[SCSI] sg: checking sdp->detached isn't protected when open
@detached is set under the protection of sg_index_lock. Without getting the lock, new sfp will be added during sg removal and there is no chance for it to be picked out. So check with sg_index_lock held in sg_add_sfp(). Signed-off-by: Vaughan Cao <vaughan.cao@oracle.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
parent
00b2d9d6d0
commit
e32c9e6300
|
@ -295,23 +295,20 @@ sg_open(struct inode *inode, struct file *filp)
|
||||||
if (flags & O_EXCL)
|
if (flags & O_EXCL)
|
||||||
sdp->exclude = 1; /* used by release lock */
|
sdp->exclude = 1; /* used by release lock */
|
||||||
|
|
||||||
if (sdp->detached) {
|
|
||||||
retval = -ENODEV;
|
|
||||||
goto sem_out;
|
|
||||||
}
|
|
||||||
if (sfds_list_empty(sdp)) { /* no existing opens on this device */
|
if (sfds_list_empty(sdp)) { /* no existing opens on this device */
|
||||||
sdp->sgdebug = 0;
|
sdp->sgdebug = 0;
|
||||||
q = sdp->device->request_queue;
|
q = sdp->device->request_queue;
|
||||||
sdp->sg_tablesize = queue_max_segments(q);
|
sdp->sg_tablesize = queue_max_segments(q);
|
||||||
}
|
}
|
||||||
if ((sfp = sg_add_sfp(sdp, dev)))
|
sfp = sg_add_sfp(sdp, dev);
|
||||||
|
if (!IS_ERR(sfp))
|
||||||
filp->private_data = sfp;
|
filp->private_data = sfp;
|
||||||
/* retval is already provably zero at this point because of the
|
/* retval is already provably zero at this point because of the
|
||||||
* check after retval = scsi_autopm_get_device(sdp->device))
|
* check after retval = scsi_autopm_get_device(sdp->device))
|
||||||
*/
|
*/
|
||||||
else {
|
else {
|
||||||
retval = -ENOMEM;
|
retval = PTR_ERR(sfp);
|
||||||
sem_out:
|
|
||||||
if (flags & O_EXCL) {
|
if (flags & O_EXCL) {
|
||||||
sdp->exclude = 0; /* undo if error */
|
sdp->exclude = 0; /* undo if error */
|
||||||
up_write(&sdp->o_sem);
|
up_write(&sdp->o_sem);
|
||||||
|
@ -2045,7 +2042,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
|
||||||
|
|
||||||
sfp = kzalloc(sizeof(*sfp), GFP_ATOMIC | __GFP_NOWARN);
|
sfp = kzalloc(sizeof(*sfp), GFP_ATOMIC | __GFP_NOWARN);
|
||||||
if (!sfp)
|
if (!sfp)
|
||||||
return NULL;
|
return ERR_PTR(-ENOMEM);
|
||||||
|
|
||||||
init_waitqueue_head(&sfp->read_wait);
|
init_waitqueue_head(&sfp->read_wait);
|
||||||
rwlock_init(&sfp->rq_list_lock);
|
rwlock_init(&sfp->rq_list_lock);
|
||||||
|
@ -2060,6 +2057,10 @@ sg_add_sfp(Sg_device * sdp, int dev)
|
||||||
sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;
|
sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;
|
||||||
sfp->parentdp = sdp;
|
sfp->parentdp = sdp;
|
||||||
write_lock_irqsave(&sg_index_lock, iflags);
|
write_lock_irqsave(&sg_index_lock, iflags);
|
||||||
|
if (sdp->detached) {
|
||||||
|
write_unlock_irqrestore(&sg_index_lock, iflags);
|
||||||
|
return ERR_PTR(-ENODEV);
|
||||||
|
}
|
||||||
list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
|
list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
|
||||||
write_unlock_irqrestore(&sg_index_lock, iflags);
|
write_unlock_irqrestore(&sg_index_lock, iflags);
|
||||||
SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: sfp=0x%p\n", sfp));
|
SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: sfp=0x%p\n", sfp));
|
||||||
|
|
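Review bot: The new `if (sdp->detached)` branch in sg_add_sfp() returns `ERR_PTR(-ENODEV)` without freeing the `sfp` that `kzalloc()` allocated earlier in the same function. Each open that loses the race with device removal therefore leaks one `sizeof(*sfp)` kernel allocation. Add `kfree(sfp);` after `write_unlock_irqrestore(&sg_index_lock, iflags);` and before the return. The function body starts and ends outside the visible hunks, so confirm that nothing else set up between the allocation and the lock needs unwinding. Because the failure value changes from NULL to an ERR_PTR, any caller of sg_add_sfp() other than the sg_open() site shown here would need the same `IS_ERR()` check.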