From: Mike Christie <michaelc@cs.wisc.edu>
To: Hannes Reinecke <hare@suse.de>, linux-scsi@vger.kernel.org
Subject: Re: [PATCH 1/1] [PATCH REGRESSION] alua: fix bus detach oops
Date: Thu, 29 Jan 2015 02:59:12 -0600 [thread overview]
Message-ID: <54C9F660.8030704@cs.wisc.edu> (raw)
In-Reply-To: <54C9F324.1020102@suse.de>
On 01/29/2015 02:45 AM, Hannes Reinecke wrote:
> On 01/28/2015 10:46 AM, michaelc@cs.wisc.edu wrote:
>> From: Mike Christie <michaelc@cs.wisc.edu>
>>
>> This fixes a regression caused by commit
>> 1d5203284d8acbdfdf9b478d434450b34f338f28
>>
>> The bug is that the alua detach() callout will try to access the
>> sddev->scsi_dh_data, but we have already set it to NULL. This patch
>> moves the clearing of that field to after detach() is called.
>>
>> It looks like the regression was added during 3.19 development,
>> so it has not been in a released kernel, and so I did not cc
>> stable.
>>
>> Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
>>
>> ---
>> drivers/scsi/device_handler/scsi_dh.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/scsi/device_handler/scsi_dh.c b/drivers/scsi/device_handler/scsi_dh.c
>> index 1dba62c..1efebc9 100644
>> --- a/drivers/scsi/device_handler/scsi_dh.c
>> +++ b/drivers/scsi/device_handler/scsi_dh.c
>> @@ -136,11 +136,12 @@ static void __detach_handler (struct kref *kref)
>> struct scsi_device_handler *scsi_dh = scsi_dh_data->scsi_dh;
>> struct scsi_device *sdev = scsi_dh_data->sdev;
>>
>> + scsi_dh->detach(sdev);
>> +
>> spin_lock_irq(sdev->request_queue->queue_lock);
>> sdev->scsi_dh_data = NULL;
>> spin_unlock_irq(sdev->request_queue->queue_lock);
>>
>> - scsi_dh->detach(sdev);
>> sdev_printk(KERN_NOTICE, sdev, "%s: Detached\n", scsi_dh->name);
>> module_put(scsi_dh->module);
>> }
>>
> Errm.
>
> We save the contents first:
>
>> struct scsi_device_handler *scsi_dh = scsi_dh_data->scsi_dh;
>
> Then set the pointer to NULL:
>
>> sdev->scsi_dh_data = NULL;
>
> and then call 'detach':
>
>> scsi_dh->detach(sdev);
>
> So scsi_dh is _not_ NULL, hence it shouldn't oops.
>
The problem is the actual detach() functions are the ones that are
accessing the NULL'd scsi_dh_data->scsi_dh pointer.
So above we have set sdev->scsi_dh_data to NULL and then are calling
detach(). In scsi_dh_alua.c, get_alua_data() we will then access the
NULL'd pointer.
static void alua_bus_detach(struct scsi_device *sdev)
{
struct alua_dh_data *h = get_alua_data(sdev);
if (h->buff && h->inq != h->buff)
kfree(h->buff);
kfree(h);
prev parent reply other threads:[~2015-01-29 8:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-28 9:46 [PATCH 1/1] [PATCH REGRESSION] alua: fix bus detach oops michaelc
2015-01-29 8:45 ` Hannes Reinecke
2015-01-29 8:56 ` Christoph Hellwig
2015-01-29 8:59 ` Mike Christie [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54C9F660.8030704@cs.wisc.edu \
--to=michaelc@cs.wisc.edu \
--cc=hare@suse.de \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).