Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8df5fc...
Commit:     8df5fc042c8e7c08dc438c8198b62407ee1e91a0
Parent:     27898988174bb211fd962ea73b9c6dc09f888705
Author:     James Bottomley <James.Bottomley@HansenPartnership.com>
AuthorDate: Mon Jul 7 15:50:01 2008 -0500
Committer:  James Bottomley <James.Bottomley@HansenPartnership.com>
CommitDate: Sat Jul 12 10:14:56 2008 -0500

    [SCSI] bsg: fix oops on remove
    
    If you do a modremove of any sas driver, you run into an oops on
    shutdown when the host is removed (coming from the host bsg device).
    The root cause seems to be that there's a use after free of the
    bsg_class_device:  In bsg_kref_release_function, this is used (to do a
    put_device(bcg->parent) after bcg->release has been called.  In sas (and
    possibly many other things) bcd->release frees the queue which contains
    the bsg_class_device, so we get a put_device on unreferenced memory.
    Fix this by taking a copy of the pointer to the parent before releasing
    bsg.
    
    Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 block/bsg.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/block/bsg.c b/block/bsg.c
index f0b7cd3..54d617f 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -709,11 +709,12 @@ static void bsg_kref_release_function(struct kref *kref)
 {
 	struct bsg_class_device *bcd =
 		container_of(kref, struct bsg_class_device, ref);
+	struct device *parent = bcd->parent;
 
 	if (bcd->release)
 		bcd->release(bcd->parent);
 
-	put_device(bcd->parent);
+	put_device(parent);
 }
 
 static int bsg_put_device(struct bsg_device *bd)
--
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html