From: Mike Christie <michaelc@cs.wisc.edu>
To: Bart Van Assche <bvanassche@acm.org>
Cc: linux-scsi <linux-scsi@vger.kernel.org>,
James Bottomley <JBottomley@parallels.com>,
Stefan Richter <stefanr@s5r6.in-berlin.de>,
Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Subject: Re: [PATCH v5] sd: Fix device removal NULL pointer dereference
Date: Wed, 02 May 2012 02:58:55 -0500 [thread overview]
Message-ID: <4FA0E93F.7020005@cs.wisc.edu> (raw)
In-Reply-To: <4F959CED.8000200@acm.org>
On 04/23/2012 01:18 PM, Bart Van Assche wrote:
> Since scsi_prep_fn() may be invoked concurrently with
> scsi_remove_device(), keep the queuedata pointer in
> scsi_remove_device(). This patch fixes a kernel oops that
> can be triggered by USB device removal. See also
> http://www.spinics.net/lists/linux-scsi/msg56254.html.
I think the patch make sense. After blk_cleanup_queue calls
blk_drain_queue then no more IO will be queued to us and no IO is
running. At that point it is safe to release resources and clean things
up. Before that though there is no guarantee, so we hit your oops.
> void scsi_free_queue(struct request_queue *q)
> {
> - unsigned long flags;
> -
> - WARN_ON(q->queuedata);
> -
> - /* cause scsi_request_fn() to kill all non-finished requests */
> - spin_lock_irqsave(q->queue_lock, flags);
> - q->request_fn(q);
> - spin_unlock_irqrestore(q->queue_lock, flags);
> -
> blk_cleanup_queue(q);
I think you should just remove scsi_free_queue and then call
blk_cleanup_queue directly since there is nothing in scsi_free_queue now.
> }
>
> diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
> index 04c2a27..65801e9 100644
> --- a/drivers/scsi/scsi_sysfs.c
> +++ b/drivers/scsi/scsi_sysfs.c
> @@ -971,9 +971,6 @@ void __scsi_remove_device(struct scsi_device *sdev)
> sdev->host->hostt->slave_destroy(sdev);
> transport_destroy_device(dev);
>
> - /* cause the request function to reject all I/O requests */
> - sdev->request_queue->queuedata = NULL;
> -
> /* Freeing the queue signals to block that we're done */
> scsi_free_queue(sdev->request_queue);
> put_device(dev);
I think your patch fixes your issue, but I think we have a similar one
where if a user were to remove the device through sysfs IO could be just
hitting the LLD's queuecommand function when __scsi_remove_device is
run. __scsi_remove_device could call slave_destroy and other transport
desctructors could get called. Then the LLD could try to be accessing
those resources from their queuecommand. To also fix that I think we
would want to move the scsi_free_queue/blk_cleanup_queue call to the
beginning of __scsi_remove_device. Maybe that can be another patch since
it fixes a slightly different bug.
prev parent reply other threads:[~2012-05-02 7:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-23 18:18 [PATCH v5] sd: Fix device removal NULL pointer dereference Bart Van Assche
2012-05-02 7:58 ` Mike Christie [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FA0E93F.7020005@cs.wisc.edu \
--to=michaelc@cs.wisc.edu \
--cc=JBottomley@parallels.com \
--cc=bvanassche@acm.org \
--cc=j-nomura@ce.jp.nec.com \
--cc=linux-scsi@vger.kernel.org \
--cc=stefanr@s5r6.in-berlin.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).