Reset acb->xs to NULL before scsi_done if option DIAGNOSTIC. There seem to be

one bad case of use-after-free after a hell lot of heavy I/O creeping in again
in this driver. This doesn't fix it but will hopefully help me diagnose once
it occurs again.

1 files changed, 5 insertions, 2 deletions

diff --git a/sys/dev/ic/osiop.c b/sys/dev/ic/osiop.c
index 57675a2cf1b..f43c9f51ac5 100644
--- a/sys/dev/ic/osiop.c
+++ b/sys/dev/ic/osiop.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: osiop.c,v 1.45 2010/06/28 18:31:02 krw Exp $	*/
+/*	$OpenBSD: osiop.c,v 1.46 2010/12/08 21:57:47 miod Exp $	*/
 /*	$NetBSD: osiop.c,v 1.9 2002/04/05 18:27:54 bouyer Exp $	*/
 
 /*
@@ -594,7 +594,7 @@ osiop_scsidone(acb, status)
 
 #ifdef DIAGNOSTIC
 	if (acb == NULL || acb->xs == NULL) {
-		printf("osiop_scsidone: NULL acb or scsi_xfer\n");
+		printf("osiop_scsidone: NULL acb %p or scsi_xfer\n", acb);
 #if defined(OSIOP_DEBUG) && defined(DDB)
 		Debugger();
 #endif
@@ -709,6 +709,9 @@ osiop_scsidone(acb, status)
 		/* Put it on the free list. */
 FREE:
 		acb->status = ACB_S_FREE;
+#ifdef DIAGNOSTIC
+		acb->xs = NULL;
+#endif
 		sc->sc_tinfo[periph->target].cmds++;
 
 		xs->resid = 0;