op-kernel-dev - Development kernel branch for OpenPOWER systems

diff options

author	Bart Van Assche <bart.vanassche@sandisk.com>	2017-06-02 14:21:52 -0700
committer	Martin K. Petersen <martin.petersen@oracle.com>	2017-06-12 20:55:58 -0400
commit	8e6882545d8c06f99e9e117741cc87f3338b0bef (patch)
tree	12a6bb40ee60e460788b3b45cddce7326dba6a4f /include/scsi/scsi_device.h
parent	896f6966fc815abe71f85fb26f0193875df8a035 (diff)
download	op-kernel-dev-8e6882545d8c06f99e9e117741cc87f3338b0bef.zip op-kernel-dev-8e6882545d8c06f99e9e117741cc87f3338b0bef.tar.gz

scsi: Avoid that scsi_exit_rq() triggers a use-after-free

Dereferencing shost from scsi_exit_rq() is not safe because the SCSI host may already have been freed when scsi_exit_rq() is called. Increasing the shost reference count in scsi_init_rq() and dropping that reference in scsi_exit_rq() is nontrivial since scsi_host_dev_release() may sleep and since scsi_exit_rq() may be called from interrupt context. Since scsi_exit_rq() only needs a single bit from shost, copy that bit into struct scsi_cmnd. Reported-by: Scott Bauer <scott.bauer@intel.com> Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request") Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.com> Cc: Scott Bauer <scott.bauer@intel.com> Cc: Jan Kara <jack@suse.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

Diffstat (limited to 'include/scsi/scsi_device.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: