Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2a5f07b5 authored by Tejun Heo's avatar Tejun Heo Committed by Jeff Garzik
Browse files

libata: fix NULL sdev dereference race in atapi_qc_complete() 



SCSI commands may be issued between __scsi_add_device() and dev->sdev
assignment, so it's unsafe for ata_qc_complete() to dereference
dev->sdev->locked without checking whether it's NULL or not.  Fix it.

Signed-off-by: default avatarTejun Heo <tj@kernel.org>
Cc: stable@kernel.org
Signed-off-by: default avatarJeff Garzik <jgarzik@redhat.com>
parent a0a6da1a

drivers/ata/libata-scsi.c

+4 −1
Original line number Diff line number Diff line
@@ -2552,8 +2552,11 @@ static void atapi_qc_complete(struct ata_queued_cmd *qc) 
		 *

		 * If door lock fails, always clear sdev->locked to

		 * avoid this infinite loop.

		 *

		 * This may happen before SCSI scan is complete.  Make

		 * sure qc->dev->sdev isn't NULL before dereferencing.

		 */

		if (qc->cdb[0] == ALLOW_MEDIUM_REMOVAL)

		if (qc->cdb[0] == ALLOW_MEDIUM_REMOVAL && qc->dev->sdev)

			qc->dev->sdev->locked = 0;



		qc->scsicmd->result = SAM_STAT_CHECK_CONDITION;