Message-Id: <201203051846.q25IkTuN022061@red.freebsd.org>
Date: Mon, 5 Mar 2012 18:46:29 GMT
From: HPS <hselasky@c2i.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: SCSI code must drain callbacks before free
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         165740
>Category:       kern
>Synopsis:       [cam] SCSI code must drain callbacks before free
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-scsi
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 05 18:50:13 UTC 2012
>Closed-Date:    
>Last-Modified:  Mon Apr 15 08:00:00 UTC 2013
>Originator:     HPS
>Release:        FreeBSD 8/9/10
>Organization:
>Environment:
FreeBSD 8.3-PRERELEASE amd64
>Description:
In /sys/cam/cam_xpt.c:

4569                    void
4570                    xpt_release_device(struct cam_ed *device)
4571                    {
4572                    
4573    mjacob  224806  if (device->refcount == 1) {
4574    gibbs   39212   struct cam_devq *devq;
4575                    
4576    gibbs   44500   if (device->alloc_ccb_entry.pinfo.index != CAM_UNQUEUED_INDEX
4577                    || device->send_ccb_entry.pinfo.index != CAM_UNQUEUED_INDEX)
4578                    panic("Removing device while still queued for ccbs");
4579    gibbs   49927   
4580                    if ((device->flags & CAM_DEV_REL_TIMEOUT_PENDING) != 0)

Here callout_drain() should be used unconditionally. callout_drain()
requires that the caller is not locked. I don't have enough information
on whether it is possible to drop/pick up locks at this point in the code.

4581    mjacob  224806  callout_stop(&device->callout);


4583    mav     198748  TAILQ_REMOVE(&device->target->ed_entries, device,links);
4584                    device->target->generation++;
4585                    device->target->bus->sim->max_ccbs -= device->ccbq.devq_openings;
4586    trasz   186184  /* Release our slot in the devq */
4587    mav     198748  devq = device->target->bus->sim->devq;
4588    trasz   186184  cam_devq_resize(devq, devq->alloc_queue.array_size - 1);
4589    avatar  147571  camq_fini(&device->drvq);
4590    mav     198377  cam_ccbq_fini(&device->ccbq);
4591    ken     230590  /*
4592                    * Free allocated memory. free(9) does nothing if the
4593                    * supplied pointer is NULL, so it is safe to call without
4594                    * checking.
4595                    */
4596                    free(device->supported_vpds, M_CAMXPT);
4597                    free(device->device_id, M_CAMXPT);
4598                    free(device->physpath, M_CAMXPT);
4599                    free(device->rcap_buf, M_CAMXPT);
4600                    free(device->serial_num, M_CAMXPT);
4601                    
4602    mav     198748  xpt_release_target(device->target);
4603    avatar  147723  free(device, M_CAMXPT);

--HPS
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-scsi 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Mar 10 05:49:55 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165740 

From: Sean Bruno <seanwbruno@gmail.com>
To: bug-followup@FreeBSD.org, hselasky@c2i.net
Cc:  
Subject: Re: kern/165740: [cam] SCSI code must drain callbacks before free
Date: Sun, 14 Apr 2013 12:25:11 -0700

 Hans:
 
 Can you regenerate this patch?  It looks like it got garbled by gnats.
 Or is this a copy/paste from an annotated version of a web page?
 
 Sean
 

From: Hans Petter Selasky <hselasky@c2i.net>
To: sbruno@freebsd.org
Cc: Sean Bruno <seanwbruno@gmail.com>, bug-followup@FreeBSD.org, 
 Alexander Motin <mav@FreeBSD.org>
Subject: Re: kern/165740: [cam] SCSI code must drain callbacks before free
Date: Mon, 15 Apr 2013 07:58:40 +0200

 On 04/14/13 21:25, Sean Bruno wrote:
 > Hans:
 >
 > Can you regenerate this patch?  It looks like it got garbled by gnats.
 > Or is this a copy/paste from an annotated version of a web page?
 >
 > Sean
 >
 
 
 Hi,
 
 Can you check the commit logs? I wonder if Alexander has fixed this issue.
 
 --HPS

From: Alexander Motin <mav@FreeBSD.org>
To: Hans Petter Selasky <hselasky@c2i.net>
Cc: sbruno@freebsd.org, bug-followup@FreeBSD.org
Subject: Re: kern/165740: [cam] SCSI code must drain callbacks before free
Date: Mon, 15 Apr 2013 10:58:32 +0300

 On 15.04.2013 08:58, Hans Petter Selasky wrote:
 > On 04/14/13 21:25, Sean Bruno wrote:
 >> Can you regenerate this patch?  It looks like it got garbled by gnats.
 >> Or is this a copy/paste from an annotated version of a web page?
 >
 > Can you check the commit logs? I wonder if Alexander has fixed this issue.
 
 No, I haven't, but I've noticed it also myself. I think that the code
 around these callouts is historically not exactly correct and needs some
 more attention than just dropping the lock and draining.
 
 BTW, one way to avoid dropping the lock there could be taking an extra
 reference to the device before arming it. That would keep the device from
 destruction until the callout actually fires.
 
 -- 
 Alexander Motin
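
The race HPS describes in the PR (callout_stop() cannot stop a handler that
is already executing, so the free() that follows it can run concurrently
with the handler) and the two remedies discussed in this thread
(callout_drain() before the free, and Alexander's extra reference held while
the callout is armed) can be shown in a small single-threaded model. The
code below is an added example written for this page; it is not FreeBSD
code and not from any participant. co_stop, co_drain, co_arm, co_dequeue,
device_release, device_cancel_timeout, device_timeout, run_scenario and
run_scenario_pending are hypothetical stand-ins for callout_stop(9),
callout_drain(9), callout_reset(9), xpt_release_device() and the device
timeout handler, and the thread interleaving is chosen by hand instead of
by the scheduler.

```c
/*
 * Added example, not FreeBSD code: a single-threaded model of the callout race
 * in this PR. co_*, device_* and run_scenario* are hypothetical stand-ins for
 * callout(9) and the CAM device code; the thread interleaving is chosen by hand.
 */
#include <stdbool.h>

enum co_state { CO_IDLE, CO_PENDING, CO_RUNNING };
enum strategy { STOP_ONLY, DRAIN_BEFORE_FREE, REF_WHILE_ARMED };

struct callout { enum co_state state; void (*fn)(struct device *); struct device *arg; };
struct device {
    int refcount; enum strategy strat;
    bool freed;           /* models free(9); memory is kept so the bug stays observable */
    bool uaf_observed;    /* handler ran against an already freed device */
    struct callout callout;
};

/* Softclock side: once dequeued for execution a callout can no longer be cancelled. */
static void co_dequeue(struct callout *c) { if (c->state == CO_PENDING) c->state = CO_RUNNING; }
static void co_run(struct callout *c)
{
    if (c->state != CO_RUNNING) return;
    c->state = CO_IDLE;
    c->fn(c->arg);
}

/* Models callout_stop(9): cancels a pending callout, cannot stop a running one. */
static bool co_stop(struct callout *c)
{
    if (c->state != CO_PENDING) return false;
    c->state = CO_IDLE;
    return true;
}

/* Models callout_drain(9): stop, and if the handler is already running, wait for it.
 * The real call sleeps, which is why the caller must not hold the handler's lock. */
static void co_drain(struct callout *c) { if (!co_stop(c)) co_run(c); }

static void device_release(struct device *d);

/* Timeout handler: touches the device, then drops the callout's own reference
 * in the refcount variant. */
static void device_timeout(struct device *d)
{
    if (d->freed) d->uaf_observed = true;          /* the use-after-free the PR warns about */
    if (d->strat == REF_WHILE_ARMED) device_release(d);
}

/* Models arming with callout_reset(9) from the device's point of view. */
static void co_arm(struct device *d)
{
    d->callout = (struct callout){ CO_PENDING, device_timeout, d };
    if (d->strat == REF_WHILE_ARMED) d->refcount++;   /* armed callout keeps the device alive */
}

/* Owner cancels early: if the cancel succeeded the handler never runs, so the
 * reference it would have dropped must be dropped here instead. */
static void device_cancel_timeout(struct device *d)
{
    if (co_stop(&d->callout) && d->strat == REF_WHILE_ARMED) device_release(d);
}

/* Models xpt_release_device(): the last reference tears the device down. */
static void device_release(struct device *d)
{
    if (--d->refcount > 0) return;
    if (d->strat == DRAIN_BEFORE_FREE)
        co_drain(&d->callout);
    else
        co_stop(&d->callout);                         /* what the PR's listing does */
    d->freed = true;
}

/* Interleaving 1: softclock has already dequeued the callout when the owner
 * drops its last reference. Returns true if a use-after-free happened. */
bool run_scenario(enum strategy s)
{
    struct device d = { .refcount = 1, .strat = s };
    co_arm(&d);
    co_dequeue(&d.callout);
    device_release(&d);
    co_run(&d.callout);
    return d.uaf_observed;
}

/* Interleaving 2: owner cancels a still-pending callout, then releases. Returns
 * true if the device was freed with no use-after-free and no leaked reference. */
bool run_scenario_pending(enum strategy s)
{
    struct device d = { .refcount = 1, .strat = s };
    co_arm(&d);
    device_cancel_timeout(&d);
    device_release(&d);
    co_run(&d.callout);
    return d.freed && !d.uaf_observed && d.refcount == 0;
}
```

run_scenario(STOP_ONLY) reports the use-after-free: the handler runs after
the owner has freed the device. With DRAIN_BEFORE_FREE the free waits for
the handler, which is exactly what forces the caller to drop its lock
first. With REF_WHILE_ARMED the free simply cannot happen while the callout
is armed, and no lock has to be dropped; the price is that every successful
early cancel must drop the reference the handler would have dropped
(device_cancel_timeout), or the device leaks.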
>Unformatted:
