linux/include/scsi
Bart Van Assche 8e6882545d scsi: Avoid that scsi_exit_rq() triggers a use-after-free
Dereferencing shost from scsi_exit_rq() is not safe because the SCSI
host may already have been freed when scsi_exit_rq() is called.
Increasing the shost reference count in scsi_init_rq() and dropping that
reference in scsi_exit_rq() is nontrivial since scsi_host_dev_release()
may sleep and since scsi_exit_rq() may be called from interrupt
context. Since scsi_exit_rq() only needs a single bit from shost, copy
that bit into struct scsi_cmnd.

Reported-by: Scott Bauer <scott.bauer@intel.com>
Fixes: e9c787e65c ("scsi: allocate scsi_cmnd structures as part of struct request")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Scott Bauer <scott.bauer@intel.com>
Cc: Jan Kara <jack@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2017-06-12 20:55:58 -04:00
..
fc uapi: export all headers under uapi directories 2017-05-11 00:21:54 +09:00
fc_encode.h [SCSI] libfc: Add support for FDMI 2012-02-19 08:08:58 -06:00
fc_frame.h [SCSI] fcoe: remove unused ptype field in fcoe_rcv_info 2011-07-28 12:08:55 +04:00
fcoe_sysfs.h libfcoe, fcoe, bnx2fc: Add new fcoe control interface 2012-12-14 10:38:54 -08:00
iscsi_if.h scsi_transport_iscsi: Add 25G and 40G speed definition 2016-02-23 21:27:02 -05:00
iscsi_proto.h linux: drop __bitwise__ everywhere 2016-12-16 00:13:41 +02:00
iser.h IB/iser,isert: Create and use new shared header 2015-12-24 00:17:35 -05:00
libfc.h scsi: libfc: convert fc_fcp_pkt.ref_cnt from atomic_t to refcount_t 2017-03-15 18:44:02 -04:00
libfcoe.h fcoe: implement FIP VLAN responder 2016-07-20 19:49:41 -04:00
libiscsi_tcp.h iscsi_tcp: Use ahash 2016-01-27 20:36:10 +08:00
libiscsi.h SCSI misc on 20170503 2017-05-04 12:19:44 -07:00
libsas.h scsi: sas: remove sas_domain_release_transport 2017-04-04 20:16:38 -04:00
osd_attributes.h UAPI: (Scripted) Convert #include "..." to #include <path/...> in kernel system headers 2012-10-02 18:01:25 +01:00
osd_initiator.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_ore.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_protocol.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_sec.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_sense.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_types.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
sas_ata.h [SCSI] sas: unify the pointlessly separated enums sas_dev_type and sas_device_type 2013-05-10 07:47:52 -07:00
sas.h scsi: Centralise ssp frame information units 2015-11-25 22:12:50 -05:00
scsi_bsg_iscsi.h [SCSI] iscsi class: add bsg support to iscsi class 2011-08-27 08:36:21 -06:00
scsi_cmnd.h scsi: Avoid that scsi_exit_rq() triggers a use-after-free 2017-06-12 20:55:58 -04:00
scsi_common.h scsi: add scsi_set_sense_field_pointer() 2016-04-04 12:07:42 -04:00
scsi_dbg.h scsi: remove scsi_show_sense_hdr() 2015-12-02 16:36:14 -05:00
scsi_device.h SCSI misc on 20170503 2017-05-04 12:19:44 -07:00
scsi_devinfo.h scsi_dh_alua: Add new blacklist flag 'BLIST_SYNC_ALUA' 2016-02-23 21:27:02 -05:00
scsi_dh.h scsi_dh: add 'rescan' callback 2016-02-23 21:27:02 -05:00
scsi_driver.h scsi: scsi_error: count medium access timeout only once per EH run 2017-04-06 13:07:32 -04:00
scsi_eh.h scsi: Improve scsi_get_sense_info_fld 2017-04-25 13:00:56 -04:00
scsi_host.h scsi: make asynchronous aborts mandatory 2017-04-06 13:07:33 -04:00
scsi_ioctl.h scsi: split scsi_nonblockable_ioctl 2014-11-12 11:16:11 +01:00
scsi_proto.h target: Add WRITE_VERIFY_16 2017-05-01 22:21:40 -07:00
scsi_request.h scsi: introduce a result field in struct scsi_request 2017-04-20 12:16:10 -06:00
scsi_tcq.h scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
scsi_transport_fc.h scsi: scsi_transport_fc: Add dummy initiator role to rport 2017-04-19 19:13:52 -04:00
scsi_transport_iscsi.h iSCSI: let session recovery_tmo sysfs writes persist across recovery 2015-07-30 12:43:00 -07:00
scsi_transport_sas.h scsi: sas: remove is_sas_attached() 2016-08-18 22:23:20 -04:00
scsi_transport_spi.h scsi: remove abuses of scsi_populate_tag 2014-11-12 11:19:41 +01:00
scsi_transport_srp.h scsi: remove tsk_mgmt_response and it_nexus_response transport methods 2017-02-06 19:10:41 -05:00
scsi_transport.h SCSI misc on 20170220 2017-02-21 11:51:42 -08:00
scsi.h scsi: remove useless acpi functions in the header file 2017-01-10 23:13:58 -05:00
scsicam.h
sg.h scsi: sg: disable SET_FORCE_LOW_DMA 2017-04-11 20:55:20 -04:00
srp.h IB/srp: Add 64-bit LUN support 2015-05-18 13:35:56 -04:00
viosrp.h ibmvscsis: Initial commit of IBM VSCSI Tgt Driver 2016-07-20 01:15:43 -07:00