[PATCH 1/2] Crash in linux kernel when disconnecting usb storage

[PATCH 1/2] Crash in linux kernel when disconnecting usb storage

[Denis V. Lunev]

From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>

__scsi_remove_device() in scsi_forget_host() is executed out of scan_mutex
and races with scsi_destroy_sdev() <- scsi_sysfs_add_devices()
<- scsi_finish_async_scan(). The result is use after free and/or
double free, oops.

The fix is simple, move scsi_forget_host() under scan_mutex.

scsi_forget_host() is just sequence of __scsi_remove_device().
All another calls of __scsi_remove_device() are made under scan_mutex.
So that it is safe.

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
CC: James E.J. Bottomley <James.Bottomley@suse.de>
Signed-off-by: Denis V. Lunev <den@openvz.org>
---
 drivers/scsi/hosts.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 5fd2da4..c968cc3 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -164,8 +164,8 @@ void scsi_remove_host(struct Scsi_Host *shost)
 			return;
 		}
 	spin_unlock_irqrestore(shost->host_lock, flags);
-	mutex_unlock(&shost->scan_mutex);
 	scsi_forget_host(shost);
+	mutex_unlock(&shost->scan_mutex);
 	scsi_proc_host_rm(shost);
 
 	spin_lock_irqsave(shost->host_lock, flags);
-- 
1.6.4.4

[PATCH 1/2] Crash in linux kernel when disconnecting usb storage

[Denis V. Lunev]

From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>

__scsi_remove_device() in scsi_forget_host() is executed out of scan_mutex
and races with scsi_destroy_sdev() <- scsi_sysfs_add_devices()
<- scsi_finish_async_scan(). The result is use after free and/or
double free, oops.

The fix is simple, move scsi_forget_host() under scan_mutex.

scsi_forget_host() is just sequence of __scsi_remove_device().
All another calls of __scsi_remove_device() are made under scan_mutex.
So that it is safe.

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
CC: James E.J. Bottomley <James.Bottomley@suse.de>
Signed-off-by: Denis V. Lunev <den@openvz.org>
---
 drivers/scsi/hosts.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 5fd2da4..c968cc3 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -164,8 +164,8 @@ void scsi_remove_host(struct Scsi_Host *shost)
 			return;
 		}
 	spin_unlock_irqrestore(shost->host_lock, flags);
-	mutex_unlock(&shost->scan_mutex);
 	scsi_forget_host(shost);
+	mutex_unlock(&shost->scan_mutex);
 	scsi_proc_host_rm(shost);
 
 	spin_lock_irqsave(shost->host_lock, flags);
-- 
1.6.4.4

[PATCH 2/2] Another crash in linux kernel at diconnect of usb strorage

[Denis V. Lunev]

From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>

Asynchronous scan (scsi_add_lun()) sets state to SDEV_RUNNING,
but the device is not registered in sysfs.
Before async scan it was OK, because before releasing scan_mutex
old code called either scsi_sysfs_add_sdev() or scsi_destroy_sdev()
and, therefore, completed the work or discarded it.

With async scan the invariant is broken and scsi crashes
in __scsi_remove_device() when trying to unregister not registered
devices.

The fix could be introducing new state(s), which is equivalent
to SDEV_RUNNING, except for one thing, we know that scsi_sysfs_add_sdev()
has not been called yet. Or a separate flag, because the state
can be SDEV_BLOCK or even something else.

Simpler way is just to check that the device is regstered in sysfs
before unregistering. Another operations in __scsi_remove_device()
seem to be idempotent or even required, because  scsi_add_lun()
makes some part of work duplicated in scsi_sysfs_add_sdev().

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
CC: James E.J. Bottomley <James.Bottomley@suse.de>
Signed-off-by: Denis V. Lunev <den@openvz.org>
---
 drivers/scsi/scsi_sysfs.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 5c7eb63..ea02e9b 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -927,9 +927,17 @@ void __scsi_remove_device(struct scsi_device *sdev)
 		return;
 
 	bsg_unregister_queue(sdev->request_queue);
-	device_unregister(&sdev->sdev_dev);
+	/* Asynchronous scan violates invariant that SDEV_RUNNING
+	 * implies that device is registered in sysfs.
+	 * We could introduce new state flag or extend set of state,
+	 * but just plain checking that device is registered already
+	 * before trying to unregister it is enough.
+	 */
+	if (sdev->sdev_dev.kobj.parent)
+		device_unregister(&sdev->sdev_dev);
 	transport_remove_device(dev);
-	device_del(dev);
+	if (dev->kobj.parent)
+		device_del(dev);
 	scsi_device_set_state(sdev, SDEV_DEL);
 	if (sdev->host->hostt->slave_destroy)
 		sdev->host->hostt->slave_destroy(sdev);
-- 
1.6.4.4

[PATCH 2/2] Another crash in linux kernel at diconnect of usb strorage

[Denis V. Lunev]

From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>

Asynchronous scan (scsi_add_lun()) sets state to SDEV_RUNNING,
but the device is not registered in sysfs.
Before async scan it was OK, because before releasing scan_mutex
old code called either scsi_sysfs_add_sdev() or scsi_destroy_sdev()
and, therefore, completed the work or discarded it.

With async scan the invariant is broken and scsi crashes
in __scsi_remove_device() when trying to unregister not registered
devices.

The fix could be introducing new state(s), which is equivalent
to SDEV_RUNNING, except for one thing, we know that scsi_sysfs_add_sdev()
has not been called yet. Or a separate flag, because the state
can be SDEV_BLOCK or even something else.

Simpler way is just to check that the device is regstered in sysfs
before unregistering. Another operations in __scsi_remove_device()
seem to be idempotent or even required, because  scsi_add_lun()
makes some part of work duplicated in scsi_sysfs_add_sdev().

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
CC: James E.J. Bottomley <James.Bottomley@suse.de>
Signed-off-by: Denis V. Lunev <den@openvz.org>
---
 drivers/scsi/scsi_sysfs.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 5c7eb63..ea02e9b 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -927,9 +927,17 @@ void __scsi_remove_device(struct scsi_device *sdev)
 		return;
 
 	bsg_unregister_queue(sdev->request_queue);
-	device_unregister(&sdev->sdev_dev);
+	/* Asynchronous scan violates invariant that SDEV_RUNNING
+	 * implies that device is registered in sysfs.
+	 * We could introduce new state flag or extend set of state,
+	 * but just plain checking that device is registered already
+	 * before trying to unregister it is enough.
+	 */
+	if (sdev->sdev_dev.kobj.parent)
+		device_unregister(&sdev->sdev_dev);
 	transport_remove_device(dev);
-	device_del(dev);
+	if (dev->kobj.parent)
+		device_del(dev);
 	scsi_device_set_state(sdev, SDEV_DEL);
 	if (sdev->host->hostt->slave_destroy)
 		sdev->host->hostt->slave_destroy(sdev);
-- 
1.6.4.4