From: Anthoine Bourgeois <[email protected]>
The function scsi_device_dev_release_usercontext calls blk_put_queue
with request_queue, then sets request_queue to NULL. If the function
scsi_device_dev_release_usercontext is racy, then the next call to
blk_put_queue will trigger the NULL pointer dereference below.
As the function __scsi_remove_device already does a call to
blk_put_queue through blk_cleanup_queue, I guess that the usercontext
call is deprecated, so I remove it.
[100192.621568] BUG: unable to handle kernel NULL pointer dereference at 0000000000000204
[100192.629477] IP: kobject_put+0x9/0x1a0
[100192.633221] PGD 0 P4D 0
[100192.635838] Oops: 0000 [#1] SMP
[100192.639062] Modules linked in: xt_mark iptable_mangle cls_fw sch_htb xt_nat xt_multiport xt_NFLOG xt_conntrack ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack vfio_pci vfio_virqfd vfio_iommu_type1 vfio binfmt_misc team_mode_activebackup team 8021q garp stp mrp llc nfnetlink_log nfnetlink ext4 crc16 mbcache jbd2 fscrypto sd_mod sg intel_rapl x86_pkg_temp_thermal intel_powerclamp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 ixgbe crypto_simd xt_tcpudp ptp cryptd ahci ehci_pci pps_core glue_helper iTCO_wdt mdio ehci_hcd libahci intel_cstate iTCO_vendor_support dca mei_me intel_uncore lpc_ich intel_rapl_perf pcspkr libata usbcore mfd_core wmi mei shpchp evdev ipmi_si iptable_filter
[100192.710510]  button ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_devintf ipmi_msghandler acpi_power_meter vhost_net tun vhost tap sunrpc ip_tables x_tables autofs4
[100192.730210] CPU: 6 PID: 27002 Comm: kworker/u64:1 Tainted: G        W       4.14.13+ #17
[100192.738371] Hardware name: GIGABYTE MG50-G20-XX/MG50-G20-XX, BIOS R05 04/19/2017
[100192.745845] Workqueue: scsi_wq_7 __iscsi_unbind_session [scsi_transport_iscsi]
[100192.753141] task: ffff9b87601fd0c0 task.stack: ffffa99586b58000
[100192.759138] RIP: 0010:kobject_put+0x9/0x1a0
[100192.763400] RSP: 0018:ffffa99586b5bd48 EFLAGS: 00010202
[100192.768705] RAX: ffff9b876fd31938 RBX: ffff9b876fd31938 RCX: 0000000000000000
[100192.775917] RDX: 0000000080000000 RSI: 0000000000000000 RDI: 00000000000001c8
[100192.783126] RBP: ffff9b876fd31f38 R08: 0000000000000006 R09: 0000000000000d7c
[100192.790337] R10: 0000000000000131 R11: ffffffff82792a6e R12: ffff9b876fd31800
[100192.797549] R13: dead000000000200 R14: dead000000000100 R15: ffff9b876fd31938
[100192.804760] FS:  0000000000000000(0000) GS:ffff9b8d9fb80000(0000) knlGS:0000000000000000
[100192.812922] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[100192.818747] CR2: 0000000000000204 CR3: 0000000b9ac09001 CR4: 00000000003626e0
[100192.825956] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[100192.833176] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[100192.840385] Call Trace:
[100192.842919] scsi_device_dev_release_usercontext+0x1ad/0x260
[100192.848657] execute_in_process_context+0x5e/0x70
[100192.853438] device_release+0x2d/0x80
[100192.857198] kobject_put+0xa5/0x1a0
[100192.860772] scsi_remove_target+0x171/0x1b0
[100192.865038] __iscsi_unbind_session+0xb3/0x160 [scsi_transport_iscsi]
[100192.871552] process_one_work+0x181/0x370
[100192.875642] worker_thread+0x4d/0x3c0
[100192.879385] kthread+0xfc/0x130
[100192.882611] ? process_one_work+0x370/0x370
[100192.886874] ? kthread_create_on_node+0x70/0x70
[100192.891485] ret_from_fork+0x1f/0x30
[100192.895142] Code: c2 8d 48 01 c1 e8 1f 81 fa ff ff ff 7f 40 0f 94 c7 40 08 c7 75 04 39 d1 7d d3 e9 ac 19 01 00 eb 99 90 48 85 ff 74 21 41 54 55 53 <f6> 47 3c 01 48 89 fb 0f 84 66 01 00 00 f0 ff 4b 38 0f 88 8e 19
[100192.914071] RIP: kobject_put+0x9/0x1a0 RSP: ffffa99586b5bd48
[100192.919807] CR2: 0000000000000204
[100192.923206] ---[ end trace f019b942eafc9961 ]---
---
drivers/scsi/scsi_sysfs.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 7943b762c12d..b65e1c98a492 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -454,10 +454,6 @@ static void scsi_device_dev_release_usercontext(struct
work_struct *work)
kfree(evt);
}
- blk_put_queue(sdev->request_queue);
- /* NULL queue means the device can't be used */
- sdev->request_queue = NULL;
-
mutex_lock(&sdev->inquiry_mutex);
rcu_swap_protected(sdev->vpd_pg80, vpd_pg80,
lockdep_is_held(&sdev->inquiry_mutex));
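Review bot: removing this blk_put_queue() leaks a queue reference and hides the real bug rather than fixing it. The put dropped here balances the blk_get_queue() that scsi_alloc_sdev() takes on sdev->request_queue right after allocating it, while the put inside blk_cleanup_queue() (reached from __scsi_remove_device()) balances the allocation's own reference, so the two puts are not redundant and both are needed. The oops in the message also points at a different cause: the fault is at kobject_put+0x9 with RDI=00000000000001c8 and CR2=0000000000000204, and the faulting bytes `f6 47 3c 01` are a test on 0x3c(%rdi), i.e. kobject_put() was entered with &q->kobj computed from a NULL request_queue pointer. That means scsi_device_dev_release_usercontext() ran a second time after an earlier pass had already set `sdev->request_queue = NULL`, which is a double release of the sdev via the device_release() path shown under scsi_remove_target() and __iscsi_unbind_session(), and deleting these three lines only makes that second pass silent. Suggest keeping the put and chasing the unbalanced put_device() in the iSCSI unbind/remove_target path instead; if a defensive change is wanted in this function, make the double release visible rather than invisible, for example `if (WARN_ON_ONCE(!sdev->request_queue)) return;` ahead of the existing `blk_put_queue(sdev->request_queue);`.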
--
2.14.1