On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Dereferencing shost from scsi_exit_rq() is not safe because the
> SCSI host may already have been freed when scsi_exit_rq() is
> called. Increasing the shost reference count in scsi_init_rq()
> and dropping that reference in scsi_exit_rq() is nontrivial since
> scsi_host_dev_release() may sleep and since scsi_exit_rq() may
> be called from interrupt context. Since scsi_exit_rq() only needs
> a single bit from shost, copy that bit into struct scsi_cmnd.
>
> Reported-by: Scott Bauer <scott.bauer@xxxxxxxxx>
> Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request")
> Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx>
> Cc: Scott Bauer <scott.bauer@xxxxxxxxx>
> Cc: Christoph Hellwig <hch@xxxxxx>
> Cc: Jan Kara <jack@xxxxxxx>
> Cc: Hannes Reinecke <hare@xxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> ---
> drivers/scsi/scsi_lib.c | 43 +++++++++++++++++++++++++------------------
> include/scsi/scsi_cmnd.h | 1 +
> 2 files changed, 26 insertions(+), 18 deletions(-)
>
Reviewed-by: Hannes Reinecke <hare@xxxxxxxx>

Cheers,

Hannes
--
Dr. Hannes Reinecke, Teamlead Storage & Networking
hare@xxxxxxx
+49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)
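
Added example, not part of the original message and not the kernel patch itself: a user-space C model of the approach the quoted commit message describes, where the init path copies the one bit it needs out of the host so the exit path never dereferences a host that may already be freed. The names demo_host, demo_cmd, special_pool and the per-pool counters are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins; these are not the kernel's structures. */
struct demo_host {
    bool special_pool;            /* the single bit the exit path needs */
};
struct demo_cmd {
    struct demo_host *host;       /* may dangle by the time exit runs */
    bool special_pool;            /* snapshot taken while host is valid */
    void *buf;
};

/* Live buffers per pool: index 0 = normal, 1 = special (assumed model). */
static int live[2];

/* Init path: the host is known to be alive here, so copy the bit now. */
int demo_init_rq(struct demo_cmd *cmd, struct demo_host *host)
{
    cmd->host = host;
    cmd->special_pool = host->special_pool;
    cmd->buf = malloc(64);
    if (!cmd->buf)
        return -1;
    live[cmd->special_pool]++;
    return 0;
}

/* Exit path: may run after the host is freed, so it reads only the
 * snapshot. The unsafe shape would read cmd->host->special_pool. */
void demo_exit_rq(struct demo_cmd *cmd)
{
    free(cmd->buf);
    live[cmd->special_pool]--;
}

/* Free the host first, then the command; returns what is left in the
 * pool chosen by `special` (0 means the exit path used the right pool). */
int demo_teardown_order(bool special)
{
    struct demo_cmd cmd;
    struct demo_host *host = malloc(sizeof(*host));
    int rc = -1;
    if (host) {
        host->special_pool = special;
        rc = demo_init_rq(&cmd, host);
    }
    free(host);                   /* host released before the command */
    if (rc != 0)
        return -1;
    demo_exit_rq(&cmd);           /* must still pick the correct pool */
    return live[special];
}
```

Building this with -fsanitize=address and switching demo_exit_rq() to read through cmd->host is a quick way to see the use-after-free the commit message refers to.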