diff options
| author | Bart Van Assche <[email protected]> | 2017-06-02 14:21:52 -0700 |
|---|---|---|
| committer | Martin K. Petersen <[email protected]> | 2017-06-12 20:55:58 -0400 |
| commit | 8e6882545d8c06f99e9e117741cc87f3338b0bef (patch) | |
| tree | 12a6bb40ee60e460788b3b45cddce7326dba6a4f /tools/perf/scripts/python | |
| parent | 896f6966fc815abe71f85fb26f0193875df8a035 (diff) | |
scsi: Avoid that scsi_exit_rq() triggers a use-after-free
Dereferencing shost from scsi_exit_rq() is not safe because the SCSI
host may already have been freed when scsi_exit_rq() is called.
Increasing the shost reference count in scsi_init_rq() and dropping that
reference in scsi_exit_rq() is nontrivial since scsi_host_dev_release()
may sleep and since scsi_exit_rq() may be called from interrupt
context. Since scsi_exit_rq() only needs a single bit from shost, copy
that bit into struct scsi_cmnd.
Reported-by: Scott Bauer <[email protected]>
Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request")
Signed-off-by: Bart Van Assche <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Cc: Hannes Reinecke <[email protected]>
Cc: Scott Bauer <[email protected]>
Cc: Jan Kara <[email protected]>
Cc: <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python')
0 files changed, 0 insertions, 0 deletions