author | Vaughan Cao <vaughan.cao@oracle.com> | 2013-08-29 10:00:38 +0800 |
---|---|---|
committer | James Bottomley <JBottomley@Parallels.com> | 2013-09-03 07:28:09 -0700 |
commit | e32c9e6300e3af659cbfe45e90a1e7dcd3572ada (patch) | |
tree | 2e924a5838335cbfca0cf52a0add8e38801773e2 | |
parent | 00b2d9d6d05b56fc1d77071ff8ccbd2c65b48dec (diff) | |
[SCSI] sg: checking sdp->detached isn't protected when open
@detached is set under the protection of sg_index_lock. Without getting the
lock, new sfp will be added during sg removal and there is no chance for it
to be picked out. So check with sg_index_lock held in sg_add_sfp().
Signed-off-by: Vaughan Cao <vaughan.cao@oracle.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
-rw-r--r-- | drivers/scsi/sg.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index d4af132..64df1ab 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -295,23 +295,20 @@ sg_open(struct inode *inode, struct file *filp)
 if (flags & O_EXCL)
 sdp->exclude = 1; /* used by release lock */
- if (sdp->detached) {
- retval = -ENODEV;
- goto sem_out;
- }
 if (sfds_list_empty(sdp)) { /* no existing opens on this device */
 sdp->sgdebug = 0;
 q = sdp->device->request_queue;
 sdp->sg_tablesize = queue_max_segments(q);
 }
- if ((sfp = sg_add_sfp(sdp, dev)))
+ sfp = sg_add_sfp(sdp, dev);
+ if (!IS_ERR(sfp))
 filp->private_data = sfp;
 /* retval is already provably zero at this point because of the
 * check after retval = scsi_autopm_get_device(sdp->device)) */
 else {
- retval = -ENOMEM;
-sem_out:
+ retval = PTR_ERR(sfp);
+
 if (flags & O_EXCL) {
 sdp->exclude = 0; /* undo if error */
 up_write(&sdp->o_sem);
@@ -2045,7 +2042,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
 sfp = kzalloc(sizeof(*sfp), GFP_ATOMIC | __GFP_NOWARN);
 if (!sfp)
- return NULL;
+ return ERR_PTR(-ENOMEM);
 init_waitqueue_head(&sfp->read_wait);
 rwlock_init(&sfp->rq_list_lock);
@@ -2060,6 +2057,10 @@ sg_add_sfp(Sg_device * sdp, int dev)
 sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;
 sfp->parentdp = sdp;
 write_lock_irqsave(&sg_index_lock, iflags);
+ if (sdp->detached) {
+ write_unlock_irqrestore(&sg_index_lock, iflags);
+ return ERR_PTR(-ENODEV);
+ }
 list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
 write_unlock_irqrestore(&sg_index_lock, iflags);
 SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: sfp=0x%p\n", sfp));
|
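Review bot: With the `sdp->detached` test moved out of sg_open(), the `sfds_list_empty(sdp)` block now runs before any detached check, so it reads `sdp->device->request_queue` and writes `sgdebug` and `sg_tablesize` on a device that may already be detached. Whether `sdp->device` is still safe to dereference at that point depends on a reference taken earlier in sg_open(), which is outside this hunk. If that reference is what makes it safe, a comment above the block would record it, for example `/* sdp->device is pinned by the reference taken earlier in sg_open(); detached is checked under sg_index_lock in sg_add_sfp() */`. If it is not, the block should move after the sg_add_sfp() call succeeds.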
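Review bot: sg_add_sfp() now signals failure with `ERR_PTR()` instead of NULL, but the changed return convention is not documented anywhere in the lines shown. A caller that still tests `!sfp` would treat an error pointer as a valid Sg_fd and dereference it. Only the sg_open() call site is updated in this commit; any other callers are not visible here and should be checked. A comment above the function would pin the contract, for example `/* Returns the new Sg_fd, or ERR_PTR(-ENOMEM) / ERR_PTR(-ENODEV) on failure; never NULL. */`. The function's signature and the rest of its body lie outside this hunk.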
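Review bot: The new `sdp->detached` branch returns `ERR_PTR(-ENODEV)` without freeing the `sfp` that kzalloc() returned earlier in sg_add_sfp() (the -2045 hunk), so each open that loses the race with device removal appears to leak one Sg_fd allocation. The lines between the two hunks are not shown, but nothing visible hands `sfp` to another owner before `list_add_tail()`. The branch should free it after dropping the lock: `write_unlock_irqrestore(&sg_index_lock, iflags);` then `kfree(sfp);` then `return ERR_PTR(-ENODEV);`. The function continues past the end of this hunk.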