On Wed, 6 Jul 2011, Roland Dreier wrote:

> Alan Stern's patch looks a bit fishy -- the scsi_free_queue() is moved
> earlier than the
>
>     /* cause the request function to reject all I/O requests */
>     sdev->request_queue->queuedata = NULL;
>
> which seems to leave a small window where the use-after-free can
> happen, and it's not clear to me why the scsi_free_queue() has to move
> at all.

Looks can be deceiving. Although the scsi_free_queue() is higher up in the source file, it actually runs later than this code. That's because __scsi_remove_device() -- this code -- gets called when the device is unregistered from the driver core, whereas scsi_device_dev_release_usercontext() -- where the scsi_free_queue() is moved to -- gets called when the last reference to the device is dropped.

Now, one of the things I'm not sure about (it would be nice if James would pick up this thread again and comment) is whether queuedata should be set to NULL at unregistration time or later on, when the device and the queue are about to be freed.

Alan Stern
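The ordering Alan describes, as an added userspace model that is not kernel code and not part of this thread: unregistration clears queuedata so the request function rejects further I/O, but the queue is only freed from the final-release path, so a holder of a leftover device reference that still submits I/O sees a valid, rejecting queue rather than freed memory. All `_model` functions, the refcount field standing in for the device kref, and the `run_teardown_scenario()` harness are this example's own constructions.

```c
#include <stdlib.h>

/* Added userspace model of the SCSI teardown ordering discussed in the
 * thread. Names ending in _model are this example's stand-ins, not the
 * kernel's real functions. */

struct request_queue {
    void *queuedata;            /* points at the owning device while live */
};

struct scsi_device {
    int refcount;               /* stands in for the struct device kref */
    struct request_queue *request_queue;
};

struct teardown_stats {
    int served;                 /* requests accepted before unregistration */
    int rejected;               /* requests refused after queuedata = NULL */
    int queue_frees;            /* how many times the queue was freed */
    int freed_before_last_put;  /* 1 if the queue was freed while a reference remained */
};

static struct teardown_stats stats;
static int queue_is_freed;

/* Block-layer request function: the kernel code relies on queuedata being
 * NULL to reject I/O once the device has been unregistered. */
static int request_fn_model(struct request_queue *q)
{
    if (q->queuedata == NULL) {
        stats.rejected++;
        return -1;
    }
    stats.served++;
    return 0;
}

static void scsi_free_queue_model(struct request_queue *q)
{
    stats.queue_frees++;
    queue_is_freed = 1;
    free(q);
}

/* Final release (scsi_device_dev_release_usercontext() in the thread):
 * runs only when the last device reference is dropped, which is where
 * the patch moves scsi_free_queue(). */
static void release_usercontext_model(struct scsi_device *sdev)
{
    scsi_free_queue_model(sdev->request_queue);
    free(sdev);
}

static void scsi_device_put_model(struct scsi_device *sdev)
{
    if (--sdev->refcount == 0)
        release_usercontext_model(sdev);
}

/* Unregistration from the driver core (__scsi_remove_device() in the
 * thread): stop new I/O and drop the core's reference, but do not free
 * the queue here, since other references may still be outstanding. */
static void __scsi_remove_device_model(struct scsi_device *sdev)
{
    sdev->request_queue->queuedata = NULL;  /* request fn now rejects I/O */
    scsi_device_put_model(sdev);
}

static struct scsi_device *scsi_alloc_sdev_model(void)
{
    struct scsi_device *sdev = calloc(1, sizeof *sdev);
    struct request_queue *q = calloc(1, sizeof *q);
    if (!sdev || !q) {
        free(sdev);
        free(q);
        return NULL;
    }
    q->queuedata = sdev;
    sdev->request_queue = q;
    sdev->refcount = 1;         /* the driver core's reference */
    return sdev;
}

/* Constructed scenario: a second holder keeps a reference across
 * unregistration and submits I/O afterwards. With the described ordering
 * that I/O is rejected but never touches freed memory. */
struct teardown_stats run_teardown_scenario(void)
{
    struct scsi_device *sdev = scsi_alloc_sdev_model();
    struct request_queue *q;

    stats = (struct teardown_stats){0};
    queue_is_freed = 0;
    if (!sdev)
        return stats;

    q = sdev->request_queue;
    sdev->refcount++;                        /* the extra holder's reference */
    request_fn_model(q);                     /* served: device still live */

    __scsi_remove_device_model(sdev);        /* queuedata cleared, core ref dropped */
    stats.freed_before_last_put = queue_is_freed;  /* 0: queue still allocated */
    request_fn_model(q);                     /* rejected, no use-after-free */

    scsi_device_put_model(sdev);             /* last reference: queue freed now */
    return stats;
}
```

The model makes the window Roland worried about concrete: if `scsi_free_queue_model()` were instead called from `__scsi_remove_device_model()`, the second `request_fn_model(q)` call would dereference freed memory, and `freed_before_last_put` would read 1. Keeping the free in the last-reference path is what closes that window, independent of where the two functions sit in the source file.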