From patchwork Thu Jul 28 22:18:48 2022
X-Patchwork-Submitter: Bart Van Assche
X-Patchwork-Id: 594306
From: Bart Van Assche
To: "Martin K . Petersen"
Cc: Jaegeuk Kim, linux-scsi@vger.kernel.org, Adrian Hunter, Bart Van Assche, Mike Christie, Ming Lei, Christoph Hellwig, Hannes Reinecke, John Garry, Li Zhijian, "James E.J. Bottomley"
Subject: [PATCH v5 1/4] scsi: core: Make sure that targets outlive devices
Date: Thu, 28 Jul 2022 15:18:48 -0700
Message-Id: <20220728221851.1822295-2-bvanassche@acm.org>
In-Reply-To: <20220728221851.1822295-1-bvanassche@acm.org>
References: <20220728221851.1822295-1-bvanassche@acm.org>

This patch prevents that the following sequence triggers a kernel crash:
* Deletion of a SCSI device is requested via sysfs. Device removal takes
  some time because blk_cleanup_queue() is waiting for the SCSI error
  handler.
* The SCSI target associated with that SCSI device is removed.
* scsi_remove_target() returns and its caller frees the resources
  associated with the SCSI target.
* The error handler makes progress and invokes an LLD callback that
  dereferences the SCSI target pointer.

Reported-by: Mike Christie
Reviewed-by: Ming Lei
Cc: Christoph Hellwig
Cc: Mike Christie
Cc: Hannes Reinecke
Cc: John Garry
Cc: Li Zhijian
Signed-off-by: Bart Van Assche
---
 drivers/scsi/scsi_scan.c   |  2 ++
 drivers/scsi/scsi_sysfs.c  | 20 +++++++++++++++++---
 include/scsi/scsi_device.h |  2 ++
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c index 91ac901a6682..4c1efd6a3b0c 100644 --- a/drivers/scsi/scsi_scan.c +++ b/drivers/scsi/scsi_scan.c @@ -521,6 +521,8 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, starget->state = STARGET_CREATED; starget->scsi_level = SCSI_2; starget->max_target_blocked = SCSI_DEFAULT_TARGET_BLOCKED; + init_waitqueue_head(&starget->sdev_wq); + retry: spin_lock_irqsave(shost->host_lock, flags); diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index 43949798a2e4..1bc9c26fe1d4 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -443,7 +443,9 @@ static void scsi_device_cls_release(struct device *class_dev) static void scsi_device_dev_release_usercontext(struct work_struct *work) { - struct scsi_device *sdev; + struct scsi_device *sdev = container_of(work, struct scsi_device, + ew.work); + struct scsi_target *starget = sdev->sdev_target; struct device *parent; struct list_head *this, *tmp; struct scsi_vpd *vpd_pg80 = NULL, *vpd_pg83 = NULL; @@ -452,8 +454,6 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work) unsigned long flags; struct module *mod; - sdev = container_of(work, struct scsi_device, ew.work); - mod = sdev->host->hostt->module; scsi_dh_release_device(sdev); @@ -516,6 +516,9 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work) kfree(sdev->inquiry); kfree(sdev); + if (starget && atomic_dec_return(&starget->sdev_count) == 0) + wake_up(&starget->sdev_wq); + if (parent) put_device(parent); module_put(mod); 
@@ -1535,6 +1538,14 @@ static void __scsi_remove_target(struct scsi_target *starget) goto restart; } spin_unlock_irqrestore(shost->host_lock, flags); + + /* + * After scsi_remove_target() returns its caller can remove resources + * associated with @starget, e.g. an rport or session. Wait until all + * devices associated with @starget have been removed to prevent that + * a SCSI error handling callback function triggers a use-after-free. + */ + wait_event(starget->sdev_wq, atomic_read(&starget->sdev_count) == 0); } /** @@ -1645,6 +1656,9 @@ void scsi_sysfs_device_initialize(struct scsi_device *sdev) list_add_tail(&sdev->same_target_siblings, &starget->devices); list_add_tail(&sdev->siblings, &shost->__devices); spin_unlock_irqrestore(shost->host_lock, flags); + + atomic_inc(&starget->sdev_count); + /* * device can now only be removed via __scsi_remove_device() so hold * the target. Target will be held in CREATED state until something diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h index 7cf5f3b7589f..190d2081f4c6 100644 --- a/include/scsi/scsi_device.h +++ b/include/scsi/scsi_device.h 
@@ -309,6 +309,8 @@ struct scsi_target { struct list_head devices; struct device dev; struct kref reap_ref; /* last put renders target invisible */ + atomic_t sdev_count; + wait_queue_head_t sdev_wq; unsigned int channel; unsigned int id; /* target id ... replace * scsi_device.id eventually */
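Review bot: In the scsi_alloc_target() hunk of drivers/scsi/scsi_scan.c, sdev_wq gets an explicit init_waitqueue_head() but sdev_count is never initialised in the visible lines, so its starting value of 0 depends on how starget is allocated. Since wait_event() in __scsi_remove_target() compares that counter to 0, add atomic_set(&starget->sdev_count, 0) next to init_waitqueue_head(), or a short comment stating that the allocation zeroes it.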
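Review bot: In the last scsi_device_dev_release_usercontext() hunk of patch 1/4, wake_up(&starget->sdev_wq) runs after atomic_dec_return() has already made the wait condition true, so a waiter in __scsi_remove_target() that evaluates the condition at that moment can return without sleeping, and its caller may start freeing target resources while wake_up() is still touching starget. Please add a comment naming the reference that keeps starget valid until wake_up() returns (the put_device(parent) that follows looks like the one), so that nobody later moves the decrement below it. The starget NULL test also deserves a word: the matching atomic_inc() in scsi_sysfs_device_initialize() is unconditional, so either sdev_target cannot be NULL here and the test can go, or the cases where it is NULL should be spelled out.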
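Review bot: The wait_event() added at the end of __scsi_remove_target() is uninterruptible and has no timeout, and the only place in this patch that lowers sdev_count is the device release function, so scsi_remove_target() now blocks for as long as anyone holds a reference to any scsi_device under the target. The commit message covers the error handler case; please also state in the new comment (or in the scsi_remove_target() kernel-doc) that callers must not hold a device reference themselves, and what is expected to happen when some other reference is long-lived, since that failure mode is a task stuck in scsi_remove_target() rather than a crash.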
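Review bot: In the scsi_sysfs_device_initialize() hunk, atomic_inc(&starget->sdev_count) is placed after spin_unlock_irqrestore(shost->host_lock, flags), while the list_add_tail() calls that put the device on starget->devices sit inside the locked region. That leaves a window in which the device is on the list but not yet counted; __scsi_remove_target() releases the same host_lock just before its wait_event(), so it could read a count of 0 in that window and return early. Move the atomic_inc() above the unlock so list membership and the count change together, or explain in a comment why the window is harmless.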
From: Bart Van Assche
To: "Martin K . Petersen"
Cc: Jaegeuk Kim, linux-scsi@vger.kernel.org, Adrian Hunter, Bart Van Assche, Ming Lei, Christoph Hellwig, Mike Christie, Hannes Reinecke, John Garry, "James E.J. Bottomley"
Subject: [PATCH v5 3/4] scsi: core: Simplify LLD module reference counting
Date: Thu, 28 Jul 2022 15:18:50 -0700
Message-Id: <20220728221851.1822295-4-bvanassche@acm.org>
In-Reply-To: <20220728221851.1822295-1-bvanassche@acm.org>
References: <20220728221851.1822295-1-bvanassche@acm.org>

From: Ming Lei

Swap two statements in scsi_device_put() now that it is guaranteed that
SCSI hosts outlive SCSI devices.

Remove the reference counting code from scsi_sysfs.c that became
superfluous because SCSI hosts now outlive SCSI devices.

Cc: Christoph Hellwig
Cc: Ming Lei
Cc: Mike Christie
Cc: Hannes Reinecke
Cc: John Garry
Signed-off-by: Ming Lei
Signed-off-by: Bart Van Assche
[ bvanassche: Extracted this patch from a larger patch ]
---
 drivers/scsi/scsi.c       | 9 ++++++---
 drivers/scsi/scsi_sysfs.c | 9 ---------
 2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c index c59eac7a32f2..086ec5b5862d 100644 --- a/drivers/scsi/scsi.c +++ b/drivers/scsi/scsi.c @@ -586,10 +586,13 @@ EXPORT_SYMBOL(scsi_device_get); */ void scsi_device_put(struct scsi_device *sdev) { - struct module *mod = sdev->host->hostt->module; - + /* + * Decreasing the module reference count before the device reference + * count is safe since scsi_remove_host() only returns after all + * devices have been removed. + */ + module_put(sdev->host->hostt->module); put_device(&sdev->sdev_gendev); - module_put(mod); } EXPORT_SYMBOL(scsi_device_put); diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index 1bc9c26fe1d4..213ebc88f76a 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -452,9 +452,6 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work) struct scsi_vpd *vpd_pg0 = NULL, *vpd_pg89 = NULL; struct scsi_vpd *vpd_pgb0 = NULL, *vpd_pgb1 = NULL, *vpd_pgb2 = NULL; unsigned long flags; - struct module *mod; - - mod = sdev->host->hostt->module; scsi_dh_release_device(sdev); @@ -521,17 +518,11 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work) if (parent) put_device(parent); - module_put(mod); } static void scsi_device_dev_release(struct device *dev) { struct scsi_device *sdp = to_scsi_device(dev); - - /* Set module pointer as NULL in case of module unloading */ - if (!try_module_get(sdp->host->hostt->module)) - sdp->host->hostt->module = NULL; - execute_in_process_context(scsi_device_dev_release_usercontext, &sdp->ew); }
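Review bot: In the scsi_device_put() hunk of drivers/scsi/scsi.c, the new comment justifies calling module_put() before put_device() with the guarantee that scsi_remove_host() only returns after all devices have been removed, but nothing in this patch establishes or checks that guarantee. Name the function or the patch in this series that provides it: the removed local "struct module *mod" kept the LLD module pinned until after put_device(&sdev->sdev_gendev), and with the new order the module reference is already gone when put_device() may drop the last device reference and start the release path.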
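Review bot: In the scsi_device_dev_release() hunk of drivers/scsi/scsi_sysfs.c, dropping try_module_get() (and the matching module_put(mod) at the end of scsi_device_dev_release_usercontext()) means nothing pins the LLD module while the release work runs, and that work is handed to execute_in_process_context(), so it may execute later than the put_device() that triggered it. The commit message relies on hosts outliving devices; please state, here or in the commit message, that host removal waits for this deferred work to finish and not only for the last device reference to be dropped, since the work still operates on sdev after that point.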