On Sep 3, 2012, at 9:12 AM, Bart Van Assche <bvanassche@xxxxxxx> wrote:

> If the put_device() call in scsi_request_fn() drops the sdev refcount
> to zero then the spin_lock() call after the put_device() call triggers
> a use-after-free. Avoid that by making sure that blk_cleanup_queue()
> can only finish after all active scsi_request_fn() calls have returned.

If we have this patch

http://marc.info/?l=linux-scsi&m=134453905402413&w=2

it seems we have all the scsi layer callers of the request_fn/*blk_run_queue holding a reference to the device when they make the call. Right, or are there some other places missing?

What are the other places we can call the request_fn without already holding a reference to the device? Is it the block layer? Is that why we need this patch?