Date:      Mon, 2 Nov 2009 16:13:18 +1300
From:      Andrew Thompson <thompsa@FreeBSD.org>
To:        Alexander Motin <mav@freebsd.org>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject:   Re: svn commit: r198748 - in head/sys/cam: . ata scsi
Message-ID:  <20091102031318.GB49898@citylink.fud.org.nz>
In-Reply-To: <1280352d0911011907k34498c71g5b49ffb7220c377b@mail.gmail.com>
References:  <200911011131.nA1BV6lO022276@svn.freebsd.org> <1280352d0911011907k34498c71g5b49ffb7220c377b@mail.gmail.com>

> Author: mav
> Date: Sun Nov  1 11:31:06 2009
> New Revision: 198748
> URL: http://svn.freebsd.org/changeset/base/198748
> 
> Log:
>  MFp4:
>  Fix reference counting bug, when device unreferenced before then
>  invalidated. To do it, do not handle validity flag as another
>  reference, but explicitly modify reference count each time flag is
>  modified.


There is still one problem with this. In xpt_async() we go through the
device list on the target and call the async function followed by
xpt_async_bcast(). With the above change it's possible for
scsi_dev_async() to free the device due to dropping the
CAM_DEV_UNCONFIGURED flag, leading to a panic in xpt_async_bcast() on
freed memory.

This fixes it for me.

Index: cam/cam_xpt.c
===================================================================
--- cam/cam_xpt.c       (revision 198779)
+++ cam/cam_xpt.c       (working copy)
@@ -4023,12 +4023,15 @@ xpt_async(u_int32_t async_code, struct cam_path *p
                         && device->lun_id != CAM_LUN_WILDCARD)
                                continue;
 
+                       /* The async callback could free the device */
+                       xpt_acquire_device(device);
                        (*(bus->xport->async))(async_code, bus,
                                               target, device,
                                               async_arg);
 
                        xpt_async_bcast(&device->asyncs, async_code,
                                        path, async_arg);
+                       xpt_release_device(device);
                }
        }
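
Review bot: the xpt_release_device(device) added as the last statement of the loop body can itself drop the final reference, so nothing after it may touch device, including the loop's step to the next list entry. The loop header is outside this hunk; please confirm the next-device pointer is saved before the callback runs rather than read from device after the release. The comment on the acquire could also say that the reference is held until xpt_async_bcast() has returned, since that is the call that hit freed memory.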



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091102031318.GB49898>
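
The lifetime problem described in the message, as an added user-space sketch that is not code from the FreeBSD tree or from the patch: a callback may drop the reference tied to a validity flag, so the caller pins the object until its own last use. All names here (`struct dev`, `dev_acquire`, `notify`, and so on) are hypothetical stand-ins, and the flag handling is a simplified assumption.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a refcounted device; not the kernel structure. */
struct dev {
    int refcount;
    int valid;        /* assumed model: one reference is tied to this flag */
    int bcast_seen;   /* written by the broadcast step */
};

static int frees;     /* counts frees so the lifetime can be observed */

static void dev_acquire(struct dev *d) { d->refcount++; }

static void dev_release(struct dev *d)
{
    if (--d->refcount == 0) {
        frees++;
        free(d);
    }
}

/* Models the async callback: changing the flag drops the flag's reference. */
static void async_cb(struct dev *d)
{
    if (d->valid) {
        d->valid = 0;
        dev_release(d);
    }
}

static void bcast(struct dev *d) { d->bcast_seen = 1; }

/* Returns how many frees happened before bcast() ran; 0 means d was alive. */
static int notify(struct dev *d)
{
    int freed_early;

    dev_acquire(d);      /* pin: the callback could drop the last reference */
    async_cb(d);
    freed_early = frees;
    bcast(d);            /* safe, our reference keeps d alive */
    dev_release(d);      /* may free d; d must not be used after this */
    return freed_early;
}

/* Returns 1 when the object outlived bcast() and was freed exactly once. */
int run_example(void)
{
    struct dev *d = calloc(1, sizeof(*d));
    if (d == NULL)
        return -1;
    d->refcount = 1;     /* the only reference is the one tied to the flag */
    d->valid = 1;
    frees = 0;
    return notify(d) == 0 && frees == 1;
}

int main(void) { return run_example() == 1 ? 0 : 1; }
```

Without the `dev_acquire()`/`dev_release()` pair in `notify()`, the callback would free the object and `bcast()` would write to freed memory.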