On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Dereferencing shost from scsi_exit_rq() is not safe because the
> SCSI host may already have been freed when scsi_exit_rq() is
> called. Increasing the shost reference count in scsi_init_rq()
> and dropping that reference in scsi_exit_rq() is nontrivial since
> scsi_host_dev_release() may sleep and since scsi_exit_rq() may
> be called from interrupt context. Since scsi_exit_rq() only needs
> a single bit from shost, copy that bit into struct scsi_cmnd.
>
> Reported-by: Scott Bauer <[email protected]>
> Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct
> request")
> Signed-off-by: Bart Van Assche <[email protected]>
> Cc: Scott Bauer <[email protected]>
> Cc: Christoph Hellwig <[email protected]>
> Cc: Jan Kara <[email protected]>
> Cc: Hannes Reinecke <[email protected]>
> Cc: <[email protected]>
> ---
>  drivers/scsi/scsi_lib.c  | 43 +++++++++++++++++++++++++------------------
>  include/scsi/scsi_cmnd.h |  1 +
>  2 files changed, 26 insertions(+), 18 deletions(-)
>
Reviewed-by: Hannes Reinecke <[email protected]>

Cheers,

Hannes
--
Dr. Hannes Reinecke
Teamlead Storage & Networking
[email protected]
+49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)
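
The lifetime pattern the quoted commit message describes, as an added userspace C example that is not part of the original mail or the kernel patch: the per-command init path copies the one bit it needs from the host, so the exit path never dereferences a host that may already be freed. All struct, field and function names are hypothetical, and what the bit selects (here, which pool a buffer is returned to) is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not kernel code. */
struct host {
    bool special_pool;      /* the single bit the exit path needs */
};

struct cmd {
    struct host *host;      /* may dangle by the time cmd_exit() runs */
    bool special_pool;      /* copy taken while the host was valid */
    void *buf;
};

/* Counters standing in for two distinct allocators (assumption). */
static int freed_special, freed_normal;

static void pool_free(bool special, void *p)
{
    free(p);
    if (special) freed_special++; else freed_normal++;
}

int cmd_init(struct cmd *c, struct host *h)
{
    c->host = h;
    c->special_pool = h->special_pool;  /* h is guaranteed live here */
    c->buf = malloc(c->special_pool ? 64 : 32);
    return c->buf ? 0 : -1;
}

void cmd_exit(struct cmd *c)
{
    /* Reading c->host->special_pool here would be a use-after-free
     * when the host is released before its commands; use the copy. */
    pool_free(c->special_pool, c->buf);
    c->buf = NULL;
}

/* Tear down in the problematic order: host first, command second. */
int demo(void)
{
    struct host *h = malloc(sizeof *h);
    struct cmd c;
    if (!h) return -1;
    h->special_pool = true;
    if (cmd_init(&c, h)) { free(h); return -1; }
    free(h);
    c.host = NULL;          /* any stale dereference now faults loudly */
    cmd_exit(&c);
    return freed_special;   /* 1: buffer went back to the right pool */
}

int main(void) { printf("freed_special=%d\n", demo()); return 0; }
```
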

