author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2007-12-20 06:30:22 -0500 |
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2008-01-11 19:29:00 -0500 |
commit | d1ad09db2fd551d49d65ef040591cb9298e70fb6 (patch) | |
tree | e26e31c96068ce3ab58ed14d4e51d68a308d3891 /drivers | |
parent | bfd90dce248a49ced2b7419ecf78af9f7f37039e (diff) |
[SCSI] zfcp: fix use after free bug.
zfcp_erp_strategy_check_fsfreq() checks if it is safe to access the
fsf_req associated with the erp_action that gets passed. To test if
it is safe it accesses the fsf_req in order to get its index into
the hash list. This is broken since the fsf_req might be freed already
and the read index has no meaning. It could lead to memory corruption.
Fix this by introducing a new zfcp_reqlist_find_safe() method which
just checks if addresses are equal. This is slower, but only gets
called in case of error recovery.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
Signed-off-by: Martin Peschke <mp3@de.ibm.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/s390/scsi/zfcp_def.h | 14 | ||||
-rw-r--r-- | drivers/s390/scsi/zfcp_erp.c | 3 |
2 files changed, 16 insertions, 1 deletions
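--- a/drivers/s390/scsi/zfcp_def.h
+++ b/drivers/s390/scsi/zfcp_def.h
@@ -1123,6 +1123,20 @@ zfcp_reqlist_find(struct zfcp_adapter *adapter, unsigned long req_id)
 	return NULL;
 }
 
+static inline struct zfcp_fsf_req *
+zfcp_reqlist_find_safe(struct zfcp_adapter *adapter, struct zfcp_fsf_req *req)
+{
+	struct zfcp_fsf_req *request;
+	unsigned int idx;
+
+	for (idx = 0; idx < REQUEST_LIST_SIZE; idx++) {
+		list_for_each_entry(request, &adapter->req_list[idx], list)
+			if (request == req)
+				return request;
+	}
+	return NULL;
+}
+
 /*
  * functions needed for reference/usage counting
  */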
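Review bot: zfcp_reqlist_find_safe() carries no comment stating the contract the whole fix rests on: `req` may already be freed, so it must only ever be compared by address and never dereferenced, and the caller must hold `adapter->req_list_lock` while the buckets are walked (the function takes no lock itself). I would add above the definition `/* Look up req by address only: it may already be freed, so never dereference it. Caller must hold adapter->req_list_lock. */`. An address match is also not proof that the entry is the same request, since the freed memory may have been reused for a new fsf_req that is now on the list, which is presumably why the zfcp_erp.c caller additionally checks the erp_action back-pointer; noting that in the same comment keeps future callers from trusting the return value alone. The linear scan over all REQUEST_LIST_SIZE buckets is fine given the commit message limits its use to error recovery.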
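--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -846,7 +846,8 @@ zfcp_erp_strategy_check_fsfreq(struct zfcp_erp_action *erp_action)
 	if (erp_action->fsf_req) {
 		/* take lock to ensure that request is not deleted meanwhile */
 		spin_lock(&adapter->req_list_lock);
-		if (zfcp_reqlist_find(adapter, erp_action->fsf_req->req_id)) {
+		if (zfcp_reqlist_find_safe(adapter, erp_action->fsf_req) &&
+		    erp_action->fsf_req->erp_action == erp_action) {
 			/* fsf_req still exists */
 			debug_text_event(adapter->erp_dbf, 3, "a_ca_req");
 			debug_event(adapter->erp_dbf, 3, &erp_action->fsf_req,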
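Review bot: The added `erp_action->fsf_req->erp_action == erp_action` test on new line 850 has no comment explaining why the address lookup alone is not sufficient, and that is the subtle part of the fix: a matching address can belong to a new request allocated into the freed memory, so the back-pointer check is what distinguishes "still our request" from "slot reused". I would add above the `if`: `/* address match alone is not enough: the freed fsf_req may have been reused for a new request, so also verify it still points back at this erp_action */`. The dereference on line 850 is only safe because zfcp_reqlist_find_safe() confirmed the pointer is on the list while req_list_lock is held, so the pre-existing comment on line 847 is now load-bearing for both conditions and should not be loosened later. zfcp_erp_strategy_check_fsfreq() begins before the hunk and the if-body continues past its last line.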