Author: mav
Date: Sat Jan 11 16:52:09 2014
New Revision: 260549
URL: http://svnweb.freebsd.org/changeset/base/260549

Log:
  Move xpt_run_devq() call before request completion callback where it was
  originally.
  
  I am not sure why exactly I have moved it during one of the many refactorings
  during the camlock project, but obviously it opens a race window that may cause
  use-after-free panics during SIM (in reported cases umass(4)) detach.
  
  MFC after:    2 weeks

Modified:
  head/sys/cam/cam_xpt.c

Modified: head/sys/cam/cam_xpt.c
==============================================================================
--- head/sys/cam/cam_xpt.c      Sat Jan 11 16:50:41 2014        (r260548)
+++ head/sys/cam/cam_xpt.c      Sat Jan 11 16:52:09 2014        (r260549)
@@ -5188,8 +5188,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
 
        if ((ccb_h->flags & CAM_DEV_QFRZDIS)
         && (ccb_h->status & CAM_DEV_QFRZN)) {
-               xpt_release_devq(ccb_h->path, /*count*/1,
-                                /*run_queue*/FALSE);
+               xpt_release_devq(ccb_h->path, /*count*/1, /*run_queue*/TRUE);
                ccb_h->status &= ~CAM_DEV_QFRZN;
        }
 
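Review bot: The run_queue argument of xpt_release_devq() flips from FALSE to TRUE here, but the log message only talks about moving xpt_run_devq() and never mentions this flag. With the trailing xpt_run_devq() at the end of xpt_done_process() removed, this path now relies on the release call itself to restart the queue, and it does so before CAM_DEV_QFRZN is cleared on the following line. A sentence in the log or a short comment above the call stating that the queue must be run here, before the completion callback, would make the dependency explicit.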
@@ -5218,6 +5217,7 @@ xpt_done_process(struct ccb_hdr *ccb_h)
 
                if (!device_is_queued(dev))
                        (void)xpt_schedule_devq(devq, dev);
+               xpt_run_devq(devq);
                mtx_unlock(&devq->send_mtx);
 
                if ((dev->flags & CAM_DEV_TAG_AFTER_COUNT) != 0) {
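Review bot: The added xpt_run_devq(devq) sits one indentation level deeper than the unconditional lock/run/unlock sequence that is deleted at the end of the function, so it only executes when the enclosing block (whose condition is outside this hunk) is entered. Please confirm that every path which skips this block either has nothing to restart or is covered by the run_queue TRUE change in the first hunk; otherwise a completion on that path no longer kicks the device queue. Reusing the already held devq->send_mtx for the call is a good choice since it avoids a second lock round trip.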
@@ -5247,10 +5247,6 @@ xpt_done_process(struct ccb_hdr *ccb_h)
        (*ccb_h->cbfcnp)(ccb_h->path->periph, (union ccb *)ccb_h);
        if (mtx != NULL)
                mtx_unlock(mtx);
-
-       mtx_lock(&devq->send_mtx);
-       xpt_run_devq(devq);
-       mtx_unlock(&devq->send_mtx);
 }
 
 void
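Review bot: Missing documentation at the (*ccb_h->cbfcnp)(...) call: after this removal nothing may touch devq once the callback has run, which is the whole point of the fix, yet nothing in the code says so. Since the log admits the call drifted below the callback during an earlier refactoring, a comment directly above the callback noting that devq and the CCB must not be referenced afterwards, because a SIM detach can free them, would guard against the same use after free being reintroduced.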