summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorSwen Schillig <swen@vnet.ibm.com>2008-11-26 18:07:39 +0100
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2008-12-01 17:17:50 +0100
commit0ac55aa90f2c3bd08e57e52a513b82b18ce0a5bc (patch)
tree0899a1087c0c4cde4d44cdcd651a6a36e6dbee96 /drivers
parent[SCSI] zfcp: verify for correct rport state before scanning for SCSI devs (diff)
downloadlinux-0ac55aa90f2c3bd08e57e52a513b82b18ce0a5bc.tar.xz
linux-0ac55aa90f2c3bd08e57e52a513b82b18ce0a5bc.zip
[SCSI] zfcp: eliminate race between validation and locking
The check of having a valid pointer was performed before the processing was secured by the lock. Between those two steps the pointer can turn invalid. During further processing another value is used (referenced by the pointer described above) as a function pointer which is never verified to be valid either, resulting under some circumstances in an invalid function call. This patch is fixing both issues. Signed-off-by: Swen Schillig <swen@vnet.ibm.com> Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/s390/scsi/zfcp_fsf.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
index 0343d881babd..dc0367690405 100644
--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -2116,18 +2116,21 @@ static inline void zfcp_fsf_trace_latency(struct zfcp_fsf_req *fsf_req)
static void zfcp_fsf_send_fcp_command_task_handler(struct zfcp_fsf_req *req)
{
- struct scsi_cmnd *scpnt = req->data;
+ struct scsi_cmnd *scpnt;
struct fcp_rsp_iu *fcp_rsp_iu = (struct fcp_rsp_iu *)
&(req->qtcb->bottom.io.fcp_rsp);
u32 sns_len;
char *fcp_rsp_info = (unsigned char *) &fcp_rsp_iu[1];
unsigned long flags;
- if (unlikely(!scpnt))
- return;
-
read_lock_irqsave(&req->adapter->abort_lock, flags);
+ scpnt = req->data;
+ if (unlikely(!scpnt)) {
+ read_unlock_irqrestore(&req->adapter->abort_lock, flags);
+ return;
+ }
+
if (unlikely(req->status & ZFCP_STATUS_FSFREQ_ABORTED)) {
set_host_byte(scpnt, DID_SOFT_ERROR);
set_driver_byte(scpnt, SUGGEST_RETRY);