @@ disksort(ap, bp)
 	 * Neither a second list nor a larger request... we go at the end of
 	 * the first list, which is the same as the end of the whole schebang.
 	 */
-insert:	bp->b_actf = bq->b_actf;
+insert:
+	bp->b_actf = bq->b_actf;
 	bq->b_actf = bp;
+	splx(s);
 }
 
 /*
-- 
cgit v1.1