On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Dereferencing shost from scsi_exit_rq() is not safe because the
> SCSI host may already have been freed when scsi_exit_rq() is
> called. Increasing the shost reference count in scsi_init_rq()
> and dropping that reference in scsi_exit_rq() is nontrivial since
> scsi_host_dev_release() may sleep and since scsi_exit_rq() may
> be called from interrupt context. Since scsi_exit_rq() only needs
> a single bit from shost, copy that bit into struct scsi_cmnd.
>
> Reported-by: Scott Bauer <scott.ba...@intel.com>
> Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request")
> Signed-off-by: Bart Van Assche <bart.vanass...@sandisk.com>
> Cc: Scott Bauer <scott.ba...@intel.com>
> Cc: Christoph Hellwig <h...@lst.de>
> Cc: Jan Kara <j...@suse.cz>
> Cc: Hannes Reinecke <h...@suse.com>
> Cc: <sta...@vger.kernel.org>
> ---
>  drivers/scsi/scsi_lib.c  | 43 +++++++++++++++++++++++++------------------
>  include/scsi/scsi_cmnd.h |  1 +
>  2 files changed, 26 insertions(+), 18 deletions(-)
>
Reviewed-by: Hannes Reinecke <h...@suse.com>

Cheers,

Hannes
-- 
Dr. Hannes Reinecke, Teamlead Storage & Networking
h...@suse.de, +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)
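
The lifetime pattern the quoted commit message describes, as an added user-space model that is not the patch's code: the teardown path uses a copy of the one bit it needs, taken at init time, instead of following a pointer to a parent that may already be freed. All names (`struct host`, `struct cmd`, `special_pool`, `cmd_init`, `cmd_exit`) are hypothetical, and the assumption that the bit selects which pool a buffer is accounted to is made for illustration only.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins; not the kernel's structures. */
enum pool { POOL_NORMAL, POOL_SPECIAL };
static int pool_live[2];               /* outstanding buffers per pool */

struct host { bool special_pool; };    /* the one bit teardown needs */

struct cmd {
    struct host *host;   /* may dangle by the time cmd_exit() runs */
    bool special_pool;   /* copy taken in cmd_init(), host still valid */
    void *buf;
};

static enum pool pool_of(bool special) {
    return special ? POOL_SPECIAL : POOL_NORMAL;
}

/* Init path: the host is guaranteed alive here, so read it once. */
int cmd_init(struct cmd *c, struct host *h) {
    c->host = h;
    c->special_pool = h->special_pool;
    c->buf = malloc(96);
    if (!c->buf)
        return -1;
    pool_live[pool_of(c->special_pool)]++;
    return 0;
}

/* Exit path: must not touch c->host; it only uses the cached copy. */
void cmd_exit(struct cmd *c) {
    pool_live[pool_of(c->special_pool)]--;
    free(c->buf);
    c->buf = NULL;
}

/* Constructed scenario: the host is released before its command. */
int demo_host_freed_first(void) {
    struct host *h = malloc(sizeof *h);
    struct cmd c;
    if (!h) return -1;
    h->special_pool = true;
    if (cmd_init(&c, h) != 0) { free(h); return -1; }
    free(h);
    c.host = NULL;       /* any dereference in cmd_exit() would fault */
    cmd_exit(&c);
    return pool_live[POOL_SPECIAL] == 0 && pool_live[POOL_NORMAL] == 0
        && c.buf == NULL;
}
```
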