projects / wrapfs-4.12.y.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d5ec279) | patch
scsi: Avoid that scsi_exit_rq() triggers a use-after-free
authorBart Van Assche <bart.vanassche@sandisk.com>
Fri, 2 Jun 2017 21:21:52 +0000 (14:21 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 27 Jul 2017 22:10:08 +0000 (15:10 -0700)
commitbbfbcfa3bc2f29277cf5b25c5d09228518e1d3c3
tree97fb698d7b1e09241d87330ddffcaedd014d0a13tree | snapshot
parentd5ec2793a65264c06949fedbeb2582dd93b7f49dcommit | diff
scsi: Avoid that scsi_exit_rq() triggers a use-after-free

commit 8e6882545d8c06f99e9e117741cc87f3338b0bef upstream.

Dereferencing shost from scsi_exit_rq() is not safe because the SCSI
host may already have been freed when scsi_exit_rq() is called.
Increasing the shost reference count in scsi_init_rq() and dropping that
reference in scsi_exit_rq() is nontrivial since scsi_host_dev_release()
may sleep and since scsi_exit_rq() may be called from interrupt
context. Since scsi_exit_rq() only needs a single bit from shost, copy
that bit into struct scsi_cmnd.

Reported-by: Scott Bauer <scott.bauer@intel.com>
Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Scott Bauer <scott.bauer@intel.com>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/scsi/scsi_lib.c diff | blob | history
include/scsi/scsi_cmnd.h diff | blob | history
wrapfs-4.12.y