From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
alan@lxorguk.ukuu.org.uk,
Martin Peschke <mpeschke@linux.vnet.ibm.com>,
Steffen Maier <maier@linux.vnet.ibm.com>,
James Bottomley <JBottomley@Parallels.com>
Subject: [ 45/84] SCSI: zfcp: only access zfcp_scsi_dev for valid scsi_device
Date: Thu, 11 Oct 2012 11:03:29 +0900 [thread overview]
Message-ID: <20121011015425.124844897@linuxfoundation.org> (raw)
In-Reply-To: <20121011015417.017144658@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Peschke <mpeschke@linux.vnet.ibm.com>
commit d436de8ce25f53a8a880a931886821f632247943 upstream.
__scsi_remove_device (e.g. due to dev_loss_tmo) calls
zfcp_scsi_slave_destroy which in turn sends a close LUN FSF request to
the adapter. After 30 seconds without response,
zfcp_erp_timeout_handler kicks the ERP thread failing the close LUN
ERP action. zfcp_erp_wait in zfcp_erp_lun_shutdown_wait and thus
zfcp_scsi_slave_destroy returns and then scsi_device is no longer
valid. Sometime later the response to the close LUN FSF request may
finally come in. However, commit
b62a8d9b45b971a67a0f8413338c230e3117dff5
"[SCSI] zfcp: Use SCSI device data zfcp_scsi_dev instead of zfcp_unit"
introduced a number of attempts to unconditionally access struct
zfcp_scsi_dev through struct scsi_device causing a use-after-free.
This leads to an Oops due to kernel page fault in one of:
zfcp_fsf_abort_fcp_command_handler, zfcp_fsf_open_lun_handler,
zfcp_fsf_close_lun_handler, zfcp_fsf_req_trace,
zfcp_fsf_fcp_handler_common.
Move dereferencing of zfcp private data zfcp_scsi_dev allocated in
scsi_device via scsi_transport_reserve_device after the check for
potentially aborted FSF request and thus no longer valid scsi_device.
Only then assign sdev_to_zfcp(sdev) to the local auto variable struct
zfcp_scsi_dev *zfcp_sdev.
Signed-off-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/scsi/zfcp_fsf.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -771,12 +771,14 @@ out:
static void zfcp_fsf_abort_fcp_command_handler(struct zfcp_fsf_req *req)
{
struct scsi_device *sdev = req->data;
- struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(sdev);
+ struct zfcp_scsi_dev *zfcp_sdev;
union fsf_status_qual *fsq = &req->qtcb->header.fsf_status_qual;
if (req->status & ZFCP_STATUS_FSFREQ_ERROR)
return;
+ zfcp_sdev = sdev_to_zfcp(sdev);
+
switch (req->qtcb->header.fsf_status) {
case FSF_PORT_HANDLE_NOT_VALID:
if (fsq->word[0] == fsq->word[1]) {
@@ -1730,13 +1732,15 @@ static void zfcp_fsf_open_lun_handler(st
{
struct zfcp_adapter *adapter = req->adapter;
struct scsi_device *sdev = req->data;
- struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(sdev);
+ struct zfcp_scsi_dev *zfcp_sdev;
struct fsf_qtcb_header *header = &req->qtcb->header;
struct fsf_qtcb_bottom_support *bottom = &req->qtcb->bottom.support;
if (req->status & ZFCP_STATUS_FSFREQ_ERROR)
return;
+ zfcp_sdev = sdev_to_zfcp(sdev);
+
atomic_clear_mask(ZFCP_STATUS_COMMON_ACCESS_DENIED |
ZFCP_STATUS_COMMON_ACCESS_BOXED |
ZFCP_STATUS_LUN_SHARED |
@@ -1847,11 +1851,13 @@ out:
static void zfcp_fsf_close_lun_handler(struct zfcp_fsf_req *req)
{
struct scsi_device *sdev = req->data;
- struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(sdev);
+ struct zfcp_scsi_dev *zfcp_sdev;
if (req->status & ZFCP_STATUS_FSFREQ_ERROR)
return;
+ zfcp_sdev = sdev_to_zfcp(sdev);
+
switch (req->qtcb->header.fsf_status) {
case FSF_PORT_HANDLE_NOT_VALID:
zfcp_erp_adapter_reopen(zfcp_sdev->port->adapter, 0, "fscuh_1");
@@ -1941,7 +1947,7 @@ static void zfcp_fsf_req_trace(struct zf
{
struct fsf_qual_latency_info *lat_in;
struct latency_cont *lat = NULL;
- struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scsi->device);
+ struct zfcp_scsi_dev *zfcp_sdev;
struct zfcp_blk_drv_data blktrc;
int ticks = req->adapter->timer_ticks;
@@ -1956,6 +1962,7 @@ static void zfcp_fsf_req_trace(struct zf
if (req->adapter->adapter_features & FSF_FEATURE_MEASUREMENT_DATA &&
!(req->status & ZFCP_STATUS_FSFREQ_ERROR)) {
+ zfcp_sdev = sdev_to_zfcp(scsi->device);
blktrc.flags |= ZFCP_BLK_LAT_VALID;
blktrc.channel_lat = lat_in->channel_lat * ticks;
blktrc.fabric_lat = lat_in->fabric_lat * ticks;
@@ -1993,12 +2000,14 @@ static void zfcp_fsf_fcp_handler_common(
{
struct scsi_cmnd *scmnd = req->data;
struct scsi_device *sdev = scmnd->device;
- struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(sdev);
+ struct zfcp_scsi_dev *zfcp_sdev;
struct fsf_qtcb_header *header = &req->qtcb->header;
if (unlikely(req->status & ZFCP_STATUS_FSFREQ_ERROR))
return;
+ zfcp_sdev = sdev_to_zfcp(sdev);
+
switch (header->fsf_status) {
case FSF_HANDLE_MISMATCH:
case FSF_PORT_HANDLE_NOT_VALID:
next prev parent reply other threads:[~2012-10-11 2:14 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-11 2:01 [ 00/84] 3.0.46-stable review Greg Kroah-Hartman
2012-10-11 2:02 ` [ 01/84] mn10300: only add -mmem-funcs to KBUILD_CFLAGS if gcc supports it Greg Kroah-Hartman
2012-10-11 2:02 ` [ 02/84] kbuild: make: fix if_changed when command contains backslashes Greg Kroah-Hartman
2012-10-11 2:02 ` [ 03/84] media: rc: ite-cir: Initialise ite_dev::rdev earlier Greg Kroah-Hartman
2012-10-11 2:02 ` [ 04/84] ACPI: run _OSC after ACPI_FULL_INITIALIZATION Greg Kroah-Hartman
2012-10-11 2:02 ` [ 05/84] PCI: acpiphp: check whether _ADR evaluation succeeded Greg Kroah-Hartman
2012-10-11 2:02 ` [ 06/84] lib/gcd.c: prevent possible div by 0 Greg Kroah-Hartman
2012-10-11 2:02 ` [ 07/84] kernel/sys.c: call disable_nonboot_cpus() in kernel_restart() Greg Kroah-Hartman
2012-10-11 2:02 ` [ 08/84] drivers/scsi/atp870u.c: fix bad use of udelay Greg Kroah-Hartman
2012-10-11 2:02 ` [ 09/84] workqueue: add missing smp_wmb() in process_one_work() Greg Kroah-Hartman
2012-10-11 2:02 ` [ 10/84] xfrm: Workaround incompatibility of ESN and async crypto Greg Kroah-Hartman
2012-10-11 2:02 ` [ 11/84] xfrm_user: return error pointer instead of NULL Greg Kroah-Hartman
2012-10-11 2:02 ` [ 12/84] xfrm_user: return error pointer instead of NULL #2 Greg Kroah-Hartman
2012-10-11 2:02 ` [ 13/84] xfrm: fix a read lock imbalance in make_blackhole Greg Kroah-Hartman
2012-10-11 2:02 ` [ 14/84] xfrm_user: fix info leak in copy_to_user_auth() Greg Kroah-Hartman
2012-10-11 2:02 ` [ 15/84] xfrm_user: fix info leak in copy_to_user_state() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 16/84] xfrm_user: fix info leak in copy_to_user_policy() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 17/84] xfrm_user: fix info leak in copy_to_user_tmpl() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 18/84] xfrm_user: dont copy esn replay window twice for new states Greg Kroah-Hartman
2012-10-11 2:03 ` [ 19/84] xfrm_user: ensure user supplied esn replay window is valid Greg Kroah-Hartman
2012-10-11 2:03 ` [ 20/84] net: ethernet: davinci_cpdma: decrease the desc count when cleaning up the remaining packets Greg Kroah-Hartman
2012-10-11 2:03 ` [ 21/84] ixp4xx_hss: fix build failure due to missing linux/module.h inclusion Greg Kroah-Hartman
2012-10-11 2:03 ` [ 22/84] netxen: check for root bus in netxen_mask_aer_correctable Greg Kroah-Hartman
2012-10-11 2:03 ` [ 23/84] net-sched: sch_cbq: avoid infinite loop Greg Kroah-Hartman
2012-10-11 2:03 ` [ 24/84] pkt_sched: fix virtual-start-time update in QFQ Greg Kroah-Hartman
2012-10-11 2:03 ` [ 25/84] sierra_net: Endianess bug fix Greg Kroah-Hartman
2012-10-11 2:03 ` [ 26/84] 8021q: fix mac_len recomputation in vlan_untag() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 27/84] ipv6: release reference of ip6_null_entrys dst entry in __ip6_del_rt Greg Kroah-Hartman
2012-10-11 2:03 ` [ 28/84] tcp: flush DMA queue before sk_wait_data if rcv_wnd is zero Greg Kroah-Hartman
2012-10-11 2:03 ` [ 29/84] sctp: Dont charge for data in sndbuf again when transmitting packet Greg Kroah-Hartman
2012-10-11 2:03 ` [ 30/84] pppoe: drop PPPOX_ZOMBIEs in pppoe_release Greg Kroah-Hartman
2012-10-11 2:03 ` [ 31/84] net: small bug on rxhash calculation Greg Kroah-Hartman
2012-10-11 2:03 ` [ 32/84] net: guard tcp_set_keepalive() to tcp sockets Greg Kroah-Hartman
2012-10-11 2:03 ` [ 33/84] ipv4: raw: fix icmp_filter() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 34/84] ipv6: raw: fix icmpv6_filter() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 35/84] ipv6: mip6: fix mip6_mh_filter() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 36/84] l2tp: fix a typo in l2tp_eth_dev_recv() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 37/84] netrom: copy_datagram_iovec can fail Greg Kroah-Hartman
2012-10-11 2:03 ` [ 38/84] net: do not disable sg for packets requiring no checksum Greg Kroah-Hartman
2012-10-11 2:03 ` [ 39/84] aoe: assert AoE packets marked as " Greg Kroah-Hartman
2012-10-11 2:03 ` [ 40/84] tg3: Fix TSO CAP for 5704 devs w / ASF enabled Greg Kroah-Hartman
2012-10-11 2:03 ` [ 41/84] SCSI: zfcp: Make trace record tags unique Greg Kroah-Hartman
2012-10-11 2:03 ` [ 42/84] SCSI: zfcp: Do not wakeup while suspended Greg Kroah-Hartman
2012-10-11 2:03 ` [ 43/84] SCSI: zfcp: remove invalid reference to list iterator variable Greg Kroah-Hartman
2012-10-11 2:03 ` [ 44/84] SCSI: zfcp: restore refcount check on port_remove Greg Kroah-Hartman
2012-10-11 2:03 ` Greg Kroah-Hartman [this message]
2012-10-11 2:03 ` [ 46/84] PCI: Check P2P bridge for invalid secondary/subordinate range Greg Kroah-Hartman
2012-10-11 2:03 ` [ 47/84] ext4: online defrag is not supported for journaled files Greg Kroah-Hartman
2012-10-11 2:03 ` [ 48/84] ext4: always set i_op in ext4_mknod() Greg Kroah-Hartman
2012-10-11 2:03 ` [ 49/84] ext4: fix fdatasync() for files with only i_size changes Greg Kroah-Hartman
2012-10-11 2:03 ` [ 50/84] ASoC: wm9712: Fix name of Capture Switch Greg Kroah-Hartman
2012-10-11 2:03 ` [ 51/84] mm: fix invalidate_complete_page2() lock ordering Greg Kroah-Hartman
2012-10-11 2:03 ` [ 52/84] mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP Greg Kroah-Hartman
2012-10-11 2:03 ` [ 53/84] ALSA: aloop - add locking to timer access Greg Kroah-Hartman
2012-10-11 2:03 ` [ 54/84] ALSA: usb - disable broken hw volume for Tenx TP6911 Greg Kroah-Hartman
2012-10-11 2:03 ` [ 55/84] ALSA: USB: Support for (original) Xbox Communicator Greg Kroah-Hartman
2012-10-11 2:03 ` [ 56/84] drm/radeon: only adjust default clocks on NI GPUs Greg Kroah-Hartman
2012-10-11 2:03 ` [ 57/84] drm/radeon: Add MSI quirk for gateway RS690 Greg Kroah-Hartman
2012-10-11 2:03 ` [ 58/84] drm/radeon: force MSIs on RS690 asics Greg Kroah-Hartman
2012-10-11 2:03 ` [ 59/84] rcu: Fix day-one dyntick-idle stall-warning bug Greg Kroah-Hartman
2012-10-11 2:03 ` [ 60/84] r8169: fix wake on lan setting for non-8111E Greg Kroah-Hartman
2012-10-11 7:15 ` Jonathan Nieder
2012-10-11 10:59 ` Greg Kroah-Hartman
2012-10-11 2:03 ` [ 61/84] r8169: dont enable rx when shutdown Greg Kroah-Hartman
2012-10-11 2:03 ` [ 62/84] r8169: remove erroneous processing of always set bit Greg Kroah-Hartman
2012-10-11 2:03 ` [ 63/84] r8169: jumbo fixes Greg Kroah-Hartman
2012-10-11 2:03 ` [ 64/84] r8169: expand received packet length indication Greg Kroah-Hartman
2012-10-11 2:03 ` [ 65/84] r8169: increase the delay parameter of pm_schedule_suspend Greg Kroah-Hartman
2012-10-11 2:03 ` [ 66/84] r8169: Rx FIFO overflow fixes Greg Kroah-Hartman
2012-10-11 2:03 ` [ 67/84] r8169: fix Config2 MSIEnable bit setting Greg Kroah-Hartman
2012-10-11 2:03 ` [ 68/84] r8169: missing barriers Greg Kroah-Hartman
2012-10-11 2:03 ` [ 69/84] r8169: runtime resume before shutdown Greg Kroah-Hartman
2012-10-11 2:03 ` [ 70/84] r8169: Config1 is read-only on 8168c and later Greg Kroah-Hartman
2012-10-11 2:03 ` [ 71/84] r8169: 8168c and later require bit 0x20 to be set in Config2 for PME signaling Greg Kroah-Hartman
2012-10-11 2:03 ` [ 72/84] r8169: fix unsigned int wraparound with TSO Greg Kroah-Hartman
2012-10-11 2:03 ` [ 73/84] r8169: call netif_napi_del at errpaths and at driver unload Greg Kroah-Hartman
2012-10-11 2:03 ` [ 74/84] revert "mm: mempolicy: Let vma_merge and vma_split handle vma->vm_policy linkages" Greg Kroah-Hartman
2012-10-11 2:03 ` [ 75/84] mempolicy: remove mempolicy sharing Greg Kroah-Hartman
2012-10-11 2:04 ` [ 76/84] mempolicy: fix a race in shared_policy_replace() Greg Kroah-Hartman
2012-10-11 2:04 ` [ 77/84] mempolicy: fix refcount leak in mpol_set_shared_policy() Greg Kroah-Hartman
2012-10-11 2:04 ` [ 78/84] mempolicy: fix a memory corruption by refcount imbalance in alloc_pages_vma() Greg Kroah-Hartman
2012-10-11 2:04 ` [ 79/84] CPU hotplug, cpusets, suspend: Dont modify cpusets during suspend/resume Greg Kroah-Hartman
2012-10-11 2:04 ` [ 80/84] mtd: autcpu12-nvram: Fix compile breakage Greg Kroah-Hartman
2012-10-11 2:04 ` [ 81/84] mtd: nandsim: bugfix: fail if overridesize is too big Greg Kroah-Hartman
2012-10-11 2:04 ` [ 82/84] mtd: nand: Use the mirror BBT descriptor when reading its version Greg Kroah-Hartman
2012-10-11 2:04 ` [ 83/84] mtd: omap2: fix omap_nand_remove segfault Greg Kroah-Hartman
2012-10-11 2:04 ` [ 84/84] mtd: omap2: fix module loading Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121011015425.124844897@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=JBottomley@Parallels.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=maier@linux.vnet.ibm.com \
--cc=mpeschke@linux.vnet.ibm.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox