FYI: This patch is NACK'd as it is superseded by a patch proposed long
ago (2/23/06), which finally showed up in 2.6.17-rc1. See:
http://marc.theaimsgroup.com/?l=linux-scsi&m=114072663121857&w=2
Note: this patch corrected the reuse error w/o issue, but did not
address the reuse of the sysfs namespace. The other patch addresses
both.
-- james s
James Smart wrote:
When reaping the starget, after all sdev's have been removed, the starget
was queued for deletion via usercontext, but was left on the shost's
__targets list. Another scanning thread can match the starget and use it,
causing reference after free problems.
This patch unlinks the starget at the same time it is scheduled for deletion.
-- james s
Signed-off-by: James Smart <james.smart@xxxxxxxxxx>
diff -upNr a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
--- a/drivers/scsi/scsi_scan.c 2006-06-14 11:37:09.000000000 -0400
+++ b/drivers/scsi/scsi_scan.c 2006-06-14 16:55:58.000000000 -0400
@@ -415,7 +415,6 @@ static void scsi_target_reap_usercontext
spin_lock_irqsave(shost->host_lock, flags);
if (shost->hostt->target_destroy)
shost->hostt->target_destroy(starget);
- list_del_init(&starget->siblings);
spin_unlock_irqrestore(shost->host_lock, flags);
put_device(&starget->dev);
}
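Review bot: with list_del_init(&starget->siblings) dropped from scsi_target_reap_usercontext, the hostt->target_destroy callback now runs after the starget has already left the siblings list, where before it ran while the starget was still linked. That ordering change is visible to any LLDD implementing target_destroy and is not mentioned in the commit message; please state it there or in a comment above the callback. The host_lock section here now covers only the target_destroy call, so a short comment saying what the lock still protects would also help.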
@@ -439,6 +438,7 @@ void scsi_target_reap(struct scsi_target
if (--starget->reap_ref == 0 && list_empty(&starget->devices)) {
BUG_ON(starget->state == STARGET_DEL);
starget->state = STARGET_DEL;
+ list_del_init(&starget->siblings);
spin_unlock_irqrestore(shost->host_lock, flags);
execute_in_process_context(scsi_target_reap_usercontext,
starget, &starget->ew);
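Review bot: the unlink added after starget->state = STARGET_DEL closes the lookup window, but the remaining teardown is still deferred through execute_in_process_context, and put_device(&starget->dev) only happens in scsi_target_reap_usercontext. Between the unlink and that work running, a scanning thread no longer finds this starget on the list and can set up a new one for the same target while the old device is still alive, which is the sysfs namespace reuse the follow-up in this thread says is not addressed. Please add a comment here that list_del_init must be done under host_lock together with the state change, and either handle the name overlap or document it as a known limitation.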
-
: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html