From d1ad09db2fd551d49d65ef040591cb9298e70fb6 Mon Sep 17 00:00:00 2001 From: Heiko Carstens Date: Thu, 20 Dec 2007 12:30:22 +0100 Subject: [SCSI] zfcp: fix use after free bug. zfcp_erp_strategy_check_fsfreq() checks if it is safe to access the fsf_req associated with the erp_action that gets passed. To test if it is safe it accesses the fsf_req in order to get its index into the hash list. This is broken since the fsf_req might be freed already and the read index has no meaning. It could lead to memory corruption. Fix this by introducing a new zfcp_reqlist_find_safe() method which just checks if addresses are equal. This is slower, but only gets called in case of error recovery. Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Christof Schmitt Signed-off-by: Martin Peschke Signed-off-by: James Bottomley --- drivers/s390/scsi/zfcp_def.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'drivers/s390/scsi/zfcp_def.h') diff --git a/drivers/s390/scsi/zfcp_def.h b/drivers/s390/scsi/zfcp_def.h index 294d0792e82b..9e9f6c1e4e5d 100644 --- a/drivers/s390/scsi/zfcp_def.h +++ b/drivers/s390/scsi/zfcp_def.h @@ -1123,6 +1123,20 @@ zfcp_reqlist_find(struct zfcp_adapter *adapter, unsigned long req_id) return NULL; } +static inline struct zfcp_fsf_req * +zfcp_reqlist_find_safe(struct zfcp_adapter *adapter, struct zfcp_fsf_req *req) +{ + struct zfcp_fsf_req *request; + unsigned int idx; + + for (idx = 0; idx < REQUEST_LIST_SIZE; idx++) { + list_for_each_entry(request, &adapter->req_list[idx], list) + if (request == req) + return request; + } + return NULL; +} + /* * functions needed for reference/usage counting */ -- cgit v1.2.3-55-g7522