Created attachment 147952 (ctl_frontend_cam_sim patch)

While hunting some memory use-after-free bugs involving CAM_SIM_QUEUED being set on a freed ccb, I found what looks like a possible race where the CTL frontend can queue a ccb for processing before setting the CAM_SIM_QUEUED flag. CTL also seems to be missing a ccb completion in the case where the ccb couldn't be queued. Patch attached.
When this is committed it should be marked as sponsored by EMC/Isilon Storage Division.
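The ordering problem described in the report, as an added user-space model (not the attached patch or any FreeBSD code): a stand-in ctl_queue() that can complete the ccb before returning stands in for the other thread winning the race. All type names, function names and flag values here are constructed for the model, not taken from cam.h or ctl_frontend_cam_sim.c.

```c
#include <stdbool.h>
#include <stdint.h>

/* Flag values are constructed for this model, not copied from cam.h. */
#define M_SIM_QUEUED   0x100  /* ccb is sitting in the SIM/CTL queue */
#define M_REQ_CMP      0x01   /* request completed successfully */
#define M_REQ_CMP_ERR  0x04   /* request failed */
#define M_STATUS_MASK  0x3f

struct ccb_model {
    uint32_t status;   /* stands in for ccb_h.status */
    bool handed_back;  /* completion ran; the owner may free the ccb now */
};

/* Completion path (in the kernel: usually another thread). Clears the
 * queued flag, stores the final status and returns the ccb to its owner. */
static void model_done(struct ccb_model *ccb, uint32_t status)
{
    ccb->status = (ccb->status & ~(M_STATUS_MASK | M_SIM_QUEUED)) | status;
    ccb->handed_back = true;
}

/* Stand-in for ctl_queue(): 0 on success, -1 if the ccb is rejected.
 * 'done_inline' forces the interleaving the race needs: the consumer
 * finishes the ccb before control returns to the submitter. */
static int model_ctl_queue(struct ccb_model *ccb, bool accept, bool done_inline)
{
    if (!accept)
        return -1;
    if (done_inline)
        model_done(ccb, M_REQ_CMP);
    return 0;
}

/* Order the report describes: queue first, set the flag afterwards,
 * and no completion when queueing fails (the ccb is leaked). */
static void submit_racy(struct ccb_model *ccb, bool accept, bool done_inline)
{
    if (model_ctl_queue(ccb, accept, done_inline) == 0)
        ccb->status |= M_SIM_QUEUED;  /* may land on a completed, freed ccb */
}

/* Order from the r272650 log: flag first, then queue; plus the completion
 * on failure that the report says was missing. */
static void submit_fixed(struct ccb_model *ccb, bool accept, bool done_inline)
{
    ccb->status |= M_SIM_QUEUED;
    if (model_ctl_queue(ccb, accept, done_inline) != 0)
        model_done(ccb, M_REQ_CMP_ERR);
}
```

With the racy order and the consumer winning, the queued flag is written after the ccb was already handed back, which is the "CAM_SIM_QUEUED set on a freed ccb" symptom; with the fixed order the completion path clears it.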
A commit references this bug:

Author: mav
Date: Mon Oct 6 14:52:05 UTC 2014
New revision: 272650
URL: https://svnweb.freebsd.org/changeset/base/272650

Log:
  Set CAM_SIM_QUEUED flag before calling ctl_queue() to avoid race.

  PR:           194128
  Submitted by: Scott M. Ferris <smferris@gmail.com>
  MFC after:    3 days
  Sponsored by: EMC/Isilon Storage Division

Changes:
  head/sys/cam/ctl/ctl_frontend_cam_sim.c
Looks good to me. Committed to FreeBSD head. Thank you.
A commit references this bug:

Author: mav
Date: Thu Oct 9 05:28:12 UTC 2014
New revision: 272798
URL: https://svnweb.freebsd.org/changeset/base/272798

Log:
  MFC r272650:
  Set CAM_SIM_QUEUED flag before calling ctl_queue() to avoid race.

  PR:           194128
  Submitted by: Scott M. Ferris <smferris@gmail.com>
  Sponsored by: EMC/Isilon Storage Division

Changes:
_U  stable/10/
  stable/10/sys/cam/ctl/ctl_frontend_cam_sim.c