From: Alexey Kuznetsov <[email protected]>
__scsi_remove_device() in scsi_forget_host() is executed out of scan_mutex
and races with scsi_destroy_sdev() <- scsi_sysfs_add_devices()
<- scsi_finish_async_scan(). The result is use after free and/or
double free, oops.
The fix is simple, move scsi_forget_host() under scan_mutex.
scsi_forget_host() is just sequence of __scsi_remove_device().
All another calls of __scsi_remove_device() are made under scan_mutex.
So that it is safe.
Signed-off-by: Alexey Kuznetsov <[email protected]>
CC: James E.J. Bottomley <[email protected]>
Signed-off-by: Denis V. Lunev <[email protected]>
---
drivers/scsi/hosts.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 5fd2da4..c968cc3 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -164,8 +164,8 @@ void scsi_remove_host(struct Scsi_Host *shost)
return;
}
spin_unlock_irqrestore(shost->host_lock, flags);
- mutex_unlock(&shost->scan_mutex);
scsi_forget_host(shost);
+ mutex_unlock(&shost->scan_mutex);
scsi_proc_host_rm(shost);
spin_lock_irqsave(shost->host_lock, flags);
--
1.6.4.4
From: Alexey Kuznetsov <[email protected]>
Asynchronous scan (scsi_add_lun()) sets state to SDEV_RUNNING,
but the device is not registered in sysfs.
Before async scan it was OK, because before releasing scan_mutex
old code called either scsi_sysfs_add_sdev() or scsi_destroy_sdev()
and, therefore, completed the work or discarded it.
With async scan the invariant is broken and scsi crashes
in __scsi_remove_device() when trying to unregister not registered
devices.
The fix could be introducing new state(s), which is equivalent
to SDEV_RUNNING, except for one thing, we know that scsi_sysfs_add_sdev()
has not been called yet. Or a separate flag, because the state
can be SDEV_BLOCK or even something else.
Simpler way is just to check that the device is regstered in sysfs
before unregistering. Another operations in __scsi_remove_device()
seem to be idempotent or even required, because scsi_add_lun()
makes some part of work duplicated in scsi_sysfs_add_sdev().
Signed-off-by: Alexey Kuznetsov <[email protected]>
CC: James E.J. Bottomley <[email protected]>
Signed-off-by: Denis V. Lunev <[email protected]>
---
drivers/scsi/scsi_sysfs.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 5c7eb63..ea02e9b 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -927,9 +927,17 @@ void __scsi_remove_device(struct scsi_device *sdev)
return;
bsg_unregister_queue(sdev->request_queue);
- device_unregister(&sdev->sdev_dev);
+ /* Asynchronous scan violates invariant that SDEV_RUNNING
+ * implies that device is registered in sysfs.
+ * We could introduce new state flag or extend set of state,
+ * but just plain checking that device is registered already
+ * before trying to unregister it is enough.
+ */
+ if (sdev->sdev_dev.kobj.parent)
+ device_unregister(&sdev->sdev_dev);
transport_remove_device(dev);
- device_del(dev);
+ if (dev->kobj.parent)
+ device_del(dev);
scsi_device_set_state(sdev, SDEV_DEL);
if (sdev->host->hostt->slave_destroy)
sdev->host->hostt->slave_destroy(sdev);
--
1.6.4.4