* two small scsi fixes for 3.15-rc3
@ 2014-04-25 11:09 Christoph Hellwig
From: Christoph Hellwig @ 2014-04-25 11:09 UTC
To: Linus Torvalds, James Bottomley; +Cc: linux-kernel, linux-scsi

Hi Linus, hi James,

these are two simple use after free fixes that fix a regression introduced
by me in the first scsi update for 3.15-rc1.

I've sent them to the scsi list 10 days ago and haven't seen any reply to
them, and I'd hate if they miss -rc3 in addition to -rc2.
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH 1/2] scsi: don't reference freed command in scsi_init_sgtable 2014-04-25 11:09 two small scsi fixes for 3.15-rc3 Christoph Hellwig @ 2014-04-25 11:09 ` Christoph Hellwig 2014-04-25 11:09 ` [PATCH 2/2] scsi: don't reference freed command in scsi_prep_return Christoph Hellwig 2014-04-25 15:00 ` two small scsi fixes for 3.15-rc3 James Bottomley 2 siblings, 0 replies; 6+ messages in thread From: Christoph Hellwig @ 2014-04-25 11:09 UTC (permalink / raw) To: Linus Torvalds, James Bottomley; +Cc: linux-kernel, linux-scsi When scsi_init_io fails we have to release our device reference, but we do this trying to reference the just freed command. Add a local scsi_device pointer to fix this. Reported-by: Sander Eikelenboom <linux@eikelenboom.it> Signed-off-by: Christoph Hellwig <hch@lst.de> --- drivers/scsi/scsi_lib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 65a123d..54eff6a 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1044,6 +1044,7 @@ static int scsi_init_sgtable(struct request *req, struct scsi_data_buffer *sdb, */ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask) { + struct scsi_device *sdev = cmd->device; struct request *rq = cmd->request; int error = scsi_init_sgtable(rq, &cmd->sdb, gfp_mask); @@ -1091,7 +1092,7 @@ err_exit: scsi_release_buffers(cmd); cmd->request->special = NULL; scsi_put_command(cmd); - put_device(&cmd->device->sdev_gendev); + put_device(&sdev->sdev_gendev); return error; } EXPORT_SYMBOL(scsi_init_io); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 6+ messages in thread
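Review bot: The subject line names scsi_init_sgtable, but both hunks change scsi_init_io: the first adds the local at the top of scsi_init_io and the second uses it under err_exit just above EXPORT_SYMBOL(scsi_init_io), and the commit text itself says "When scsi_init_io fails". The subject should name scsi_init_io so the fix can be found from the log. In the err_exit hunk the fix depends on sdev being read from cmd->device at function entry, before scsi_put_command(cmd) runs; a one-line comment at put_device(&sdev->sdev_gendev) saying that cmd must not be touched after scsi_put_command would keep a later cleanup from folding the local back into cmd->device.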
* [PATCH 2/2] scsi: don't reference freed command in scsi_prep_return 2014-04-25 11:09 two small scsi fixes for 3.15-rc3 Christoph Hellwig 2014-04-25 11:09 ` [PATCH 1/2] scsi: don't reference freed command in scsi_init_sgtable Christoph Hellwig @ 2014-04-25 11:09 ` Christoph Hellwig 2014-04-25 15:00 ` two small scsi fixes for 3.15-rc3 James Bottomley 2 siblings, 0 replies; 6+ messages in thread From: Christoph Hellwig @ 2014-04-25 11:09 UTC (permalink / raw) To: Linus Torvalds, James Bottomley; +Cc: linux-kernel, linux-scsi In the kill case of scsi_prep_return we have to release our device reference, but we do this trying to reference the just freed command. Use the local sdev pointer instead. Reported-by: Joe Lawrence <joe.lawrence@stratus.com> Signed-off-by: Christoph Hellwig <hch@lst.de> --- drivers/scsi/scsi_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 54eff6a..7fa54fe 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1274,7 +1274,7 @@ int scsi_prep_return(struct request_queue *q, struct request *req, int ret) struct scsi_cmnd *cmd = req->special; scsi_release_buffers(cmd); scsi_put_command(cmd); - put_device(&cmd->device->sdev_gendev); + put_device(&sdev->sdev_gendev); req->special = NULL; } break; -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 6+ messages in thread
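Review bot: The new put_device(&sdev->sdev_gendev) line in the kill case of scsi_prep_return relies on an sdev local whose declaration and assignment are outside the context shown, so the hunk alone does not establish that sdev is valid here. Please confirm, or say in the commit text, where sdev is initialised and that it is not derived from cmd after scsi_put_command(cmd). A smaller style point in the same block: req->special = NULL comes after scsi_put_command(cmd) here, while the err_exit path in patch 1/2 clears cmd->request->special before the put; using the same order in both places, with the pointer cleared before the command is released, would make the two teardown paths easier to compare.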
* Re: two small scsi fixes for 3.15-rc3
From: James Bottomley @ 2014-04-25 15:00 UTC
To: Christoph Hellwig; +Cc: Linus Torvalds, linux-kernel, linux-scsi

On Fri, 2014-04-25 at 13:09 +0200, Christoph Hellwig wrote:
> Hi Linus, hi James,
>
> these are two simple use after free fixes that fix a regression introduced
> by me in the first scsi update for 3.15-rc1.
>
> I've sent them to the scsi list 10 days ago and haven't seen any reply to
> them, and I'd hate if they miss -rc3 in addition to -rc2.

You should have received my git tree emails that they were already in
SCSI fixes ... didn't you? I certainly got a copy.

James
* Re: two small scsi fixes for 3.15-rc3
From: Christoph Hellwig @ 2014-04-28 9:03 UTC
To: James Bottomley; +Cc: Linus Torvalds, linux-kernel, linux-scsi

On Fri, Apr 25, 2014 at 08:00:48AM -0700, James Bottomley wrote:
> You should have received my git tree emails that they were already in
> SCSI fixes ... didn't you? I certainly got a copy.

I've not seen a single reply to the patches either in my inbox or on
linux-scsi.
* Re: two small scsi fixes for 3.15-rc3
From: James Bottomley @ 2014-04-28 13:58 UTC
To: Christoph Hellwig; +Cc: Linus Torvalds, linux-kernel, linux-scsi

On Mon, 2014-04-28 at 11:03 +0200, Christoph Hellwig wrote:
> On Fri, Apr 25, 2014 at 08:00:48AM -0700, James Bottomley wrote:
> > You should have received my git tree emails that they were already in
> > SCSI fixes ... didn't you? I certainly got a copy.
>
> I've not seen a single reply to the patches either in my inbox or on
> linux-scsi.

Well, it might be a bit late to trace what went wrong, but these are the
transfer logs with msgid and remote ack.

Apr 19 13:59:31 bedivere amavis[17271]: (17271-15) Passed CLEAN {RelayedOpenRelay}, <jejb@bedivere.hansenpartnership.com> -> <hch@lst.de>,<JBottomley@Parallels.com>,<joe.lawrence@stratus.com>, Message-ID: <20140419205930.1DD598EE0C5@bedivere.hansenpartnership.com>, mail_id: ZmsodClKD9Uy, Hits: -, size: 1796, queued_as: BC8688EE1B6, 663 ms
Apr 19 13:59:33 bedivere postfix/smtp[4861]: BC8688EE1B6: to=<hch@lst.de>, relay=verein.lst.de[213.95.11.211]:25, delay=2.6, delays=0.3/0.05/1.9/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E31ED14564)

Apr 19 13:59:31 bedivere amavis[19335]: (19335-15) Passed CLEAN {RelayedOpenRelay}, <jejb@bedivere.hansenpartnership.com> -> <linux@eikelenboom.it>,<hch@lst.de>,<JBottomley@Parallels.com>, Message-ID: <20140419205930.4C52A8EE0A9@bedivere.hansenpartnership.com>, mail_id: 1_YssH8P_WCo, Hits: -, size: 1796, queued_as: D5D558EE213, 473 ms
Apr 19 13:59:33 bedivere postfix/smtp[4865]: D5D558EE213: to=<hch@lst.de>, relay=verein.lst.de[213.95.11.211]:25, delay=2.9, delays=0.28/0.14/2.1/0.36, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 31924145CD)

James