From: Greg Kroah-Hartman Date: Mon, 6 Dec 2010 20:59:16 +0000 (-0800) Subject: .27 patches X-Git-Tag: v2.6.27.57~41 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1964ec3d31bbfa74ef6654daacae089007e4f058;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches --- diff --git a/queue-2.6.27/libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch b/queue-2.6.27/libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch new file mode 100644 index 00000000000..855fa953076 --- /dev/null +++ b/queue-2.6.27/libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch @@ -0,0 +1,36 @@ +From 2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 1 Nov 2010 11:39:19 +0100 +Subject: libata: fix NULL sdev dereference race in atapi_qc_complete() + +From: Tejun Heo + +commit 2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 upstream. + +SCSI commands may be issued between __scsi_add_device() and dev->sdev +assignment, so it's unsafe for ata_qc_complete() to dereference +dev->sdev->locked without checking whether it's NULL or not. Fix it. + +Signed-off-by: Tejun Heo +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2371,8 +2371,11 @@ static void atapi_qc_complete(struct ata + * + * If door lock fails, always clear sdev->locked to + * avoid this infinite loop. ++ * ++ * This may happen before SCSI scan is complete. Make ++ * sure qc->dev->sdev isn't NULL before dereferencing. + */ +- if (qc->cdb[0] == ALLOW_MEDIUM_REMOVAL) ++ if (qc->cdb[0] == ALLOW_MEDIUM_REMOVAL && qc->dev->sdev) + qc->dev->sdev->locked = 0; + + qc->scsicmd->result = SAM_STAT_CHECK_CONDITION; diff --git a/queue-2.6.27/series b/queue-2.6.27/series index c3b09e77fa1..f02c9847c69 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series 
@@ -12,3 +12,4 @@ sys_semctl-fix-kernel-stack-leakage.patch drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch +libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch
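Review bot: in the drivers/ata/libata-scsi.c hunk, the new condition tests qc->dev->sdev and the following line loads it again for `qc->dev->sdev->locked = 0;`, so the NULL check and the store rely on two separate reads of a pointer that the commit message says is assigned concurrently with command issue. The visible lines do not show what keeps the pointer stable between those two reads. If it can only go from NULL to non-NULL at this point, the added comment should say so. Otherwise, read it once into a local variable and both test and dereference that local. Separately, the changelog body names ata_qc_complete() while the subject and the hunk header name atapi_qc_complete(); the two should agree so the fix can be found by searching for the function name.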