[SCSI] zfcp: fix use after free bug.

From: Linux Kernel Mailing List
Date: Friday, January 25, 2008 - 7:06 pm

Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d1ad09...
Commit:     d1ad09db2fd551d49d65ef040591cb9298e70fb6
Parent:     bfd90dce248a49ced2b7419ecf78af9f7f37039e
Author:     Heiko Carstens <heiko.carstens@de.ibm.com>
AuthorDate: Thu Dec 20 12:30:22 2007 +0100
Committer:  James Bottomley <James.Bottomley@HansenPartnership.com>
CommitDate: Fri Jan 11 18:29:00 2008 -0600

    [SCSI] zfcp: fix use after free bug.
    
    zfcp_erp_strategy_check_fsfreq() checks if it is safe to access the
    fsf_req associated with the erp_action that gets passed. To test if
    it is safe it accesses the fsf_req in order to get its index into
    the hash list. This is broken since the fsf_req might be freed already
    and the read index has no meaning. It could lead to memory corruption.
    Fix this by introducing a new zfcp_reqlist_find_safe() method which
    just checks if addresses are equal. This is slower, but only gets
    called in case of error recovery.
    
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
    Signed-off-by: Martin Peschke <mp3@de.ibm.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 drivers/s390/scsi/zfcp_def.h |   14 ++++++++++++++
 drivers/s390/scsi/zfcp_erp.c |    3 ++-
 2 files changed, 16 insertions(+), 1 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_def.h b/drivers/s390/scsi/zfcp_def.h
index 294d079..9e9f6c1 100644
--- a/drivers/s390/scsi/zfcp_def.h
+++ b/drivers/s390/scsi/zfcp_def.h
@@ -1123,6 +1123,20 @@ zfcp_reqlist_find(struct zfcp_adapter *adapter, unsigned long req_id)
 	return NULL;
 }
 
+static inline struct zfcp_fsf_req *
+zfcp_reqlist_find_safe(struct zfcp_adapter *adapter, struct zfcp_fsf_req *req)
+{
+	struct zfcp_fsf_req *request;
+	unsigned int idx;
+
+	for (idx = 0; idx < REQUEST_LIST_SIZE; idx++) {
+		list_for_each_entry(request, &adapter->req_list[idx], list)
+			if (request == req)
+				return request;
+	}
+	return NULL;
+}
+
 /*
  *  functions needed for reference/usage counting
  */
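Review bot: zfcp_reqlist_find_safe() is only meaningful while adapter->req_list_lock is held, yet nothing in the hunk states that; the function deliberately never dereferences `req` (which is the whole point of the fix), but the pointer it returns is only valid for as long as the caller keeps the list locked. Add a comment above the definition saying that the caller must hold req_list_lock and that `req` may be a dangling pointer which is compared by address only. A short note that the full walk over all REQUEST_LIST_SIZE buckets is intentional and reserved for the error-recovery path (as the commit message explains) would also stop someone from "optimising" it back into a hash lookup later.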
diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
index 67d74ed..76fef3f 100644
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -846,7 +846,8 @@ zfcp_erp_strategy_check_fsfreq(struct zfcp_erp_action *erp_action)
 	if (erp_action->fsf_req) {
 		/* take lock to ensure that request is not deleted meanwhile */
 		spin_lock(&adapter->req_list_lock);
-		if (zfcp_reqlist_find(adapter, erp_action->fsf_req->req_id)) {
+		if (zfcp_reqlist_find_safe(adapter, erp_action->fsf_req) &&
+		    erp_action->fsf_req->erp_action == erp_action) {
 			/* fsf_req still exists */
 			debug_text_event(adapter->erp_dbf, 3, "a_ca_req");
 			debug_event(adapter->erp_dbf, 3, &erp_action->fsf_req,
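Review bot: the order of the two conditions in `if (zfcp_reqlist_find_safe(adapter, erp_action->fsf_req) && erp_action->fsf_req->erp_action == erp_action)` is load-bearing: `erp_action->fsf_req->erp_action` dereferences the request, which is safe only because short-circuit evaluation guarantees the address lookup succeeded first, and only while req_list_lock (taken two lines above) is still held. Please add a comment saying the dereference must stay after the lookup and inside the locked region, and explain why the extra back-pointer comparison is needed on top of the address match, since the existing comment "fsf_req still exists" no longer describes all of what is being checked.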