Commit | Line | Data |
---|---|---|
00e5a55c BS |
1 | From: Gerald Schaefer <geraldsc@de.ibm.com> |
2 | Subject: zfcp: eliminate race between validation and locking. | |
3 | References: bnc#440610 | |
4 | ||
5 | Symptom: machine stalls | |
6 | Problem: ptr is verified before processing is secured by lock. | |
7 | Solution: assign, verify ptr after secured by lock | |
8 | ||
9 | Acked-by: John Jolly <jjolly@suse.de> | |
10 | --- | |
11 | drivers/s390/scsi/zfcp_fsf.c | 14 +++++++++----- | |
12 | 1 file changed, 9 insertions(+), 5 deletions(-) | |
13 | ||
14 | Index: linux-sles11/drivers/s390/scsi/zfcp_fsf.c | |
15 | =================================================================== | |
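--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -2115,18 +2115,21 @@ static inline void zfcp_fsf_trace_latenc
 
 static void zfcp_fsf_send_fcp_command_task_handler(struct zfcp_fsf_req *req)
 {
- struct scsi_cmnd *scpnt = req->data;
+ struct scsi_cmnd *scpnt;
 struct fcp_rsp_iu *fcp_rsp_iu = (struct fcp_rsp_iu *)
 &(req->qtcb->bottom.io.fcp_rsp);
 u32 sns_len;
 char *fcp_rsp_info = (unsigned char *) &fcp_rsp_iu[1];
 unsigned long flags;
 
- if (unlikely(!scpnt))
- return;
-
 read_lock_irqsave(&req->adapter->abort_lock, flags);
 
+ scpnt = req->data;
+ if (unlikely(!scpnt)) {
+ read_unlock_irqrestore(&req->adapter->abort_lock, flags);
+ return;
+ }
+
 if (unlikely(req->status & ZFCP_STATUS_FSFREQ_ABORTED)) {
 set_host_byte(scpnt, DID_SOFT_ERROR);
 set_driver_byte(scpnt, SUGGEST_RETRY);
@@ -2181,7 +2184,8 @@ skip_fsfstatus:
 zfcp_scsi_dbf_event_result("norm", 6, req->adapter, scpnt, req);
 
 scpnt->host_scribble = NULL;
- (scpnt->scsi_done) (scpnt);
+ if (scpnt->scsi_done)
+ (scpnt->scsi_done) (scpnt);
 /*
 * We must hold this lock until scsi_done has been called.
 * Otherwise we may call scsi_done after abort regarding this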
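Review bot: The new `if (scpnt->scsi_done)` guard in the second hunk silently skips completion when the callback is NULL, and neither the code nor the commit description says when that can happen; `host_scribble` has already been cleared on the line before, so a command that takes this branch leaves no trace. If a NULL callback is a legitimate state (presumably a command already torn down by the abort path), say so in a comment such as `/* scsi_done is NULL once <path that clears it> has run; nothing left to complete */`; if it is not expected, make it visible with `else WARN_ON_ONCE(1);`. Separately, the first hunk's fix only holds if the code that clears `req->data` takes `abort_lock` for writing, which is not visible here and deserves a one-line comment at `scpnt = req->data;`. The handler's body continues outside both hunks.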