From mboxrd@z Thu Jan 1 00:00:00 1970 From: James Smart Subject: [PATCH] Close list corruption window in __scsi_iterate_devices Date: Tue, 21 Feb 2006 17:28:23 -0500 Message-ID: <43FB9407.7010102@emulex.com> Reply-To: James.Smart@Emulex.Com Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Return-path: Received: from emulex.emulex.com ([138.239.112.1]:60617 "EHLO emulex.emulex.com") by vger.kernel.org with ESMTP id S964795AbWBUW2c (ORCPT ); Tue, 21 Feb 2006 17:28:32 -0500 Received: from xbl3.ad.emulex.com (xbl3.ma.emulex.com [138.239.73.12]) by emulex.emulex.com (8.12.10/8.12.10) with ESMTP id k1LMSOrf025750 for ; Tue, 21 Feb 2006 14:28:24 -0800 (PST) Sender: linux-scsi-owner@vger.kernel.org List-Id: linux-scsi@vger.kernel.org To: linux-scsi The existing code could allow the use of a list pointer that is grabbed prior to the lock, changes while waiting for the lock, thus is no longer valid while the lock is held. -- james s --- a/drivers/scsi/scsi.c 2006-02-06 06:01:12.000000000 -0500 +++ b/drivers/scsi/scsi.c.NEW 2006-02-21 17:30:31.000000000 -0500 @@ -1015,11 +1015,12 @@ EXPORT_SYMBOL(scsi_device_put); struct scsi_device *__scsi_iterate_devices(struct Scsi_Host *shost, struct scsi_device *prev) { - struct list_head *list = (prev ? &prev->siblings : &shost->__devices); + struct list_head *list; struct scsi_device *next = NULL; unsigned long flags; spin_lock_irqsave(shost->host_lock, flags); + list = (prev ? &prev->siblings : &shost->__devices); while (list->next != &shost->__devices) { next = list_entry(list->next, struct scsi_device, siblings); /* skip devices that we can't get a reference to */
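Review bot: In the moved assignment `list = (prev ? &prev->siblings : &shost->__devices);`, both arms only compute the address of a member of `prev` or `shost`. No list pointer is read there, so the result is the same whether it is evaluated before or after `spin_lock_irqsave()`. The first read of a pointer that another context can change is `list->next` in the `while` condition, and that was already under `host_lock` before this change. The changelog should say which pointer goes stale and how. If the concern is `prev` being unlinked from `shost->__devices` while this caller waits for the lock, the loop still follows `prev->siblings.next` after the move, so that case needs a check made under the lock that `prev` is still linked, not a reordering. Separately, the posting carries no Signed-off-by line, and the `+++` path names `scsi.c.NEW` rather than the file being changed.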