+ scsi-midlayer-fix-sdev-reuse-after-free.patch added to -mm tree

akpm@xxxxxxxx · Tue, 27 Jun 2006 14:44:14 -0700

The patch titled

     scsi midlayer: fix sdev reuse after free

has been added to the -mm tree.  Its filename is

     scsi-midlayer-fix-sdev-reuse-after-free.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: scsi midlayer: fix sdev reuse after free
From: James Smart <James.Smart@xxxxxxxxxx>


The conversion to execute_in_process_context() highlighted a use-after-free
race condition.  Although the sdev was torn down, it remained in the linked
lists looked at by scan, and allowed scan to reuse the sdev.

This patch removes the sdev from the lists at the point it tears down the
sdev.

Signed-off-by: James Smart <james.smart@xxxxxxxxxx>
Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 drivers/scsi/scsi_sysfs.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff -puN drivers/scsi/scsi_sysfs.c~scsi-midlayer-fix-sdev-reuse-after-free drivers/scsi/scsi_sysfs.c

--- 25/drivers/scsi/scsi_sysfs.c~scsi-midlayer-fix-sdev-reuse-after-free	Tue Jun 27 14:44:13 2006
+++ 25-akpm/drivers/scsi/scsi_sysfs.c	Tue Jun 27 14:44:13 2006
@@ -232,8 +232,6 @@ static void scsi_device_dev_release_user
 
 	spin_lock_irqsave(sdev->host->host_lock, flags);
 	starget->reap_ref++;
-	list_del(&sdev->siblings);
-	list_del(&sdev->same_target_siblings);
 	list_del(&sdev->starved_entry);
 	spin_unlock_irqrestore(sdev->host->host_lock, flags);
 
@@ -736,10 +734,15 @@ int scsi_sysfs_add_sdev(struct scsi_devi
 void __scsi_remove_device(struct scsi_device *sdev)
 {
 	struct device *dev = &sdev->sdev_gendev;
+	unsigned long flags;
 
 	if (scsi_device_set_state(sdev, SDEV_CANCEL) != 0)
 		return;
 
+	spin_lock_irqsave(sdev->host->host_lock, flags);
+	list_del(&sdev->siblings);
+	list_del(&sdev->same_target_siblings);
+	spin_unlock_irqrestore(sdev->host->host_lock, flags);
 	class_device_unregister(&sdev->sdev_classdev);
 	transport_remove_device(dev);
 	device_del(dev);
_

Patches currently in -mm which might be from James.Smart@xxxxxxxxxx are

git-scsi-misc.patch
fc-transport-bug-fix-correct-references.patch
scsi-midlayer-fix-sdev-reuse-after-free.patch
block-i-o-while-sg-reset-operation-in-progress-midlayer.patch
block-i-o-while-sg-reset-operation-in-progress-lpfc.patch
fc-transport-resolve-scan-vs-delete-deadlocks.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




