lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1257240996-23118-1-git-send-email-den@openvz.org>
Date:	Tue, 3 Nov 2009 12:36:35 +0300
From:	"Denis V. Lunev" <den@...nvz.org>
To:	<akpm@...ux-foundation.org>
CC:	<linux-kernel@...r.kernel.org>, <linux-scsi@...r.kernel.org>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	"James E.J. Bottomley" <James.Bottomley@...e.de>,
	"Denis V. Lunev" <den@...nvz.org>
Subject: [PATCH 1/2] Crash in linux kernel when disconnecting usb storage

From: Alexey Kuznetsov <kuznet@....inr.ac.ru>

__scsi_remove_device() in scsi_forget_host() is executed out of scan_mutex
and races with scsi_destroy_sdev() <- scsi_sysfs_add_devices()
<- scsi_finish_async_scan(). The result is use after free and/or
double free, oops.

The fix is simple, move scsi_forget_host() under scan_mutex.

scsi_forget_host() is just sequence of __scsi_remove_device().
All another calls of __scsi_remove_device() are made under scan_mutex.
So that it is safe.

Signed-off-by: Alexey Kuznetsov <kuznet@....inr.ac.ru>
CC: James E.J. Bottomley <James.Bottomley@...e.de>
Signed-off-by: Denis V. Lunev <den@...nvz.org>
---
 drivers/scsi/hosts.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 5fd2da4..c968cc3 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -164,8 +164,8 @@ void scsi_remove_host(struct Scsi_Host *shost)
 			return;
 		}
 	spin_unlock_irqrestore(shost->host_lock, flags);
-	mutex_unlock(&shost->scan_mutex);
 	scsi_forget_host(shost);
+	mutex_unlock(&shost->scan_mutex);
 	scsi_proc_host_rm(shost);
 
 	spin_lock_irqsave(shost->host_lock, flags);
-- 
1.6.4.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