[SCSI] zfcp: fix use after free bug.
author Heiko Carstens <heiko.carstens@de.ibm.com>
Thu, 20 Dec 2007 11:30:22 +0000 (12:30 +0100)
committer James Bottomley <James.Bottomley@HansenPartnership.com>
Sat, 12 Jan 2008 00:29:00 +0000 (18:29 -0600)
commit d1ad09db2fd551d49d65ef040591cb9298e70fb6
tree e26e31c96068ce3ab58ed14d4e51d68a308d3891
parent bfd90dce248a49ced2b7419ecf78af9f7f37039e
[SCSI] zfcp: fix use after free bug.

zfcp_erp_strategy_check_fsfreq() checks if it is safe to access the
fsf_req associated with the erp_action that gets passed. To test if
it is safe it accesses the fsf_req in order to get its index into
the hash list. This is broken since the fsf_req might be freed already
and the read index has no meaning. It could lead to memory corruption.
Fix this by introducing a new zfcp_reqlist_find_safe() method which
just checks if addresses are equal. This is slower, but only gets
called in case of error recovery.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
Signed-off-by: Martin Peschke <mp3@de.ibm.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
drivers/s390/scsi/zfcp_def.h
drivers/s390/scsi/zfcp_erp.c
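
The lookup problem described in the commit message, modelled in userspace C as an added example (not the zfcp driver's code and not the patch itself). `struct req`, `reqlist_find_by_index()`, `reqlist_find_safe()` and the bucket count are hypothetical stand-ins; the constructed scenario only unlinks the request instead of freeing it, so the model itself never touches freed memory.

```c
#include <stddef.h>
#define NBUCKETS 4  /* assumed table size for this model */
struct req { unsigned long id; struct req *next; };  /* id selects the bucket */
struct reqlist { struct req *bucket[NBUCKETS]; };

void reqlist_add(struct reqlist *rl, struct req *r)
{
    struct req **head = &rl->bucket[r->id % NBUCKETS];
    r->next = *head;
    *head = r;
}

void reqlist_remove(struct reqlist *rl, struct req *r)
{
    struct req **pp = &rl->bucket[r->id % NBUCKETS];
    while (*pp && *pp != r)
        pp = &(*pp)->next;
    if (*pp)
        *pp = r->next;
}

/* Broken: dereferences cand (cand->id) before it is known to be live. */
struct req *reqlist_find_by_index(struct reqlist *rl, struct req *cand)
{
    for (struct req *r = rl->bucket[cand->id % NBUCKETS]; r; r = r->next)
        if (r == cand)
            return r;
    return NULL;
}

/* Safe: compares addresses across all buckets; cand is never dereferenced. */
struct req *reqlist_find_safe(struct reqlist *rl, const struct req *cand)
{
    for (size_t i = 0; i < NBUCKETS; i++)
        for (struct req *r = rl->bucket[i]; r; r = r->next)
            if (r == cand)
                return r;
    return NULL;
}

/* Constructed: b has completed and left the list; a stale pointer remains. */
int demo_stale_lookup(void)
{
    static struct req a = { 5, NULL }, b = { 6, NULL };
    struct reqlist rl = { { NULL } };
    reqlist_add(&rl, &a);
    reqlist_add(&rl, &b);
    reqlist_remove(&rl, &b);  /* the driver would free b at this point */
    return reqlist_find_safe(&rl, &a) == &a && !reqlist_find_safe(&rl, &b);
}
```

A `NULL` result from the address-only lookup tells the caller that the pointer it holds is stale and must not be dereferenced.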