On 09/06/12 18:27, Michael Christie wrote:
> On Sep 3, 2012, at 9:12 AM, Bart Van Assche <bvanassche@xxxxxxx> wrote:
>> If the put_device() call in scsi_request_fn() drops the sdev refcount
>> to zero then the spin_lock() call after the put_device() call triggers
>> a use-after-free. Avoid that by making sure that blk_cleanup_queue()
>> can only finish after all active scsi_request_fn() calls have returned.
>
> If we have this patch http://marc.info/?l=linux-scsi&m=134453905402413&w=2
> it seems we have all the scsi layer callers of the request_fn/
> *blk_run_queue holding a reference to the device when they make the call.
> Right, or are there some other places missing?
>
> What are the other places we can call the request_fn without already
> holding a reference to the device? Is it the block layer? Is that why we
> need this patch?

Hello Mike,

The purpose of this patch is indeed to make *blk_run_queue() calls from
the block layer safe. There are several direct or indirect *blk_run_queue()
calls in the block layer where a reference on the queue is held but not on
the sdev, e.g. in the md, dm and bsg drivers.

Bart.
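The ordering problem Bart's patch description quotes, as an added single-threaded model that is neither the patch nor kernel code: the names are reused from the discussion, but the structures, the `other` callback standing in for a concurrent reference holder, and the flag-based "free" that counts accesses instead of corrupting memory are all constructed for this illustration.

```c
#include <stdbool.h>
/* Simplified single-threaded model of the ordering problem quoted above; names
 * mirror the kernel's but this is not kernel code. The sdev release path is
 * collapsed into put_device(), and "freeing" the queue only sets a flag so that
 * an access after free is counted rather than corrupting memory. */
struct request_queue {
    int request_fn_active;   /* request_fn() calls currently in progress */
    bool freed;              /* blk_cleanup_queue() has finished */
    bool cleanup_pending;    /* cleanup is waiting for request_fn() to return */
    bool drain_request_fn;   /* the fix: cleanup waits for active calls */
    int uaf_count;           /* queue lock taken after the queue was freed */
};
struct sdev { int refcount; struct request_queue *q; };
static void spin_lock(struct request_queue *q) { if (q->freed) q->uaf_count++; }
/* With the fix, cleanup can only finish once no request_fn() call is active. */
static void blk_cleanup_queue(struct request_queue *q)
{
    q->cleanup_pending = q->drain_request_fn && q->request_fn_active > 0;
    if (!q->cleanup_pending)
        q->freed = true;                 /* else retried when request_fn() returns */
}
static void put_device(struct sdev *sdev) /* last reference tears down the queue */
{
    if (--sdev->refcount == 0)
        blk_cleanup_queue(sdev->q);
}
/* The ordering the patch description quotes: put_device(), then spin_lock().
 * 'other' stands for a concurrent path that drops its own sdev reference. */
static void scsi_request_fn(struct sdev *sdev, void (*other)(struct sdev *))
{
    sdev->refcount++;                    /* get_device() while dispatching */
    other(sdev);
    put_device(sdev);                    /* may drop the refcount to zero */
    spin_lock(sdev->q);                  /* use-after-free if the queue is gone */
}
/* Block-layer entry point: holds a queue reference but no sdev reference. */
static void blk_run_queue(struct sdev *sdev, void (*other)(struct sdev *))
{
    sdev->q->request_fn_active++;
    scsi_request_fn(sdev, other);
    if (--sdev->q->request_fn_active == 0 && sdev->q->cleanup_pending)
        blk_cleanup_queue(sdev->q);      /* the waiting cleanup can finish now */
}
int simulate(bool with_fix) /* freed-queue accesses, or -1 if never torn down */
{
    struct request_queue q = { .drain_request_fn = with_fix };
    struct sdev sdev = { .refcount = 1, .q = &q };
    blk_run_queue(&sdev, put_device);    /* the other holder drops its ref */
    return q.freed ? q.uaf_count : -1;
}
```

`simulate(false)` reproduces the access to the torn-down queue; `simulate(true)` shows the queue still being cleaned up, but only after the active `scsi_request_fn()` call has returned.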