Commit 0ac55aa9 authored by Swen Schillig's avatar Swen Schillig Committed by James Bottomley

[SCSI] zfcp: eliminate race between validation and locking

The check of having a valid pointer was performed before the
processing was secured by the lock. Between those two steps the
pointer can turn invalid.  During further processing another value is
used (referenced by the pointer described above) as a function pointer
which is never verified to be valid either, resulting under some
circumstances in an invalid function call.  This patch is fixing both
issues.
Signed-off-by: default avatarSwen Schillig <swen@vnet.ibm.com>
Signed-off-by: default avatarChristof Schmitt <christof.schmitt@de.ibm.com>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
parent 26871c97
...@@ -2116,18 +2116,21 @@ static inline void zfcp_fsf_trace_latency(struct zfcp_fsf_req *fsf_req) ...@@ -2116,18 +2116,21 @@ static inline void zfcp_fsf_trace_latency(struct zfcp_fsf_req *fsf_req)
static void zfcp_fsf_send_fcp_command_task_handler(struct zfcp_fsf_req *req) static void zfcp_fsf_send_fcp_command_task_handler(struct zfcp_fsf_req *req)
{ {
struct scsi_cmnd *scpnt = req->data; struct scsi_cmnd *scpnt;
struct fcp_rsp_iu *fcp_rsp_iu = (struct fcp_rsp_iu *) struct fcp_rsp_iu *fcp_rsp_iu = (struct fcp_rsp_iu *)
&(req->qtcb->bottom.io.fcp_rsp); &(req->qtcb->bottom.io.fcp_rsp);
u32 sns_len; u32 sns_len;
char *fcp_rsp_info = (unsigned char *) &fcp_rsp_iu[1]; char *fcp_rsp_info = (unsigned char *) &fcp_rsp_iu[1];
unsigned long flags; unsigned long flags;
if (unlikely(!scpnt))
return;
read_lock_irqsave(&req->adapter->abort_lock, flags); read_lock_irqsave(&req->adapter->abort_lock, flags);
scpnt = req->data;
if (unlikely(!scpnt)) {
read_unlock_irqrestore(&req->adapter->abort_lock, flags);
return;
}
if (unlikely(req->status & ZFCP_STATUS_FSFREQ_ABORTED)) { if (unlikely(req->status & ZFCP_STATUS_FSFREQ_ABORTED)) {
set_host_byte(scpnt, DID_SOFT_ERROR); set_host_byte(scpnt, DID_SOFT_ERROR);
set_driver_byte(scpnt, SUGGEST_RETRY); set_driver_byte(scpnt, SUGGEST_RETRY);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment