aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/s390/scsi
diff options
context:
space:
mode:
authorSwen Schillig <swen@vnet.ibm.com>2008-11-26 12:07:39 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2008-12-01 11:17:50 -0500
commit0ac55aa90f2c3bd08e57e52a513b82b18ce0a5bc (patch)
tree0899a1087c0c4cde4d44cdcd651a6a36e6dbee96 /drivers/s390/scsi
parent26871c97d52e50dc574bd01967926650643b142a (diff)
[SCSI] zfcp: eliminate race between validation and locking
The check of having a valid pointer was performed before the processing was secured by the lock. Between those two steps the pointer can turn invalid. During further processing another value is used (referenced by the pointer described above) as a function pointer which is never verified to be valid either, resulting under some circumstances in an invalid function call. This patch is fixing both issues. Signed-off-by: Swen Schillig <swen@vnet.ibm.com> Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Diffstat (limited to 'drivers/s390/scsi')
-rw-r--r--drivers/s390/scsi/zfcp_fsf.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
index 0343d881babd..dc0367690405 100644
--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -2116,18 +2116,21 @@ static inline void zfcp_fsf_trace_latency(struct zfcp_fsf_req *fsf_req)
2116 2116
2117static void zfcp_fsf_send_fcp_command_task_handler(struct zfcp_fsf_req *req) 2117static void zfcp_fsf_send_fcp_command_task_handler(struct zfcp_fsf_req *req)
2118{ 2118{
2119 struct scsi_cmnd *scpnt = req->data; 2119 struct scsi_cmnd *scpnt;
2120 struct fcp_rsp_iu *fcp_rsp_iu = (struct fcp_rsp_iu *) 2120 struct fcp_rsp_iu *fcp_rsp_iu = (struct fcp_rsp_iu *)
2121 &(req->qtcb->bottom.io.fcp_rsp); 2121 &(req->qtcb->bottom.io.fcp_rsp);
2122 u32 sns_len; 2122 u32 sns_len;
2123 char *fcp_rsp_info = (unsigned char *) &fcp_rsp_iu[1]; 2123 char *fcp_rsp_info = (unsigned char *) &fcp_rsp_iu[1];
2124 unsigned long flags; 2124 unsigned long flags;
2125 2125
2126 if (unlikely(!scpnt))
2127 return;
2128
2129 read_lock_irqsave(&req->adapter->abort_lock, flags); 2126 read_lock_irqsave(&req->adapter->abort_lock, flags);
2130 2127
2128 scpnt = req->data;
2129 if (unlikely(!scpnt)) {
2130 read_unlock_irqrestore(&req->adapter->abort_lock, flags);
2131 return;
2132 }
2133
2131 if (unlikely(req->status & ZFCP_STATUS_FSFREQ_ABORTED)) { 2134 if (unlikely(req->status & ZFCP_STATUS_FSFREQ_ABORTED)) {
2132 set_host_byte(scpnt, DID_SOFT_ERROR); 2135 set_host_byte(scpnt, DID_SOFT_ERROR);
2133 set_driver_byte(scpnt, SUGGEST_RETRY); 2136 set_driver_byte(scpnt, SUGGEST_RETRY);