Re: [PATCH v2] scsi: sg: Avoid sg device teardown race

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 3/20/24 04:08, Alexander Wetzel wrote:

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 86210e4dd0d3..80e0d1981191 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2232,8 +2232,8 @@ sg_remove_sfp_usercontext(struct work_struct *work)
  			"sg_remove_sfp: sfp=0x%p\n", sfp));
  	kfree(sfp);
- scsi_device_put(sdp->device); 
  	kref_put(&sdp->d_ref, sg_device_destroy);
+	scsi_device_put(sdp->device);
  	module_put(THIS_MODULE);
  }


Since sg_device_destroy() frees struct sg_device and since the
scsi_device_put() call reads from struct sg_device, does this patch
introduce a use-after-free? Has it been tested with KASAN enabled?

Thanks,

Bart.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux