From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mx2.suse.de ([195.135.220.15]:56777 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751881AbdEXF6y (ORCPT ); Wed, 24 May 2017 01:58:54 -0400
Subject: Re: [PATCH 10/31] Avoid that scsi_exit_rq() triggers a use-after-free
To: Bart Van Assche, "Martin K . Petersen", James Bottomley
Cc: linux-scsi@vger.kernel.org, linux-block@vger.kernel.org, Scott Bauer, Christoph Hellwig, Jan Kara, Hannes Reinecke, stable@vger.kernel.org
References: <20170524003420.5381-1-bart.vanassche@sandisk.com> <20170524003420.5381-11-bart.vanassche@sandisk.com>
From: Hannes Reinecke
Message-ID:
Date: Wed, 24 May 2017 07:58:51 +0200
MIME-Version: 1.0
In-Reply-To: <20170524003420.5381-11-bart.vanassche@sandisk.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Dereferencing shost from scsi_exit_rq() is not safe because the
> SCSI host may already have been freed when scsi_exit_rq() is
> called. Increasing the shost reference count in scsi_init_rq()
> and dropping that reference in scsi_exit_rq() is nontrivial since
> scsi_host_dev_release() may sleep and since scsi_exit_rq() may
> be called from interrupt context. Since scsi_exit_rq() only needs
> a single bit from shost, copy that bit into struct scsi_cmnd.
>
> Reported-by: Scott Bauer
> Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request")
> Signed-off-by: Bart Van Assche
> Cc: Scott Bauer
> Cc: Christoph Hellwig
> Cc: Jan Kara
> Cc: Hannes Reinecke
> Cc:
> ---
> drivers/scsi/scsi_lib.c | 43 +++++++++++++++++++++++++------------------
> include/scsi/scsi_cmnd.h | 1 +
> 2 files changed, 26 insertions(+), 18 deletions(-)
>
Reviewed-by: Hannes Reinecke

Cheers,

Hannes
--
Dr. Hannes Reinecke                Teamlead Storage & Networking
hare@suse.de                       +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)
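
The approach described in the quoted commit message, as an added user-space C model that is not part of the original mail or the kernel patch: the init path copies the one bit it will need from the parent object, so the exit path never dereferences a parent that may already be freed. The names `struct host`, `struct cmd`, `alt_pool` and the pool helpers are hypothetical, and using the bit to select a buffer pool is an assumption made for illustration.

```c
/* User-space model of the pattern; hypothetical names, not kernel code. */
#include <stdbool.h>
#include <stdlib.h>

struct host {                 /* stands in for the SCSI host (shost) */
    bool alt_pool;            /* the single bit the exit path needs */
};

struct cmd {                  /* stands in for struct scsi_cmnd */
    struct host *host;        /* unreferenced pointer: may dangle at exit time */
    unsigned alt_pool:1;      /* copy of host->alt_pool taken at init */
    void *buf;
};

int live[2];                  /* outstanding buffers per pool: [0] default, [1] alt */

static void *pool_alloc(bool alt)
{
    void *p = malloc(32);
    if (p)
        live[alt]++;
    return p;
}

static void pool_free(bool alt, void *p) { live[alt]--; free(p); }

/* Init path: the host is known to be alive here, so read the bit now. */
int cmd_init(struct cmd *c, struct host *h)
{
    c->host = h;
    c->alt_pool = h->alt_pool;
    c->buf = pool_alloc(c->alt_pool);
    return c->buf ? 0 : -1;
}

/* Exit path: may run after the host is gone, so it never touches c->host. */
void cmd_exit(struct cmd *c) { pool_free(c->alt_pool, c->buf); c->buf = NULL; }

/* Host freed before the command's exit path runs, the ordering the commit
 * message describes. Returns 0 when the buffer went back to its own pool. */
int teardown_host_then_cmd(bool alt)
{
    struct host *h = malloc(sizeof(*h));
    struct cmd c;
    if (!h) return -1;
    h->alt_pool = alt;
    if (cmd_init(&c, h)) { free(h); return -1; }
    free(h);                  /* host released while the command still exists */
    cmd_exit(&c);             /* safe: uses only the cached bit */
    return (live[0] == 0 && live[1] == 0) ? 0 : 1;
}

int main(void) { return teardown_host_then_cmd(true) || teardown_host_then_cmd(false); }
```

Building the model with `-fsanitize=address` and changing `cmd_exit()` to read `c->host->alt_pool` instead of the cached bit makes the sanitizer report the heap-use-after-free.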