Date:      Sun, 21 Dec 2014 16:43:57 +0000 (UTC)
From:      Steven Hartland <smh@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r276020 - stable/10/sys/dev/ahci
Message-ID:  <201412211643.sBLGhv2k024171@svn.freebsd.org>

Author: smh
Date: Sun Dec 21 16:43:56 2014
New Revision: 276020
URL: https://svnweb.freebsd.org/changeset/base/276020

Log:
  MFC r272223:
  Prevent possible use after free in ahci direct mode
  
  Sponsored by:	Multiplay

Modified:
  stable/10/sys/dev/ahci/ahci.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/dev/ahci/ahci.c
==============================================================================
--- stable/10/sys/dev/ahci/ahci.c	Sun Dec 21 16:38:29 2014	(r276019)
+++ stable/10/sys/dev/ahci/ahci.c	Sun Dec 21 16:43:56 2014	(r276020)
@@ -1580,6 +1580,7 @@ ahci_ch_intr_direct(void *arg)
 	struct ahci_channel *ch = device_get_softc(dev);
 	struct ccb_hdr *ccb_h;
 	uint32_t istatus;
+	STAILQ_HEAD(, ccb_hdr) tmp_doneq = STAILQ_HEAD_INITIALIZER(tmp_doneq);
 
 	/* Read interrupt statuses. */
 	istatus = ATA_INL(ch->r_mem, AHCI_P_IS);
@@ -1590,9 +1591,14 @@ ahci_ch_intr_direct(void *arg)
 	ch->batch = 1;
 	ahci_ch_intr_main(ch, istatus);
 	ch->batch = 0;
+	/*
+	 * Prevent the possibility of issues caused by processing the queue
+	 * while unlocked below by moving the contents to a local queue.
+	 */
+	STAILQ_CONCAT(&tmp_doneq, &ch->doneq);
 	mtx_unlock(&ch->mtx);
-	while ((ccb_h = STAILQ_FIRST(&ch->doneq)) != NULL) {
-		STAILQ_REMOVE_HEAD(&ch->doneq, sim_links.stqe);
+	while ((ccb_h = STAILQ_FIRST(&tmp_doneq)) != NULL) {
+		STAILQ_REMOVE_HEAD(&tmp_doneq, sim_links.stqe);
 		xpt_done_direct((union ccb *)ccb_h);
 	}
 }
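Review bot: The comment added above `STAILQ_CONCAT(&tmp_doneq, &ch->doneq);` speaks only of "issues" and does not state the locking rule the fix depends on, so a later edit could reintroduce the unlocked walk of `ch->doneq`. The removed loop read and unlinked entries from `ch->doneq` after `mtx_unlock(&ch->mtx)`, which presumably let another context holding the channel lock modify the same list while a CCB was being completed. I would word the comment as `/* ch->doneq is protected by ch->mtx: detach the completed CCBs onto a local list before unlocking, so the completion loop never touches shared channel state. */`. It is also worth keeping the `STAILQ_REMOVE_HEAD` before `xpt_done_direct()` ordering explicit in that comment, since the CCB should not be dereferenced once it has been handed back. The body of `ahci_ch_intr_direct` starts above this hunk, so the lock acquisition itself is not visible here.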


