From owner-svn-src-all@FreeBSD.ORG  Wed Jun  4 12:24:54 2014
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 6B3FC9C1;
 Wed,  4 Jun 2014 12:24:54 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 572B72BEC;
 Wed,  4 Jun 2014 12:24:54 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s54COsZV073806;
 Wed, 4 Jun 2014 12:24:54 GMT (envelope-from mav@svn.freebsd.org)
Received: (from mav@localhost)
 by svn.freebsd.org (8.14.8/8.14.8/Submit) id s54COsEY073805;
 Wed, 4 Jun 2014 12:24:54 GMT (envelope-from mav@svn.freebsd.org)
Message-Id: <201406041224.s54COsEY073805@svn.freebsd.org>
From: Alexander Motin <mav@FreeBSD.org>
Date: Wed, 4 Jun 2014 12:24:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject: svn commit: r267052 - stable/7/sys/cam
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jun 2014 12:24:54 -0000

Author: mav
Date: Wed Jun  4 12:24:53 2014
New Revision: 267052
URL: http://svnweb.freebsd.org/changeset/base/267052

Log:
  MFC r237398:
  In camisr() clear CAM_SIM_ON_DONEQ flag after camisr_runqueue() purged SIM
  done queue. Clearing it before caused extra SIM queueing in some cases.
  It was invisible during normal operation, but during USB device unplug and
  respective SIM destruction it could keep pointer on SIM without having
  counted reference and as result crash the system by use afer free.
  
  PR:		usb/168743

Modified:
  stable/7/sys/cam/cam_xpt.c
Directory Properties:
  stable/7/   (props changed)
  stable/7/sys/   (props changed)

Modified: stable/7/sys/cam/cam_xpt.c
==============================================================================
--- stable/7/sys/cam/cam_xpt.c	Wed Jun  4 12:05:47 2014	(r267051)
+++ stable/7/sys/cam/cam_xpt.c	Wed Jun  4 12:24:53 2014	(r267052)
@@ -7227,8 +7227,8 @@ camisr(void *dummy)
 	while ((sim = TAILQ_FIRST(&queue)) != NULL) {
 		TAILQ_REMOVE(&queue, sim, links);
 		CAM_SIM_LOCK(sim);
-		sim->flags &= ~CAM_SIM_ON_DONEQ;
 		camisr_runqueue(&sim->sim_doneq);
+		sim->flags &= ~CAM_SIM_ON_DONEQ;
 		CAM_SIM_UNLOCK(sim);
 	}
 }