[SCSI] sg: checking sdp->detached isn't protected when open

@detached is set under the protection of sg_index_lock. Without getting the lock, new sfp will be added during sg removal and there is no chance for it to be picked out. So check with sg_index_lock held in sg_add_sfp(). Signed-off-by: Vaughan Cao <vaughan.cao@oracle.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
author: Vaughan Cao <vaughan.cao@oracle.com> 2013-08-28 22:00:38 -0400
committer: James Bottomley <JBottomley@Parallels.com> 2013-09-03 10:28:09 -0400
commit: e32c9e6300e3af659cbfe45e90a1e7dcd3572ada (patch)
tree: 2e924a5838335cbfca0cf52a0add8e38801773e2
parent: 00b2d9d6d05b56fc1d77071ff8ccbd2c65b48dec (diff)
1 files changed, 9 insertions, 8 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index d4af13269e85..64df1ab141e5 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -295,23 +295,20 @@ sg_open(struct inode *inode, struct file *filp)
        if (flags & O_EXCL)
                sdp->exclude = 1;       /* used by release lock */
-        if (sdp->detached) {
-                retval = -ENODEV;
-                goto sem_out;
-        }
        if (sfds_list_empty(sdp)) {     /* no existing opens on this device */
                sdp->sgdebug = 0;
                q = sdp->device->request_queue;
                sdp->sg_tablesize = queue_max_segments(q);
        }
-        if ((sfp = sg_add_sfp(sdp, dev)))
+        sfp = sg_add_sfp(sdp, dev);
+        if (!IS_ERR(sfp))
                filp->private_data = sfp;
                /* retval is already provably zero at this point because of the
                 * check after retval = scsi_autopm_get_device(sdp->device))
                 */
        else {
-                retval = -ENOMEM;
+                retval = PTR_ERR(sfp);
-sem_out:
                if (flags & O_EXCL) {
                        sdp->exclude = 0;       /* undo if error */
                        up_write(&sdp->o_sem);
@@ -2045,7 +2042,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
        sfp = kzalloc(sizeof(*sfp), GFP_ATOMIC | __GFP_NOWARN);
        if (!sfp)
-                return NULL;
+                return ERR_PTR(-ENOMEM);
        init_waitqueue_head(&sfp->read_wait);
        rwlock_init(&sfp->rq_list_lock);
@@ -2060,6 +2057,10 @@ sg_add_sfp(Sg_device * sdp, int dev)
        sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;
        sfp->parentdp = sdp;
        write_lock_irqsave(&sg_index_lock, iflags);
+        if (sdp->detached) {
+                write_unlock_irqrestore(&sg_index_lock, iflags);
+                return ERR_PTR(-ENODEV);
+        }
        list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
        write_unlock_irqrestore(&sg_index_lock, iflags);
        SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: sfp=0x%p\n", sfp));
author	Vaughan Cao <vaughan.cao@oracle.com>	2013-08-28 22:00:38 -0400
committer	James Bottomley <JBottomley@Parallels.com>	2013-09-03 10:28:09 -0400
commit	e32c9e6300e3af659cbfe45e90a1e7dcd3572ada (patch)
tree	2e924a5838335cbfca0cf52a0add8e38801773e2
parent	00b2d9d6d05b56fc1d77071ff8ccbd2c65b48dec (diff)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index d4af13269e85..64df1ab141e5 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c
@@ -295,23 +295,20 @@ sg_open(struct inode inode, struct file filp)
295	if (flags & O_EXCL)	295	if (flags & O_EXCL)
296	sdp->exclude = 1; /* used by release lock */	296	sdp->exclude = 1; /* used by release lock */
297		297
298	if (sdp->detached) {
299	retval = -ENODEV;
300	goto sem_out;
301	}
302	if (sfds_list_empty(sdp)) { /* no existing opens on this device */	298	if (sfds_list_empty(sdp)) { /* no existing opens on this device */
303	sdp->sgdebug = 0;	299	sdp->sgdebug = 0;
304	q = sdp->device->request_queue;	300	q = sdp->device->request_queue;
305	sdp->sg_tablesize = queue_max_segments(q);	301	sdp->sg_tablesize = queue_max_segments(q);
306	}	302	}
307	if ((sfp = sg_add_sfp(sdp, dev)))	303	sfp = sg_add_sfp(sdp, dev);
		304	if (!IS_ERR(sfp))
308	filp->private_data = sfp;	305	filp->private_data = sfp;
309	/* retval is already provably zero at this point because of the	306	/* retval is already provably zero at this point because of the
310	* check after retval = scsi_autopm_get_device(sdp->device))	307	* check after retval = scsi_autopm_get_device(sdp->device))
311	*/	308	*/
312	else {	309	else {
313	retval = -ENOMEM;	310	retval = PTR_ERR(sfp);
314	sem_out:	311
315	if (flags & O_EXCL) {	312	if (flags & O_EXCL) {
316	sdp->exclude = 0; /* undo if error */	313	sdp->exclude = 0; /* undo if error */
317	up_write(&sdp->o_sem);	314	up_write(&sdp->o_sem);
@@ -2045,7 +2042,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
2045		2042
2046	sfp = kzalloc(sizeof(*sfp), GFP_ATOMIC \| __GFP_NOWARN);	2043	sfp = kzalloc(sizeof(*sfp), GFP_ATOMIC \| __GFP_NOWARN);
2047	if (!sfp)	2044	if (!sfp)
2048	return NULL;	2045	return ERR_PTR(-ENOMEM);
2049		2046
2050	init_waitqueue_head(&sfp->read_wait);	2047	init_waitqueue_head(&sfp->read_wait);
2051	rwlock_init(&sfp->rq_list_lock);	2048	rwlock_init(&sfp->rq_list_lock);
@@ -2060,6 +2057,10 @@ sg_add_sfp(Sg_device * sdp, int dev)
2060	sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;	2057	sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;
2061	sfp->parentdp = sdp;	2058	sfp->parentdp = sdp;
2062	write_lock_irqsave(&sg_index_lock, iflags);	2059	write_lock_irqsave(&sg_index_lock, iflags);
		2060	if (sdp->detached) {
		2061	write_unlock_irqrestore(&sg_index_lock, iflags);
		2062	return ERR_PTR(-ENODEV);
		2063	}
2063	list_add_tail(&sfp->sfd_siblings, &sdp->sfds);	2064	list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
2064	write_unlock_irqrestore(&sg_index_lock, iflags);	2065	write_unlock_irqrestore(&sg_index_lock, iflags);
2065	SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: sfp=0x%p\n", sfp));	2066	SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: sfp=0x%p\n", sfp));