two small scsi fixes for 3.15-rc3

two small scsi fixes for 3.15-rc3

[Christoph Hellwig]

Hi Linus, hi James,

these are two simple use after free fixes that fix a regression introduced
by me in the first scsi update for 3.15-rc1.

I've sent them to the scsi list 10 days ago and haven't seen any reply to
them, and I'd hate if they miss -rc3 in addition to -rc2.

[PATCH 1/2] scsi: don't reference freed command in scsi_init_sgtable

[Christoph Hellwig]

When scsi_init_io fails we have to release our device reference, but
we do this trying to reference the just freed command.  Add a local
scsi_device pointer to fix this.

Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
 drivers/scsi/scsi_lib.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 65a123d..54eff6a 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1044,6 +1044,7 @@ static int scsi_init_sgtable(struct request *req, struct scsi_data_buffer *sdb,
  */
 int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
 {
+	struct scsi_device *sdev = cmd->device;
 	struct request *rq = cmd->request;
 
 	int error = scsi_init_sgtable(rq, &cmd->sdb, gfp_mask);
@@ -1091,7 +1092,7 @@ err_exit:
 	scsi_release_buffers(cmd);
 	cmd->request->special = NULL;
 	scsi_put_command(cmd);
-	put_device(&cmd->device->sdev_gendev);
+	put_device(&sdev->sdev_gendev);
 	return error;
 }
 EXPORT_SYMBOL(scsi_init_io);
-- 
1.7.10.4

[PATCH 2/2] scsi: don't reference freed command in scsi_prep_return

[Christoph Hellwig]

In the kill case of scsi_prep_return we have to release our device
reference, but we do this trying to reference the just freed command.
Use the local sdev pointer instead.

Reported-by: Joe Lawrence <joe.lawrence@stratus.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
 drivers/scsi/scsi_lib.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 54eff6a..7fa54fe 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1274,7 +1274,7 @@ int scsi_prep_return(struct request_queue *q, struct request *req, int ret)
 			struct scsi_cmnd *cmd = req->special;
 			scsi_release_buffers(cmd);
 			scsi_put_command(cmd);
-			put_device(&cmd->device->sdev_gendev);
+			put_device(&sdev->sdev_gendev);
 			req->special = NULL;
 		}
 		break;
-- 
1.7.10.4

Re: two small scsi fixes for 3.15-rc3

[James Bottomley]

On Fri, 2014-04-25 at 13:09 +0200, Christoph Hellwig wrote:
> Hi Linus, hi James,
> 
> these are two simple use after free fixes that fix a regression introduced
> by me in the first scsi update for 3.15-rc1.
> 
> I've sent them to the scsi list 10 days ago and haven't seen any reply to
> them, and I'd hate if they miss -rc3 in addition to -rc2.

You should have received my git tree emails that they were already in
SCSI fixes ... didn't you?  I certainly got a copy.

James

Re: two small scsi fixes for 3.15-rc3

[Christoph Hellwig]

On Fri, Apr 25, 2014 at 08:00:48AM -0700, James Bottomley wrote:
> You should have received my git tree emails that they were already in
> SCSI fixes ... didn't you?  I certainly got a copy.

I've not seen a single reply to the patches either in my inbox or on
linux-scsi.

Re: two small scsi fixes for 3.15-rc3

[James Bottomley]

On Mon, 2014-04-28 at 11:03 +0200, Christoph Hellwig wrote:
> On Fri, Apr 25, 2014 at 08:00:48AM -0700, James Bottomley wrote:
> > You should have received my git tree emails that they were already in
> > SCSI fixes ... didn't you?  I certainly got a copy.
> 
> I've not seen a single reply to the patches either in my inbox or on
> linux-scsi.

Well, it might be a bit late to trace what went wrong, but these are the
transfer logs with msgid and remote ack.

Apr 19 13:59:31 bedivere amavis[17271]: (17271-15) Passed CLEAN {RelayedOpenRelay}, <jejb@bedivere.hansenpartnership.com> -> <hch@lst.de>,<JBottomley@Parallels.com>,<joe.lawrence@stratus.com>, Message-ID: <20140419205930.1DD598EE0C5@bedivere.hansenpartnership.com>, mail_id: ZmsodClKD9Uy, Hits: -, size: 1796, queued_as: BC8688EE1B6, 663 ms
Apr 19 13:59:33 bedivere postfix/smtp[4861]: BC8688EE1B6: to=<hch@lst.de>, relay=verein.lst.de[213.95.11.211]:25, delay=2.6, delays=0.3/0.05/1.9/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E31ED14564)
Apr 19 13:59:31 bedivere amavis[19335]: (19335-15) Passed CLEAN {RelayedOpenRelay}, <jejb@bedivere.hansenpartnership.com> -> <linux@eikelenboom.it>,<hch@lst.de>,<JBottomley@Parallels.com>, Message-ID: <20140419205930.4C52A8EE0A9@bedivere.hansenpartnership.com>, mail_id: 1_YssH8P_WCo, Hits: -, size: 1796, queued_as: D5D558EE213, 473 ms
Apr 19 13:59:33 bedivere postfix/smtp[4865]: D5D558EE213: to=<hch@lst.de>, relay=verein.lst.de[213.95.11.211]:25, delay=2.9, delays=0.28/0.14/2.1/0.36, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 31924145CD)

James


> --
> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html