Source-Changes-HG archive


[src/trunk]: src/sys/dev/ata stop timeout handler while scheduling another pa...



details:   https://anonhg.NetBSD.org/src/rev/6442769548a2
branches:  trunk
changeset: 933187:6442769548a2
user:      jdolecek <jdolecek%NetBSD.org@localhost>
date:      Thu May 21 09:11:33 2020 +0000

description:
stop timeout handler while scheduling another part of partial I/O,
to avoid race between the timeout and I/O submission; the I/O
submission can sleep with xfer while waiting for the controller to
be ready once it gets to thread context, and timeout might cause
the xfer to be freed, leading to crashes due to use-after-free

this fixes another type of crash with slow devices under QEMU reported
by Paul Ripke - thanks a lot for the extensive debugging help

diffstat:

 sys/dev/ata/ata_wdc.c |  6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diffs (27 lines):

diff -r a20a6db564c8 -r 6442769548a2 sys/dev/ata/ata_wdc.c
--- a/sys/dev/ata/ata_wdc.c     Thu May 21 08:43:57 2020 +0000
+++ b/sys/dev/ata/ata_wdc.c     Thu May 21 09:11:33 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ata_wdc.c,v 1.117 2020/05/19 08:08:51 jdolecek Exp $   */
+/*     $NetBSD: ata_wdc.c,v 1.118 2020/05/21 09:11:33 jdolecek Exp $   */
 
 /*
  * Copyright (c) 1998, 2001, 2003 Manuel Bouyer.
@@ -54,7 +54,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ata_wdc.c,v 1.117 2020/05/19 08:08:51 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ata_wdc.c,v 1.118 2020/05/21 09:11:33 jdolecek Exp $");
 
 #include "opt_ata.h"
 #include "opt_wdc.h"
@@ -769,6 +769,8 @@
        if (xfer->c_bcount > 0) {
                if ((ata_bio->flags & ATA_POLL) == 0) {
                        /* Start the next operation */
+                       KASSERT((chp->ch_flags & ATACH_IRQ_WAIT) == 0);
+                       callout_stop(&chp->c_timo_callout);
                        ata_xfer_start(xfer);
                } else {
                        /* Let _wdc_ata_bio_start do the loop */
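
Review bot: the return value of callout_stop(&chp->c_timo_callout) is discarded at the new call just before ata_xfer_start(xfer), so nothing here covers the case where the timeout handler has already fired and is running concurrently. callout_stop(9) only prevents the callout from firing in the future and does not wait for a handler that is already in flight, so the use-after-free window described in the commit message is closed only if a lock held at this point also serializes the handler against xfer; that is not visible in this hunk. Suggest a one-line comment naming the lock that makes this safe, or callout_halt() with that lock as the interlock if sleeping is permitted in this path. Separately, the KASSERT on ATACH_IRQ_WAIT is compiled out of non-DIAGNOSTIC kernels, so it documents the invariant but does not enforce it in release builds.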


