From 2624aec262440f89141b9838683cbfada1c736a8 Mon Sep 17 00:00:00 2001 From: stsp Date: Sat, 13 Jan 2018 15:10:02 +0000 Subject: [PATCH] In vldcp(8) fix a race between vldcpread() and vldcp_rx_intr() which was overlooked by my previous fix. Keep SPL at TTY in vldcpread() while manipulating the rx queue head. Otherwise we could end up in a situation where: 1: vldcpread() reads rx_head 2: vldcpread() calls splx() 3: vldcp_rx_intr() fires, finds rx link is down, and sets rx_head = rx_tail 4: vlcdpread() resumes and sets rx_head to the value it read in step 1 -> same interrupt storm problem as described in my previous commit ok kettenis@ mpi@ --- sys/arch/sparc64/dev/vldcp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/arch/sparc64/dev/vldcp.c b/sys/arch/sparc64/dev/vldcp.c index f8ebc731089..7d8bb3ae9f6 100644 --- a/sys/arch/sparc64/dev/vldcp.c +++ b/sys/arch/sparc64/dev/vldcp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vldcp.c,v 1.13 2018/01/06 21:35:45 stsp Exp $ */ +/* $OpenBSD: vldcp.c,v 1.14 2018/01/13 15:10:02 stsp Exp $ */ /* * Copyright (c) 2009, 2012 Mark Kettenis * @@ -397,7 +397,6 @@ retry: } goto retry; } - splx(s); ret = uiomove(lc->lc_rxq->lq_va + rx_head, 64, uio); @@ -407,6 +406,7 @@ retry: if (err != H_EOK) printf("%s: hv_ldc_rx_set_qhead %d\n", __func__, err); + splx(s); device_unref(&sc->sc_dv); return (ret); } -- 2.20.1