From: Luo Jiaxing <luojiaxing@huawei.com>
To: <gregkh@linuxfoundation.org>, <saravanak@google.com>,
	<jejb@linux.ibm.com>, <James.Bottomley@suse.de>,
	<James.Bottomley@HansenPartnership.com>, <john.garry@huawei.com>
Cc: <linux-kernel@vger.kernel.org>, <luojiaxing@huawei.com>,
	<linuxarm@huawei.com>
Subject: [PATCH v1] driver core: Use list_del_init to replace list_del at device_links_purge()
Date: Wed, 8 Jan 2020 19:34:04 +0800
Message-ID: <1578483244-50723-1-git-send-email-luojiaxing@huawei.com>

We found that with the kernel compilation options CONFIG_SCSI_ENCLOSURE and
CONFIG_ENCLOSURE_SERVICES enabled, repeated initialization and deletion of
the same SCSI device will cause a system panic, as follows:
[72.425705] Unable to handle kernel paging request at virtual address
dead000000000108
...
[72.595093] Call trace:
[72.597532] device_del + 0x194 / 0x3a0
[72.601012] enclosure_remove_device + 0xbc / 0xf8
[72.605445] ses_intf_remove + 0x9c / 0xd8
[72.609185] device_del + 0xf8 / 0x3a0
[72.612576] device_unregister + 0x14 / 0x30
[72.616489] __scsi_remove_device + 0xf4 / 0x140
[72.620747] scsi_remove_device + 0x28 / 0x40
[72.624745] scsi_remove_target + 0x1c8 / 0x220

After analysis, we see that in the error scenario, the ses module has the
following calling sequence:
device_register() -> device_del() -> device_add() -> device_del().
The first call to device_del() is fine, but the second call to device_del()
will cause a system panic.

Through disassembly, we located the panic: it happens when device_links_purge()
calls list_del() to remove device_links.needs_suppliers from the list, and
list_del() sets this list entry's prev and next pointers to poison.
So if INIT_LIST_HEAD() is not re-executed before the next list_del(), it
will cause the system to access a memory address which is poisoned.

Therefore, replacing list_del() with list_del_init() can avoid such an issue.

Fixes: e2ae9bcc4aaa ("driver core: Add support for linking devices during device addition")
Signed-off-by: Luo Jiaxing <luojiaxing@huawei.com>
Reviewed-by: John Garry <john.garry@huawei.com>
---
 drivers/base/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index 42a6724..7b9b0d6 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -1103,7 +1103,7 @@ static void device_links_purge(struct device *dev)
 	struct device_link *link, *ln;
 
 	mutex_lock(&wfs_lock);
-	list_del(&dev->links.needs_suppliers);
+	list_del_init(&dev->links.needs_suppliers);
 	mutex_unlock(&wfs_lock);
 
 	/*
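Review bot: The list_del_init() call on dev->links.needs_suppliers carries no comment explaining why this entry has to remain a valid empty list after the purge, so a later cleanup could switch it back to list_del() without noticing. Please add a one-line comment at that call stating that device_del() can run again on the same device without the list head being re-initialised. The commit message says the panic needs the sequence device_register() -> device_del() -> device_add() -> device_del(); it should also say whether that sequence is meant to be supported by the driver core. If it is not, this change only hides the double removal, and the ses caller is the place to fix it.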
-- 
2.7.4
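
The poisoning behaviour described in the commit message, as an added userspace model (not kernel code and not part of the patch). The `model_*` helpers and `next_del_store_addr()` are hypothetical names, the poison constants are assumed values for a 64-bit arm64 build, and the address computed after `list_del()` is the one a second deletion would write to first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the kernel's struct list_head; 64-bit build assumed. */
struct list_head { struct list_head *next, *prev; };

/* Assumed poison constants: 0x100/0x200 plus arm64's 0xdead000000000000. */
#define POISON_DELTA 0xdead000000000000ULL
#define LIST_POISON1 ((struct list_head *)(uintptr_t)(0x100 + POISON_DELTA))
#define LIST_POISON2 ((struct list_head *)(uintptr_t)(0x200 + POISON_DELTA))

static void init_list_head(struct list_head *e) { e->next = e; e->prev = e; }

static void list_unlink(struct list_head *e)
{
    e->next->prev = e->prev;    /* first store goes through e->next */
    e->prev->next = e->next;
}

/* list_del(): unlink, then poison both pointers so that reuse faults. */
static void model_list_del(struct list_head *e)
{
    list_unlink(e);
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
}

/* list_del_init(): unlink, then leave a valid empty (self-pointing) entry. */
static void model_list_del_init(struct list_head *e)
{
    list_unlink(e);
    init_list_head(e);
}

/* Address the next unlink of this entry would write first (not dereferenced). */
static uint64_t next_del_store_addr(const struct list_head *e)
{
    return (uint64_t)(uintptr_t)e->next + offsetof(struct list_head, prev);
}

int main(void)
{
    struct list_head a, b;
    init_list_head(&a); model_list_del(&a);
    init_list_head(&b); model_list_del_init(&b); model_list_del_init(&b);
    printf("list_del: next store at %#llx; list_del_init: empty=%d\n",
           (unsigned long long)next_del_store_addr(&a), b.next == &b);
    return 0;
}
```

Under these assumptions the store address after `list_del()` is 0xdead000000000108, the same value as the faulting address in the oops quoted in the commit message.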

