When reaping the starget, after all sdev's have been removed, the starget
was queued for deletion via usercontext, but was left on the shost's
__targets list. Another scanning thread can match the starget and use it,
causing reference after free problems.
This patch unlinks the starget at the same time it is scheduled for deletion.
-- james s
Signed-off-by: James Smart <james.smart@xxxxxxxxxx>
diff -upNr a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
--- a/drivers/scsi/scsi_scan.c 2006-06-14 11:37:09.000000000 -0400
+++ b/drivers/scsi/scsi_scan.c 2006-06-14 16:55:58.000000000 -0400
@@ -415,7 +415,6 @@ static void scsi_target_reap_usercontext
spin_lock_irqsave(shost->host_lock, flags);
if (shost->hostt->target_destroy)
shost->hostt->target_destroy(starget);
- list_del_init(&starget->siblings);
spin_unlock_irqrestore(shost->host_lock, flags);
put_device(&starget->dev);
}
@@ -439,6 +438,7 @@ void scsi_target_reap(struct scsi_target
if (--starget->reap_ref == 0 && list_empty(&starget->devices)) {
BUG_ON(starget->state == STARGET_DEL);
starget->state = STARGET_DEL;
+ list_del_init(&starget->siblings);
spin_unlock_irqrestore(shost->host_lock, flags);
execute_in_process_context(scsi_target_reap_usercontext,
starget, &starget->ew);
-
: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
