Source-Changes-HG archive


[src/trunk]: src/sys/dev/ata stop timeout handler while scheduling another pa...



details:   https://anonhg.NetBSD.org/src/rev/0177de20446a
branches:  trunk
changeset: 972249:0177de20446a
user:      jdolecek <jdolecek%NetBSD.org@localhost>
date:      Thu May 21 09:11:33 2020 +0000

description:
stop timeout handler while scheduling another part of partial I/O,
to avoid race between the timeout and I/O submission; the I/O
submission can sleep with xfer while waiting for the controller to
be ready once it gets to thread context, and timeout might cause
the xfer to be freed, leading to crashes due to use-after-free

this fixes another type of crash with slow devices under QEMU reported
by Paul Ripke - thanks a lot for the extensive debugging help

diffstat:

 sys/dev/ata/ata_wdc.c |  6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diffs (27 lines):

diff -r f7bc74416688 -r 0177de20446a sys/dev/ata/ata_wdc.c
--- a/sys/dev/ata/ata_wdc.c     Thu May 21 08:43:57 2020 +0000
+++ b/sys/dev/ata/ata_wdc.c     Thu May 21 09:11:33 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ata_wdc.c,v 1.117 2020/05/19 08:08:51 jdolecek Exp $   */
+/*     $NetBSD: ata_wdc.c,v 1.118 2020/05/21 09:11:33 jdolecek Exp $   */
 
 /*
  * Copyright (c) 1998, 2001, 2003 Manuel Bouyer.
@@ -54,7 +54,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ata_wdc.c,v 1.117 2020/05/19 08:08:51 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ata_wdc.c,v 1.118 2020/05/21 09:11:33 jdolecek Exp $");
 
 #include "opt_ata.h"
 #include "opt_wdc.h"
@@ -769,6 +769,8 @@
        if (xfer->c_bcount > 0) {
                if ((ata_bio->flags & ATA_POLL) == 0) {
                        /* Start the next operation */
+                       KASSERT((chp->ch_flags & ATACH_IRQ_WAIT) == 0);
+                       callout_stop(&chp->c_timo_callout);
                        ata_xfer_start(xfer);
                } else {
                        /* Let _wdc_ata_bio_start do the loop */
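
Review bot: the return value of callout_stop() in the non-polled `xfer->c_bcount > 0` branch is discarded, so this path cannot tell a cancelled timeout from one whose handler has already started. callout_stop(9) only cancels a pending callout and does not wait for a handler that is already running on another CPU, so if that handler can still reach the xfer, the use-after-free window described in the commit message is narrowed rather than closed. Consider callout_halt(9), which waits for a running handler to finish, if the locking at this point allows it, or else act on the return value before calling ata_xfer_start(xfer). The added KASSERT on ATACH_IRQ_WAIT is compiled only into DIAGNOSTIC kernels, so it documents the invariant without enforcing it in release builds. A one-line comment above callout_stop() saying that the timeout is stopped because ata_xfer_start() may sleep with the xfer would keep the reason next to the code.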


