linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org, jejb@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: [patch 34/37] SCSI: aha152x: Fix oops on module removal
Date: Tue, 13 May 2008 13:12:49 -0700	[thread overview]
Message-ID: <20080513201249.GI31167@suse.de> (raw)
In-Reply-To: <20080513201053.GA31167@suse.de>

[-- Attachment #1: scsi-aha152x-fix-oops-on-module-removal.patch --]
[-- Type: text/plain, Size: 2484 bytes --]

2.6.25-stable review patch.  If anyone has any objections, please let us
know.

------------------
From: James Bottomley <James.Bottomley@HansenPartnership.com>

commit 64976a0387835a7ac61bbe2a99b27ccae34eac5d upstream

Reported-by: Frank de Jong <frapex@xs4all.nl>
> after trying to unload the module:
> BUG: unable to handle kernel paging request at 00100100
> IP: [<fb9ff667>] :aha152x:aha152x_exit+0x47/0x6a
> *pde = 00000000
> Oops: 0000 [#1] PREEMPT SMP
> Modules linked in: aha152x(-) w83781d hwmon_vid tun ne 8390 bonding
> usb_storage snd_usb_audio snd_usb_lib snd_rawmidi pwc snd_seq_device
> compat_ioctl32 snd_hwdep videodev v4l1_compat 3c59x mii intel_agp
> agpgart snd_pcm_oss snd_pcm snd_timer snd_page_alloc snd_mixer_oss snd
>
> Pid: 2837, comm: rmmod Not tainted (2.6.25.3 #1)
> EIP: 0060:[<fb9ff667>] EFLAGS: 00210212 CPU: 0
> EIP is at aha152x_exit+0x47/0x6a [aha152x]
> EAX: 00000001 EBX: 000ffdc4 ECX: f7c517a8 EDX: 00000001
> ESI: 00000000 EDI: 00000003 EBP: e7880000 ESP: e7881f58
>   DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process rmmod (pid: 2837, ti=e7880000 task=f27eb580 task.ti=e7880000)
> Stack: fba03700 c01419d2 31616861 00783235 e795ee70 c0157709 b7f24000 e79ae000
>         c0158271 ffffffff b7f25000 e79ae004 e795e370 b7f25000 e795e37c e795e370
>         009ae000 fba03700 00000880 e7881fa8 00000000 bf93ec20 bf93ec20 c0102faa
> Call Trace:
>   [<c01419d2>] sys_delete_module+0x112/0x1a0
>   [<c0157709>] remove_vma+0x39/0x50
>   [<c0158271>] do_munmap+0x181/0x1f0
>   [<c0102faa>] sysenter_past_esp+0x5f/0x85
>   [<c0490000>] rsc_parse+0x0/0x3c0

The problem is that the driver calls aha152x_release() under a
list_for_each_entry().  Unfortunately, aha152x_release() deletes from
the list in question.  Fix this by using list_for_each_entry_safe().

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/scsi/aha152x.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/scsi/aha152x.c
+++ b/drivers/scsi/aha152x.c
@@ -3919,9 +3919,9 @@ static int __init aha152x_init(void)
 
 static void __exit aha152x_exit(void)
 {
-	struct aha152x_hostdata *hd;
+	struct aha152x_hostdata *hd, *tmp;
 
-	list_for_each_entry(hd, &aha152x_host_list, host_list) {
+	list_for_each_entry_safe(hd, tmp, &aha152x_host_list, host_list) {
 		struct Scsi_Host *shost = container_of((void *)hd, struct Scsi_Host, hostdata);
 
 		aha152x_release(shost);

-- 

  parent reply	other threads:[~2008-05-13 20:25 UTC|newest]

