On Mon, 07 Jul 2008 15:50:01 -0500 James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:

> If you do a modremove of any sas driver, you run into an oops on
> shutdown when the host is removed (coming from the host bsg device).
>
> The root cause seems to be that there's a use after free of the
> bsg_class_device: In bsg_kref_release_function, this is used (to do a
> put_device(bcd->parent)) after bcd->release has been called. In sas (and
> possibly many other things) bcd->release frees the queue which contains
> the bsg_class_device, so we get a put_device on unreferenced memory.
>
> Fix this by taking a copy of the pointer to the parent before releasing
> bsg.

Thanks,

Currently, as you know, only the sas SMP handler uses bcd->release, so I
overlooked this silly bug with the removal of the iSCSI module.

> Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>

Acked-by: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx>
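As an added example, not code from this thread or from the kernel: a small userland model of the ordering bug described above and of the fix (snapshot bcd->parent before calling bcd->release, then put the saved pointer). Every type and function name here (toy_device, toy_queue, toy_class_device, put_target_buggy, put_target_fixed, POISON_PTR, parent_still_valid) is an assumption chosen for the illustration; the stand-in "free" poisons the queue instead of returning it to the allocator so that the stale read on the buggy path shows up deterministically rather than as undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed names: these types model struct device, struct bsg_class_device
 * and the request queue that embeds it; none of them is the kernel's own. */
struct toy_queue;

struct toy_device {
    int refcount;
    struct toy_queue *q;         /* the queue owned by this device */
};

struct toy_class_device {
    struct toy_device *parent;
    void (*release)(struct toy_device *parent);
};

struct toy_queue {
    int id;
    struct toy_class_device bcd; /* embedded, like bsg_dev inside request_queue */
};

/* Poison pattern written into "freed" memory (assumption, modelled on slab poisoning). */
#define POISON_PTR ((struct toy_device *)(uintptr_t)0x6b6b6b6b)

static int freed_queues;

/* Stand-in for the driver tearing down its queue (blk_cleanup_queue in SAS):
 * the memory is poisoned rather than released so a later read of it is
 * deterministic instead of undefined behaviour. */
static void toy_free_queue(struct toy_queue *q)
{
    q->bcd.parent = POISON_PTR;
    q->bcd.release = NULL;
    freed_queues++;
}

/* The bcd->release callback as a SAS-style driver supplies it: it frees the
 * queue, and with it the bsg_class_device embedded in that queue. */
static void toy_release(struct toy_device *parent)
{
    toy_free_queue(parent->q);
    parent->q = NULL;
}

static void put_device(struct toy_device *d)
{
    d->refcount--;
}

/* Buggy ordering from the thread: bcd->parent is read after bcd->release()
 * has torn down the queue that contains bcd. */
static struct toy_device *put_target_buggy(struct toy_class_device *bcd)
{
    if (bcd->release)
        bcd->release(bcd->parent);
    return bcd->parent;          /* read from memory the driver just freed */
}

/* Fixed ordering: copy the parent pointer first, then release. */
static struct toy_device *put_target_fixed(struct toy_class_device *bcd)
{
    struct toy_device *parent = bcd->parent;

    if (bcd->release)
        bcd->release(bcd->parent);
    return parent;               /* *bcd is never touched again */
}

/* Builds a device with an embedded class device, runs one of the two
 * orderings and reports whether put_device() would have hit live memory:
 * 1 when the target is the real parent, 0 when it is the poison value. */
static int parent_still_valid(int use_fix)
{
    struct toy_device dev = { 1, NULL };
    struct toy_queue *q = calloc(1, sizeof *q);
    struct toy_device *target;
    int ok;

    if (!q)
        return -1;
    q->id = 1;
    q->bcd.parent = &dev;
    q->bcd.release = toy_release;
    dev.q = q;

    target = use_fix ? put_target_fixed(&q->bcd) : put_target_buggy(&q->bcd);
    ok = (target == &dev);
    if (ok)
        put_device(target);      /* only safe on the fixed path */
    free(q);                     /* real free, after every read of q */
    return ok;
}

int main(void)
{
    printf("buggy ordering: put_device target valid = %d\n", parent_still_valid(0));
    printf("fixed ordering: put_device target valid = %d\n", parent_still_valid(1));
    return 0;
}
```

In the kernel the same stale read is what slab poisoning or KASAN would flag; the poison stub plays that role here so the difference between the two orderings is visible without a crash.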