From owner-svn-src-all@FreeBSD.ORG Thu Jun 21 14:35:47 2012 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 82AB310656B8; Thu, 21 Jun 2012 14:35:47 +0000 (UTC) (envelope-from mav@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 6DEA48FC17; Thu, 21 Jun 2012 14:35:47 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q5LEZl2G018407; Thu, 21 Jun 2012 14:35:47 GMT (envelope-from mav@svn.freebsd.org) Received: (from mav@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q5LEZlKS018405; Thu, 21 Jun 2012 14:35:47 GMT (envelope-from mav@svn.freebsd.org) Message-Id: <201206211435.q5LEZlKS018405@svn.freebsd.org> From: Alexander Motin Date: Thu, 21 Jun 2012 14:35:47 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r237398 - head/sys/cam X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Jun 2012 14:35:47 -0000 Author: mav Date: Thu Jun 21 14:35:46 2012 New Revision: 237398 URL: http://svn.freebsd.org/changeset/base/237398 Log: In camisr() clear CAM_SIM_ON_DONEQ flag after camisr_runqueue() purged SIM done queue. Clearing it before caused extra SIM queueing in some cases. It was invisible during normal operation, but during USB device unplug and respective SIM destruction it could keep pointer on SIM without having counted reference and as result crash the system by use afer free. Reported by: hselasky MFC after: 1 week Modified: head/sys/cam/cam_xpt.c Modified: head/sys/cam/cam_xpt.c ============================================================================== --- head/sys/cam/cam_xpt.c Thu Jun 21 13:53:28 2012 (r237397) +++ head/sys/cam/cam_xpt.c Thu Jun 21 14:35:46 2012 (r237398) @@ -5005,8 +5005,8 @@ camisr(void *dummy) while ((sim = TAILQ_FIRST(&queue)) != NULL) { TAILQ_REMOVE(&queue, sim, links); CAM_SIM_LOCK(sim); - sim->flags &= ~CAM_SIM_ON_DONEQ; camisr_runqueue(&sim->sim_doneq); + sim->flags &= ~CAM_SIM_ON_DONEQ; CAM_SIM_UNLOCK(sim); } mtx_lock(&cam_simq_lock);