From 0bc7df17290acb52d9b80f2474a0cff2c3c2e38a Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Wed, 2 Sep 2015 11:54:38 -0700 Subject: [PATCH] scst_lib: Fix a locking bug Avoid that the tgt_dev list can be modified after the spin_lock(&tgt_dev->tgt_dev_lock) statement and before the spin_unlock(&tgt_dev->tgt_dev_lock) statement. See also patch "scst: Rework sess_tgt_dev_list locking" (commit ID 5af7d9277ddfe895625f4347aa0b9643def04c59). Reported-by: Kurt Reddew --- scst/src/scst_lib.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/scst/src/scst_lib.c b/scst/src/scst_lib.c index 1a1bfad65..d09101381 100644 --- a/scst/src/scst_lib.c +++ b/scst/src/scst_lib.c @@ -11617,7 +11617,6 @@ again: spin_lock(&tgt_dev->tgt_dev_lock); } } - rcu_read_unlock(); #endif first = false; @@ -11647,7 +11646,6 @@ again: list_del(&UA_entry->UA_list_entry); if (UA_entry->global_UA) { - rcu_read_lock(); for (i = 0; i < SESS_TGT_DEV_LIST_HASH_SIZE; i++) { struct list_head *head = &sess->sess_tgt_dev_list[i]; struct scst_tgt_dev *tgt_dev; @@ -11671,7 +11669,6 @@ again: } } } - rcu_read_unlock(); } mempool_free(UA_entry, scst_ua_mempool); @@ -11684,7 +11681,6 @@ again: out_unlock: if (global_unlock) { #if !defined(__CHECKER__) - rcu_read_lock(); for (i = SESS_TGT_DEV_LIST_HASH_SIZE-1; i >= 0; i--) { struct list_head *head = &sess->sess_tgt_dev_list[i]; struct scst_tgt_dev *tgt_dev;