Page MenuHomeFreeBSD
Files F144982691

D9869.diff
No OneTemporary
Actions

D9869.diff
View Options

Index: head/sys/cam/cam_xpt.c
===================================================================
--- head/sys/cam/cam_xpt.c
+++ head/sys/cam/cam_xpt.c
@@ -435,6 +435,9 @@
inccb->csio.bio = NULL;
#endif
+ if (inccb->ccb_h.flags & CAM_UNLOCKED)
+ return (EINVAL);
+
bus = xpt_find_bus(inccb->ccb_h.path_id);
if (bus == NULL)
return (EINVAL);
Index: head/sys/cam/scsi/scsi_pass.c
===================================================================
--- head/sys/cam/scsi/scsi_pass.c
+++ head/sys/cam/scsi/scsi_pass.c
@@ -1782,6 +1782,11 @@
inccb->csio.bio = NULL;
#endif
+ if (inccb->ccb_h.flags & CAM_UNLOCKED) {
+ error = EINVAL;
+ break;
+ }
+
/*
* Some CCB types, like scan bus and scan lun can only go
* through the transport layer device.
@@ -1875,24 +1880,27 @@
xpt_print(periph->path, "Copy of user CCB %p to "
"kernel address %p failed with error %d\n",
*user_ccb, ccb, error);
- uma_zfree(softc->pass_zone, io_req);
- cam_periph_lock(periph);
- break;
+ goto camioqueue_error;
}
#if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
if (ccb->ccb_h.func_code == XPT_SCSI_IO)
ccb->csio.bio = NULL;
#endif
+ if (ccb->ccb_h.flags & CAM_UNLOCKED) {
+ error = EINVAL;
+ goto camioqueue_error;
+ }
+
if (ccb->ccb_h.flags & CAM_CDB_POINTER) {
if (ccb->csio.cdb_len > IOCDBLEN) {
error = EINVAL;
- break;
+ goto camioqueue_error;
}
error = copyin(ccb->csio.cdb_io.cdb_ptr,
ccb->csio.cdb_io.cdb_bytes, ccb->csio.cdb_len);
- if (error)
- break;
+ if (error != 0)
+ goto camioqueue_error;
ccb->ccb_h.flags &= ~CAM_CDB_POINTER;
}
@@ -1904,10 +1912,8 @@
xpt_print(periph->path, "CCB function code %#x is "
"restricted to the XPT device\n",
ccb->ccb_h.func_code);
- uma_zfree(softc->pass_zone, io_req);
- cam_periph_lock(periph);
error = ENODEV;
- break;
+ goto camioqueue_error;
}
/*
@@ -1953,11 +1959,8 @@
|| (fc == XPT_SMP_IO) || (fc == XPT_DEV_MATCH)
|| (fc == XPT_DEV_ADVINFO)) {
error = passmemsetup(periph, io_req);
- if (error != 0) {
- uma_zfree(softc->pass_zone, io_req);
- cam_periph_lock(periph);
- break;
- }
+ if (error != 0)
+ goto camioqueue_error;
} else
io_req->mapinfo.num_bufs_used = 0;
@@ -2002,6 +2005,11 @@
TAILQ_INSERT_TAIL(&softc->done_queue, io_req, links);
}
break;
+
+camioqueue_error:
+ uma_zfree(softc->pass_zone, io_req);
+ cam_periph_lock(periph);
+ break;
}
case CAMIOGET:
{

File Metadata

Mime Type
text/plain
Expires
Sun, Feb 15, 5:45 PM (5 h, 4 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
28750569
Default Alt Text
D9869.diff (2 KB)

Event Timeline