[ipfire-2.x.git] / src / patches / suse-2.6.27.39 / patches.fixes / scsi-call-unprep_request-under-lock

Subject: [SCSI] scsi_lib: only call scsi_unprep_request() under queue lock
From: James Bottomley <James.Bottomley@HansenPartnership.com>
Date: Sat Dec 13 14:31:03 2008 -0600:
Git: 02bd3499a3be984f1e88821c3ed252c8c49c498e
References: bnc#464155

It's called under that lock everywhere else and it does alter the
request state, so it should be.

This one occurance in scsi_requeue_command() could open a window where
req->special is set to NULL while the requests is going through either
timeout or completion processing leading to NULL pointer derefs of the
sort complained of in bugzillas 12020 and 12195.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index fa45a1a..148d3af 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -648,8 +648,8 @@ static void scsi_requeue_command(struct request_queue *q, struct scsi_cmnd *cmd)
 	struct request *req = cmd->request;
 	unsigned long flags;
 
-	scsi_unprep_request(req);
 	spin_lock_irqsave(q->queue_lock, flags);
+	scsi_unprep_request(req);
 	blk_requeue_request(q, req);
 	spin_unlock_irqrestore(q->queue_lock, flags);
Commit	Line	Data
2cb7cef9 BS	1	Subject: [SCSI] scsi_lib: only call scsi_unprep_request() under queue lock
	2	From: James Bottomley <James.Bottomley@HansenPartnership.com>
	3	Date: Sat Dec 13 14:31:03 2008 -0600:
	4	Git: 02bd3499a3be984f1e88821c3ed252c8c49c498e
	5	References: bnc#464155
	6
	7	It's called under that lock everywhere else and it does alter the
	8	request state, so it should be.
	9
	10	This one occurance in scsi_requeue_command() could open a window where
	11	req->special is set to NULL while the requests is going through either
	12	timeout or completion processing leading to NULL pointer derefs of the
	13	sort complained of in bugzillas 12020 and 12195.
	14
	15	Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
	16	Signed-off-by: Hannes Reinecke <hare@suse.de>
	17
	18	diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
	19	index fa45a1a..148d3af 100644
	20	--- a/drivers/scsi/scsi_lib.c
	21	+++ b/drivers/scsi/scsi_lib.c
	22	@@ -648,8 +648,8 @@ static void scsi_requeue_command(struct request_queue q, struct scsi_cmnd cmd)
	23	struct request *req = cmd->request;
	24	unsigned long flags;
	25
	26	- scsi_unprep_request(req);
	27	spin_lock_irqsave(q->queue_lock, flags);
	28	+ scsi_unprep_request(req);
	29	blk_requeue_request(q, req);
	30	spin_unlock_irqrestore(q->queue_lock, flags);
	31