From: Christof Schmitt <christof.schmitt@de.ibm.com>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: linux-scsi@vger.kernel.org, linux-s390@vger.kernel.org,
	Heiko Carstens <heiko.carstens@de.ibm.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Christof Schmitt <christof.schmitt@de.ibm.com>,
	Martin Peschke <mp3@de.ibm.com>
Subject: [patch 1/6] zfcp: fix use after free bug.
Date: Thu, 20 Dec 2007 12:30:22 +0100	[thread overview]
Message-ID: <20071220113231.840700000@de.ibm.com> (raw)
In-Reply-To: 20071220113021.955597000@de.ibm.com


From: Heiko Carstens <heiko.carstens@de.ibm.com>

zfcp_erp_strategy_check_fsfreq() checks if it is safe to access the
fsf_req associated with the erp_action that gets passed. To test if
it is safe it accesses the fsf_req in order to get its index into
the hash list. This is broken since the fsf_req might be freed already
and the read index has no meaning. It could lead to memory corruption.
Fix this by introducing a new zfcp_reqlist_find_safe() method which
just checks if addresses are equal. This is slower, but only gets
called in case of error recovery.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
Signed-off-by: Martin Peschke <mp3@de.ibm.com>
---

 drivers/s390/scsi/zfcp_def.h |   14 ++++++++++++++
 drivers/s390/scsi/zfcp_erp.c |    3 ++-
 2 files changed, 16 insertions(+), 1 deletion(-)

--- a/drivers/s390/scsi/zfcp_def.h	2007-12-20 11:15:10.000000000 +0100
+++ b/drivers/s390/scsi/zfcp_def.h	2007-12-20 11:17:46.000000000 +0100
@@ -1123,6 +1123,20 @@ zfcp_reqlist_find(struct zfcp_adapter *a
 	return NULL;
 }
 
+static inline struct zfcp_fsf_req *
+zfcp_reqlist_find_safe(struct zfcp_adapter *adapter, struct zfcp_fsf_req *req)
+{
+	struct zfcp_fsf_req *request;
+	unsigned int idx;
+
+	for (idx = 0; idx < REQUEST_LIST_SIZE; idx++) {
+		list_for_each_entry(request, &adapter->req_list[idx], list)
+			if (request == req)
+				return request;
+	}
+	return NULL;
+}
+
 /*
  *  functions needed for reference/usage counting
  */
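Review bot: zfcp_reqlist_find_safe() is only correct while the caller holds adapter->req_list_lock, yet nothing in the new header function says so; the one caller in zfcp_erp.c does take the lock, but a helper exported from zfcp_def.h will attract other callers who will not know to. Suggest a comment above the definition along the lines of `/* Must be called with adapter->req_list_lock held; walks all REQUEST_LIST_SIZE buckets, so keep it off the I/O path. */`, which also records the cost the commit message mentions. The same comment should state the contract the name "safe" hides: a matching address proves only that some request currently lives at that address, not that it is the object the caller remembers, so the caller still has to confirm ownership.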
--- a/drivers/s390/scsi/zfcp_erp.c	2007-12-20 11:15:10.000000000 +0100
+++ b/drivers/s390/scsi/zfcp_erp.c	2007-12-20 11:17:46.000000000 +0100
@@ -846,7 +846,8 @@ zfcp_erp_strategy_check_fsfreq(struct zf
 	if (erp_action->fsf_req) {
 		/* take lock to ensure that request is not deleted meanwhile */
 		spin_lock(&adapter->req_list_lock);
-		if (zfcp_reqlist_find(adapter, erp_action->fsf_req->req_id)) {
+		if (zfcp_reqlist_find_safe(adapter, erp_action->fsf_req) &&
+		    erp_action->fsf_req->erp_action == erp_action) {
 			/* fsf_req still exists */
 			debug_text_event(adapter->erp_dbf, 3, "a_ca_req");
 			debug_event(adapter->erp_dbf, 3, &erp_action->fsf_req,
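Review bot: the order of the two `&&` operands is load-bearing and deserves a word in the existing comment: `erp_action->fsf_req->erp_action` is dereferenced only after zfcp_reqlist_find_safe() has confirmed that the address is a live request, and the held req_list_lock keeps it live until the check completes; swap the operands and the dereference becomes the use-after-free being fixed. The second operand also closes the address-reuse gap that the commit message does not mention (a new request allocated at the same address passes the pointer comparison but carries a different or NULL erp_action). Suggest extending the comment to `/* take lock to ensure that request is not deleted meanwhile; match by address, then confirm it still belongs to this erp_action */`.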

-- 

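The defect the commit message describes, and the two-part check the patch ends up with, modelled in userspace as an added example. This is not zfcp's own code: the bucket list, the fixed request pool (which stands in for a slab so that a freed address is handed out again) and the erp_action layout are assumptions made for the demonstration; only the names req_list, REQUEST_LIST_SIZE and zfcp_reqlist_find_safe mirror the patch.

```c
#include <stddef.h>
#include <stdio.h>

#define REQUEST_LIST_SIZE 8   /* assumed bucket count; the driver's real value is not on the page */
#define POOL_SIZE 4           /* constructed pool so a freed slot is reused by the next allocation */

struct erp_action;

struct fsf_req {
	unsigned long req_id;          /* hash key into req_list */
	struct erp_action *erp_action; /* owning recovery action, or NULL */
	struct fsf_req *next;          /* bucket chaining */
	int in_use;                    /* pool bookkeeping */
};

struct erp_action {
	struct fsf_req *fsf_req;       /* raw pointer; may outlive the request */
};

struct adapter {
	struct fsf_req *req_list[REQUEST_LIST_SIZE];
	struct fsf_req pool[POOL_SIZE];
};

static unsigned int bucket_of(unsigned long req_id)
{
	return (unsigned int)(req_id % REQUEST_LIST_SIZE);
}

/* Take the lowest free pool slot and link it into its bucket. */
static struct fsf_req *req_alloc(struct adapter *a, unsigned long req_id,
				 struct erp_action *owner)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		struct fsf_req *r = &a->pool[i];
		if (r->in_use)
			continue;
		r->in_use = 1;
		r->req_id = req_id;
		r->erp_action = owner;
		r->next = a->req_list[bucket_of(req_id)];
		a->req_list[bucket_of(req_id)] = r;
		return r;
	}
	return NULL;
}

/* Unlink and release the slot; memory stays mapped, so stale pointers still point here. */
static void req_free(struct adapter *a, struct fsf_req *req)
{
	struct fsf_req **pp = &a->req_list[bucket_of(req->req_id)];
	while (*pp && *pp != req)
		pp = &(*pp)->next;
	if (*pp)
		*pp = req->next;
	req->in_use = 0;
	req->erp_action = NULL;
	req->req_id = 0;
}

/* Id-based lookup: trusts the caller to supply an id read from live memory. */
static struct fsf_req *reqlist_find(struct adapter *a, unsigned long req_id)
{
	for (struct fsf_req *r = a->req_list[bucket_of(req_id)]; r; r = r->next)
		if (r->req_id == req_id)
			return r;
	return NULL;
}

/* Address-based lookup from the patch: compares pointers only, never dereferences req. */
static struct fsf_req *zfcp_reqlist_find_safe(struct adapter *a, struct fsf_req *req)
{
	for (unsigned int idx = 0; idx < REQUEST_LIST_SIZE; idx++)
		for (struct fsf_req *r = a->req_list[idx]; r; r = r->next)
			if (r == req)
				return r;
	return NULL;
}

/* Pre-patch check: the bucket index is read through a possibly freed request. */
static int check_fsfreq_by_id(struct adapter *a, struct erp_action *erp)
{
	return reqlist_find(a, erp->fsf_req->req_id) != NULL;
}

/* Post-patch check: address match first, then confirm the request is still ours. */
static int check_fsfreq_safe(struct adapter *a, struct erp_action *erp)
{
	return zfcp_reqlist_find_safe(a, erp->fsf_req) &&
	       erp->fsf_req->erp_action == erp;
}

/* Request A is freed and an unrelated request B lands at the same address.
 * Returns 1 when the address really was reused; the two checks' verdicts go to by_id and safe. */
static int scenario_address_reuse(int *by_id, int *safe)
{
	struct adapter a = {0};
	struct erp_action erp = {0};
	struct fsf_req *req_a = req_alloc(&a, 17, &erp);
	erp.fsf_req = req_a;
	req_free(&a, req_a);                             /* A completes and is freed */
	struct fsf_req *req_b = req_alloc(&a, 25, NULL); /* B reuses A's slot */
	*by_id = check_fsfreq_by_id(&a, &erp);           /* reads B's id, finds B: false positive */
	*safe = check_fsfreq_safe(&a, &erp);             /* B's erp_action is NULL: correctly rejected */
	return req_b == req_a;
}

int main(void)
{
	int by_id, safe;
	int reused = scenario_address_reuse(&by_id, &safe);
	printf("address reused=%d  by-id check says alive=%d  safe check says alive=%d\n",
	       reused, by_id, safe);
	return 0;
}
```

The pool is what makes the scenario reproducible: on a real system the freed object's memory may hold the old id, a new request, or anything else, which is exactly why an index derived from it has no meaning. The ownership test on `erp_action` is what turns "some request lives at this address" into "our request is still in flight".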