Re: [PATCH] scsi_scan.c: bug fix: starget use after free issue

All of lore.kernel.org
 help / color / mirror / Atom feed

From: James Smart <James.Smart@Emulex.Com>
To: James Bottomley <James.Bottomley@SteelEye.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH] scsi_scan.c: bug fix: starget use after free issue
Date: Tue, 27 Jun 2006 12:39:02 -0400	[thread overview]
Message-ID: <44A15F26.3070608@emulex.com> (raw)
In-Reply-To: <1151423925.3340.32.camel@mulgrave.il.steeleye.com>

And we've already seen this, even without this change - e.g. the target was
2/3's torn down when we created a new one....

what this really sounds like then is that we need to stop the teardown and
reuse the structure - or - figure out a way to make the kobj teardown happen
sooner so that we reuse the namespace (or disconnect the namespace and the
structures).

-- james

James Bottomley wrote:
> On Thu, 2006-06-15 at 12:55 -0400, James Smart wrote:
>> When reaping the starget, after all sdev's have been removed, the starget
>> was queued for deletion via usercontext, but was left on the shost's
>> __targets list. Another scanning thread can match the starget and use it, 
>> causing reference after free problems.
>>
>> This patch unlinks the starget at the same time it is scheduled for deletion.
>>
> This cannot be done this way.  The problem it will introduce is that
> we'll think the target has gone and possibly reallocate its name before
> device_del is called on it (which means if the new device gets added, it
> will return -EEXIST and everything will go wrong).
> 
> Where is the actual reference coming from ... perhaps the using place
> should simply be checking the state.
> 
> James
> 
> 
>

next prev parent reply	other threads:[~2006-06-27 16:39 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-06-15 16:55 [PATCH] scsi_scan.c: bug fix: starget use after free issue James Smart
2006-06-27 15:58 ` James Bottomley
2006-06-27 16:39   ` James Smart [this message]
2006-07-19 14:22 ` James Smart

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44A15F26.3070608@emulex.com \
    --to=james.smart@emulex.com \
    --cc=James.Bottomley@SteelEye.com \
    --cc=linux-scsi@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.