The patch titled

     scsi_target_reap(): use-after-free fix

has been added to the -mm tree.  Its filename is

     scsi_target_reap-use-after-free-fix.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: scsi_target_reap(): use-after-free fix
From: James Smart <James.Smart@xxxxxxxxxx>

When reaping the starget, after all sdev's have been removed, the starget
was queued for deletion via usercontext, but was left on the shost's
__targets list.  Another scanning thread can match the starget and use it,
causing reference after free problems.

This patch unlinks the starget at the same time it is scheduled for
deletion.

Signed-off-by: James Smart <james.smart@xxxxxxxxxx>
Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
--- drivers/scsi/scsi_scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN drivers/scsi/scsi_scan.c~scsi_target_reap-use-after-free-fix drivers/scsi/scsi_scan.c --- a/drivers/scsi/scsi_scan.c~scsi_target_reap-use-after-free-fix +++ a/drivers/scsi/scsi_scan.c @@ -415,7 +415,6 @@ static void scsi_target_reap_usercontext spin_lock_irqsave(shost->host_lock, flags); if (shost->hostt->target_destroy) shost->hostt->target_destroy(starget); - list_del_init(&starget->siblings); spin_unlock_irqrestore(shost->host_lock, flags); put_device(&starget->dev); }
@@ -439,6 +438,7 @@ void scsi_target_reap(struct scsi_target if (--starget->reap_ref == 0 && list_empty(&starget->devices)) { BUG_ON(starget->state == STARGET_DEL); starget->state = STARGET_DEL; + list_del_init(&starget->siblings); spin_unlock_irqrestore(shost->host_lock, flags); execute_in_process_context(scsi_target_reap_usercontext, starget, &starget->ew); _ Patches currently in -mm which might be from James.Smart@xxxxxxxxxx are git-scsi-misc.patch fc-transport-bug-fix-correct-references.patch block-i-o-while-sg-reset-operation-in-progress-midlayer.patch block-i-o-while-sg-reset-operation-in-progress-lpfc.patch fc-transport-resolve-scan-vs-delete-deadlocks.patch scsi_target_reap-use-after-free-fix.patch
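Review bot: in the first hunk (scsi_target_reap_usercontext, @@ -415,7 +415,6 @@), once list_del_init(&starget->siblings) is gone the host_lock section covers only the optional shost->hostt->target_destroy(starget) call, and nothing in the function records that the starget is already off the host's list by the time this deferred work runs. A short comment above spin_lock_irqsave() saying that scsi_target_reap() has already unlinked the starget would keep a later cleanup from re-adding the unlink here or dropping the lock without checking whether target_destroy implementations rely on being called under host_lock.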
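Review bot: in the second hunk (scsi_target_reap, @@ -439,6 +438,7 @@), the added list_del_init(&starget->siblings) carries no comment explaining why it must sit before spin_unlock_irqrestore() and before execute_in_process_context(), and that ordering is the whole fix. Suggest a one-line comment next to it stating that the starget has to leave the host's list in the same host_lock critical section that sets STARGET_DEL, because the actual teardown is deferred and a concurrent scan could otherwise still match it. It is also worth confirming in the changelog that every path that walks this list does so under shost->host_lock, since the unlink is only safe against those.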