svn commit: r237398 - head/sys/cam
Author: mav
Date: Thu Jun 21 14:35:46 2012
New Revision: 237398
URL: http://svn.freebsd.org/changeset/base/237398
Log:
In camisr() clear CAM_SIM_ON_DONEQ flag after camisr_runqueue() purged SIM
done queue. Clearing it before caused extra SIM queueing in some cases.
It was invisible during normal operation, but during USB device unplug and
respective SIM destruction it could keep pointer on SIM without having
counted reference and as result crash the system by use afer free.
Reported by: hselasky
MFC after: 1 week
Modified:
head/sys/cam/cam_xpt.c
Modified: head/sys/cam/cam_xpt.c
==============================================================================
--- head/sys/cam/cam_xpt.c Thu Jun 21 13:53:28 2012 (r237397)
+++ head/sys/cam/cam_xpt.c Thu Jun 21 14:35:46 2012 (r237398)
@@ -5005,8 +5005,8 @@ camisr(void *dummy)
while ((sim = TAILQ_FIRST(&queue)) != NULL) {
TAILQ_REMOVE(&queue, sim, links);
CAM_SIM_LOCK(sim);
- sim->flags &= ~CAM_SIM_ON_DONEQ;
camisr_runqueue(&sim->sim_doneq);
+ sim->flags &= ~CAM_SIM_ON_DONEQ;
CAM_SIM_UNLOCK(sim);
}
mtx_lock(&cam_simq_lock);
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"