Thread overview: 57+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20080513200453.064446337@mini.kroah.org>
2008-05-13 20:10 ` [patch 00/37] 2.6.25.4 -stable review Greg KH
2008-05-13 20:11   ` [patch 01/37] V4L/DVB (7473): PATCH for various Dibcom based devices Greg KH
2008-05-14  1:27     ` Michael Krufky
2008-05-14  2:03       ` Greg KH
2008-05-14  2:34         ` Michael Krufky
2008-05-14  2:59           ` Greg KH
2008-05-13 20:11   ` [patch 02/37] vt: fix canonical input in UTF-8 mode Greg KH
2008-05-13 20:11   ` [patch 03/37] serial: access after NULL check in uart_flush_buffer() Greg KH
2008-05-13 20:11   ` [patch 04/37] OHCI: fix regression upon awakening from hibernation Greg KH
2008-05-13 20:11   ` [patch 05/37] XFRM: AUDIT: Fix flowlabel text format ambibuity Greg KH
2008-05-13 20:11   ` [patch 06/37] sparc: sunzilog uart order Greg KH
2008-05-13 20:11   ` [patch 07/37] sparc: Fix SA_ONSTACK signal handling Greg KH
2008-05-13 20:11   ` [patch 08/37] sparc: Fix fork/clone/vfork system call restart Greg KH
2008-05-13 20:11   ` [patch 09/37] sparc64: Stop creating dummy root PCI host controller devices Greg KH
2008-05-13 20:11   ` [patch 10/37] sparc64: Fix wedged irq regression Greg KH
2008-05-13 20:11   ` [patch 11/37] SPARC64: Fix args to 64-bit sys_semctl() via sys_ipc() Greg KH
2008-05-13 20:11   ` [patch 12/37] serial: Fix sparc driver name strings Greg KH
2008-05-13 20:12   ` [patch 13/37] sch_htb: remove from event queue in htb_parent_to_leaf() Greg KH
2008-05-13 20:12   ` [patch 14/37] macvlan: Fix memleak on device removal/crash on module removal Greg KH
2008-05-13 20:12   ` [patch 15/37] ipvs: fix oops in backup for fwmark conn templates Greg KH
2008-05-13 20:12   ` [patch 16/37] dccp: return -EINVAL on invalid feature length Greg KH
2008-05-13 20:12   ` [patch 17/37] can: Fix can_send() handling on dev_queue_xmit() failures Greg KH
2008-05-13 20:12   ` [patch 18/37] x86: use defconfigs from x86/configs/* Greg KH
2008-05-13 20:12   ` [patch 19/37] nf_conntrack: padding breaks conntrack hash on ARM Greg KH
2008-05-13 20:12   ` [patch 20/37] {nfnetlink, ip, ip6}_queue: fix skb_over_panic when enlarging packets Greg KH
2008-05-13 23:45     ` Arnaud Ebalard
2008-05-13 22:06       ` Greg KH
2008-05-14 16:45         ` Gustavo Guillermo Perez
2008-05-14 17:08           ` Patrick McHardy
2008-05-13 20:12   ` [patch 21/37] ata_piix: verify SIDPR access before enabling it Greg KH
2008-05-13 20:12   ` [patch 22/37] x86: sysfs cpu?/topology is empty in 2.6.25 (32-bit Intel system) Greg KH
2008-05-15 18:06     ` Vaidyanathan Srinivasan
2008-05-15 20:07       ` Greg KH
2008-05-13 20:12   ` [patch 23/37] i2c-piix4: Blacklist two mainboards Greg KH
2008-05-14 19:52     ` Hardware designt to prevent Damages... [WAS: [patch 23/37] i2c-piix4: Blacklist two mainboards] Michelle Konzack
2008-05-15 17:57       ` linux-os (Dick Johnson)
2008-05-16  9:55         ` Michelle Konzack
2008-05-15 18:49       ` Jean Delvare
2008-05-16 15:22         ` Michelle Konzack
2008-05-13 20:12   ` [patch 24/37] sparc: Fix ptrace() detach Greg KH
2008-05-13 20:12   ` [patch 25/37] sparc: Fix mremap address range validation Greg KH
2008-05-13 20:28     ` Linus Torvalds
2008-05-13 20:37       ` Greg KH
2008-05-14  1:04         ` David Miller
2008-05-14  1:03       ` David Miller
2008-05-13 20:12   ` [patch 26/37] sparc: Fix debugger syscall restart interactions Greg KH
2008-05-13 20:12   ` [patch 27/37] sparc32: Dont twiddle PT_DTRACE in exec Greg KH
2008-05-13 20:12   ` [patch 28/37] USB: airprime: unlock mutex instead of trying to lock it again Greg KH
2008-05-13 20:12   ` [patch 29/37] r8169: fix past rtl_chip_info array size for unknown chipsets Greg KH
2008-05-13 20:12   ` [patch 30/37] r8169: fix oops in r8169_get_mac_version Greg KH
2008-05-13 20:12   ` [patch 31/37] SCSI: qla1280: Fix queue depth problem Greg KH
2008-05-13 20:12   ` [patch 32/37] SCSI: libiscsi regression in 2.6.25: fix nop timer handling Greg KH
2008-05-13 20:12   ` [patch 33/37] SCSI: libiscsi regression in 2.6.25: fix setting of recv timer Greg KH
2008-05-13 20:12   ` Greg KH [this message]
2008-05-13 20:12   ` [patch 35/37] SCSI: aha152x: fix init suspiciously returned 1, it should follow 0/-E convention Greg KH
2008-05-13 20:12   ` [patch 36/37] rtc: rtc_time_to_tm: use unsigned arithmetic Greg KH
2008-05-13 20:12   ` [patch 37/37] md: fix raid5 repair operations Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080513201249.GI31167@suse.de \
    --to=gregkh@suse.de \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=cavokz@gmail.com \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=jejb@kernel.org \
    --cc=jmforbes@linuxtx.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zwane@arm.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).