Module Name: src
Committed By: jdolecek
Date: Thu May 21 09:11:33 UTC 2020
Modified Files:
src/sys/dev/ata: ata_wdc.c
Log Message:
stop timeout handler while scheduling another part of partial I/O,
to avoid race between the timeout and I/O submission; the I/O
submission can sleep with xfer while waiting for the controller to
be ready once it gets to thread context, and timeout might cause
the xfer to be freed, leading to crashes due to use-after-free
this fixes another type of crashes with slow devices under QEMU reported
by Paul Ripke - thanks a lot with extensive debugging help
To generate a diff of this commit:
cvs rdiff -u -r1.117 -r1.118 src/sys/dev/ata/ata_wdc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/ata/ata_wdc.c
diff -u src/sys/dev/ata/ata_wdc.c:1.117 src/sys/dev/ata/ata_wdc.c:1.118
--- src/sys/dev/ata/ata_wdc.c:1.117 Tue May 19 08:08:51 2020
+++ src/sys/dev/ata/ata_wdc.c Thu May 21 09:11:33 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: ata_wdc.c,v 1.117 2020/05/19 08:08:51 jdolecek Exp $ */
+/* $NetBSD: ata_wdc.c,v 1.118 2020/05/21 09:11:33 jdolecek Exp $ */
/*
* Copyright (c) 1998, 2001, 2003 Manuel Bouyer.
@@ -54,7 +54,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ata_wdc.c,v 1.117 2020/05/19 08:08:51 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ata_wdc.c,v 1.118 2020/05/21 09:11:33 jdolecek Exp $");
#include "opt_ata.h"
#include "opt_wdc.h"
@@ -769,6 +769,8 @@ end:
if (xfer->c_bcount > 0) {
if ((ata_bio->flags & ATA_POLL) == 0) {
/* Start the next operation */
+ KASSERT((chp->ch_flags & ATACH_IRQ_WAIT) == 0);
+ callout_stop(&chp->c_timo_callout);
ata_xfer_start(xfer);
} else {
/* Let _wdc_ata_bio_start do the loop */
