From: Christof Schmitt <christof.schmitt@de.ibm.com>
To: James Bottomley <James.Bottomley@suse.de>
Cc: linux-scsi@vger.kernel.org, linux-s390@vger.kernel.org,
schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com,
Swen Schillig <swen@vnet.ibm.com>,
Christof Schmitt <christof.schmitt@de.ibm.com>
Subject: [patch 01/27] zfcp: invalid usage after free of port resources
Date: Tue, 18 Aug 2009 15:43:06 +0200 [thread overview]
Message-ID: <20090818135028.887008000@de.ibm.com> (raw)
In-Reply-To: 20090818134305.841868000@de.ibm.com
[-- Attachment #1: 700-zfcp-use-after-free.diff --]
[-- Type: text/plain, Size: 1988 bytes --]
From: Swen Schillig <swen@vnet.ibm.com>
In certain error scenarios ports, rports are getting attached,
validated and removed from the systems environment. Depending on the
layer this occurs asynchronously. This patch fixes the few races
which existed and ensures all references and cross references are
cleared at the time they're invalid. In addition fc transports
actions are only scheduled when required.
Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
---
drivers/s390/scsi/zfcp_aux.c | 7 +++++--
drivers/s390/scsi/zfcp_scsi.c | 6 ++++--
2 files changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/s390/scsi/zfcp_aux.c 2009-08-17 11:28:54.000000000 +0200
+++ b/drivers/s390/scsi/zfcp_aux.c 2009-08-17 11:28:56.000000000 +0200
@@ -672,12 +672,15 @@ err_out:
*/
void zfcp_port_dequeue(struct zfcp_port *port)
{
- wait_event(port->remove_wq, atomic_read(&port->refcount) == 0);
write_lock_irq(&zfcp_data.config_lock);
list_del(&port->list);
write_unlock_irq(&zfcp_data.config_lock);
- if (port->rport)
+ if (port->rport) {
port->rport->dd_data = NULL;
+ port->rport = NULL;
+ }
+ wait_event(port->remove_wq, atomic_read(&port->refcount) == 0);
+ cancel_work_sync(&port->rport_work); /* usually not necessary */
zfcp_adapter_put(port->adapter);
sysfs_remove_group(&port->sysfs_device.kobj, &zfcp_sysfs_port_attrs);
device_unregister(&port->sysfs_device);
--- a/drivers/s390/scsi/zfcp_scsi.c 2009-08-17 11:28:54.000000000 +0200
+++ b/drivers/s390/scsi/zfcp_scsi.c 2009-08-17 11:28:56.000000000 +0200
@@ -582,8 +582,10 @@ void zfcp_scsi_schedule_rport_block(stru
zfcp_port_get(port);
port->rport_task = RPORT_DEL;
- if (!queue_work(zfcp_data.work_queue, &port->rport_work))
- zfcp_port_put(port);
+ if (port->rport && queue_work(zfcp_data.work_queue, &port->rport_work))
+ return;
+
+ zfcp_port_put(port);
}
void zfcp_scsi_schedule_rports_block(struct zfcp_adapter *adapter)
next prev parent reply other threads:[~2009-08-18 13:43 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-18 13:43 [patch 00/27] zfcp updates for 2.6.32 Christof Schmitt
2009-08-18 13:43 ` Christof Schmitt [this message]
2009-08-18 13:43 ` [patch 02/27] zfcp: Move debug data from zfcp_data to own data structure Christof Schmitt
2009-08-18 13:43 ` [patch 03/27] zfcp: Only collect SCSI debug data for matching trace levels Christof Schmitt
2009-08-18 13:43 ` [patch 04/27] zfcp: Only collect FSF/HBA " Christof Schmitt
2009-08-18 13:43 ` [patch 05/27] zfcp: Remove useless assignment Christof Schmitt
2009-08-18 13:43 ` [patch 06/27] zfcp: Only issue one test link command per port Christof Schmitt
2009-08-18 13:43 ` [patch 07/27] zfcp: Implicitly close all wka ports Christof Schmitt
2009-08-18 13:43 ` [patch 08/27] zfcp: fix layering oddities between zfcp_fsf and zfcp_qdio Christof Schmitt
2009-08-18 13:43 ` [patch 09/27] zfcp: Replace fsf_req wait_queue with completion Christof Schmitt
2009-08-18 13:43 ` [patch 10/27] zfcp: Improve request allocation through mempools Christof Schmitt
2009-08-18 13:43 ` [patch 11/27] zfcp: Remove the useless ZFCP_REQ_AUTO_CLEANUP flag Christof Schmitt
2009-08-18 13:43 ` [patch 12/27] zfcp: Move workqueue to adapter struct Christof Schmitt
2009-08-18 13:43 ` [patch 13/27] zfcp: Separate qdio attributes from zfcp_fsf_req Christof Schmitt
2009-08-18 13:43 ` [patch 14/27] zfcp: Move qdio related data out of zfcp_adapter Christof Schmitt
2009-08-18 13:43 ` [patch 15/27] zfcp: Decouple gid_pn requests from erp Christof Schmitt
2009-08-18 13:43 ` [patch 16/27] zfcp: Update dbf calls Christof Schmitt
2009-08-18 13:43 ` [patch 17/27] zfcp: introduce _setup, _destroy for qdio and FC Christof Schmitt
2009-08-18 13:43 ` [patch 18/27] zfcp: Apply common naming conventions to zfcp_fc Christof Schmitt
2009-08-18 13:43 ` [patch 19/27] zfcp: resolve false usage of dd_data in fc_rport Christof Schmitt
2009-08-18 13:43 ` [patch 20/27] zfcp: Use kthread API for zfcp erp thread Christof Schmitt
2009-08-18 13:43 ` [patch 21/27] zfcp: Simplify and update ct/gs and els timeout handling Christof Schmitt
2009-08-18 13:43 ` [patch 22/27] zfcp: Defer resource allocation to first ccw_set_online call Christof Schmitt
2009-08-18 13:43 ` [patch 23/27] zfcp: Replace config semaphore with mutex Christof Schmitt
2009-08-18 13:43 ` [patch 24/27] zfcp: proper use of device register Christof Schmitt
2009-08-18 13:43 ` [patch 25/27] zfcp: Handle failures during device allocation correctly Christof Schmitt
2009-08-18 13:43 ` [patch 26/27] zfcp: Remove duplicated code for debug timestamps Christof Schmitt
2009-08-18 13:43 ` [patch 27/27] zfcp: optimize zfcp_qdio_account Christof Schmitt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090818135028.887008000@de.ibm.com \
--to=christof.schmitt@de.ibm.com \
--cc=James.Bottomley@suse.de \
--cc=heiko.carstens@de.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=schwidefsky@de.ibm.com \
--cc=swen@vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.