1
linux/drivers/s390/scsi
Martin Peschke d436de8ce2 [SCSI] zfcp: only access zfcp_scsi_dev for valid scsi_device
__scsi_remove_device (e.g. due to dev_loss_tmo) calls
zfcp_scsi_slave_destroy which in turn sends a close LUN FSF request to
the adapter. After 30 seconds without response,
zfcp_erp_timeout_handler kicks the ERP thread failing the close LUN
ERP action. zfcp_erp_wait in zfcp_erp_lun_shutdown_wait and thus
zfcp_scsi_slave_destroy returns and then scsi_device is no longer
valid. Sometime later the response to the close LUN FSF request may
finally come in. However, commit
b62a8d9b45
"[SCSI] zfcp: Use SCSI device data zfcp_scsi_dev instead of zfcp_unit"
introduced a number of attempts to unconditionally access struct
zfcp_scsi_dev through struct scsi_device causing a use-after-free.
This leads to an Oops due to kernel page fault in one of:
zfcp_fsf_abort_fcp_command_handler, zfcp_fsf_open_lun_handler,
zfcp_fsf_close_lun_handler, zfcp_fsf_req_trace,
zfcp_fsf_fcp_handler_common.
Move dereferencing of zfcp private data zfcp_scsi_dev allocated in
scsi_device via scsi_transport_reserve_device after the check for
potentially aborted FSF request and thus no longer valid scsi_device.
Only then assign sdev_to_zfcp(sdev) to the local auto variable struct
zfcp_scsi_dev *zfcp_sdev.

Signed-off-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> #2.6.37+
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-09-24 12:11:02 +04:00
..
Makefile [SCSI] zfcp: Move code for managing zfcp_unit devices to new file 2010-09-16 22:54:15 -04:00
zfcp_aux.c [SCSI] zfcp: restore refcount check on port_remove 2012-09-24 12:11:02 +04:00
zfcp_ccw.c [SCSI] zfcp: No automatic port_rescan on events 2012-09-24 12:11:02 +04:00
zfcp_cfdc.c [SCSI] zfcp: remove invalid reference to list iterator variable 2012-09-24 12:11:02 +04:00
zfcp_dbf.c [SCSI] zfcp: Do not wakeup while suspended 2012-09-24 12:11:01 +04:00
zfcp_dbf.h [SCSI] zfcp: Do not wakeup while suspended 2012-09-24 12:11:01 +04:00
zfcp_def.h [SCSI] zfcp: restore refcount check on port_remove 2012-09-24 12:11:02 +04:00
zfcp_erp.c [SCSI] zfcp: No automatic port_rescan on events 2012-09-24 12:11:02 +04:00
zfcp_ext.h [SCSI] zfcp: No automatic port_rescan on events 2012-09-24 12:11:02 +04:00
zfcp_fc.c [SCSI] zfcp: No automatic port_rescan on events 2012-09-24 12:11:02 +04:00
zfcp_fc.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
zfcp_fsf.c [SCSI] zfcp: only access zfcp_scsi_dev for valid scsi_device 2012-09-24 12:11:02 +04:00
zfcp_fsf.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
zfcp_qdio.c [SCSI] zfcp: Bounds checking for deferred error trace 2012-09-24 12:11:01 +04:00
zfcp_qdio.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
zfcp_reqlist.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
zfcp_scsi.c s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
zfcp_sysfs.c [SCSI] zfcp: restore refcount check on port_remove 2012-09-24 12:11:02 +04:00
zfcp_unit.c [SCSI] zfcp: restore refcount check on port_remove 2012-09-24 12:11:02 +04:00