linux/include/scsi
Ewan D. Milne f9279c968c scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
The addition of the STARGET_REMOVE state had the side effect of
introducing a race condition that can cause a crash.

scsi_target_reap_ref_release() checks the starget->state to
see if it is still in STARGET_CREATED, and if so, skips calling
transport_remove_device() and device_del(), because the starget->state
is only set to STARGET_RUNNING after scsi_target_add() has called
device_add() and transport_add_device().

However, if an rport loss occurs while a target is being scanned,
it can happen that scsi_remove_target() will be called while the
starget is still in the STARGET_CREATED state.  In this case, the
starget->state will be set to STARGET_REMOVE, and as a result,
scsi_target_reap_ref_release() will take the wrong path.  The end
result is a panic:

[ 1255.356653] Oops: 0000 [#1] SMP
[ 1255.360154] Modules linked in: x86_pkg_temp_thermal kvm_intel kvm irqbypass crc32c_intel ghash_clmulni_i
[ 1255.393234] CPU: 5 PID: 149 Comm: kworker/u96:4 Tainted: G        W       4.11.0+ #8
[ 1255.401879] Hardware name: Dell Inc. PowerEdge R320/08VT7V, BIOS 2.0.22 11/19/2013
[ 1255.410327] Workqueue: scsi_wq_6 fc_scsi_scan_rport [scsi_transport_fc]
[ 1255.417720] task: ffff88060ca8c8c0 task.stack: ffffc900048a8000
[ 1255.424331] RIP: 0010:kernfs_find_ns+0x13/0xc0
[ 1255.429287] RSP: 0018:ffffc900048abbf0 EFLAGS: 00010246
[ 1255.435123] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 1255.443083] RDX: 0000000000000000 RSI: ffffffff8188d659 RDI: 0000000000000000
[ 1255.451043] RBP: ffffc900048abc10 R08: 0000000000000000 R09: 0000012433fe0025
[ 1255.459005] R10: 0000000025e5a4b5 R11: 0000000025e5a4b5 R12: ffffffff8188d659
[ 1255.466972] R13: 0000000000000000 R14: ffff8805f55e5088 R15: 0000000000000000
[ 1255.474931] FS:  0000000000000000(0000) GS:ffff880616b40000(0000) knlGS:0000000000000000
[ 1255.483959] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1255.490370] CR2: 0000000000000068 CR3: 0000000001c09000 CR4: 00000000000406e0
[ 1255.498332] Call Trace:
[ 1255.501058]  kernfs_find_and_get_ns+0x31/0x60
[ 1255.505916]  sysfs_unmerge_group+0x1d/0x60
[ 1255.510498]  dpm_sysfs_remove+0x22/0x60
[ 1255.514783]  device_del+0xf4/0x2e0
[ 1255.518577]  ? device_remove_file+0x19/0x20
[ 1255.523241]  attribute_container_class_device_del+0x1a/0x20
[ 1255.529457]  transport_remove_classdev+0x4e/0x60
[ 1255.534607]  ? transport_add_class_device+0x40/0x40
[ 1255.540046]  attribute_container_device_trigger+0xb0/0xc0
[ 1255.546069]  transport_remove_device+0x15/0x20
[ 1255.551025]  scsi_target_reap_ref_release+0x25/0x40
[ 1255.556467]  scsi_target_reap+0x2e/0x40
[ 1255.560744]  __scsi_scan_target+0xaa/0x5b0
[ 1255.565312]  scsi_scan_target+0xec/0x100
[ 1255.569689]  fc_scsi_scan_rport+0xb1/0xc0 [scsi_transport_fc]
[ 1255.576099]  process_one_work+0x14b/0x390
[ 1255.580569]  worker_thread+0x4b/0x390
[ 1255.584651]  kthread+0x109/0x140
[ 1255.588251]  ? rescuer_thread+0x330/0x330
[ 1255.592730]  ? kthread_park+0x60/0x60
[ 1255.596815]  ret_from_fork+0x29/0x40
[ 1255.600801] Code: 24 08 48 83 42 40 01 5b 41 5c 5d c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90
[ 1255.621876] RIP: kernfs_find_ns+0x13/0xc0 RSP: ffffc900048abbf0
[ 1255.628479] CR2: 0000000000000068
[ 1255.632756] ---[ end trace 34a69ba0477d036f ]---

Fix this by adding another scsi_target state STARGET_CREATED_REMOVE
to distinguish this case.

Fixes: f05795d3d7 ("scsi: Add intermediate STARGET_REMOVE state to scsi_target_state")
Reported-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Laurence Oberman <loberman@redhat.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2017-07-01 16:54:44 -04:00
fc uapi: export all headers under uapi directories 2017-05-11 00:21:54 +09:00
fc_encode.h [SCSI] libfc: Add support for FDMI 2012-02-19 08:08:58 -06:00
fc_frame.h [SCSI] fcoe: remove unused ptype field in fcoe_rcv_info 2011-07-28 12:08:55 +04:00
fcoe_sysfs.h libfcoe, fcoe, bnx2fc: Add new fcoe control interface 2012-12-14 10:38:54 -08:00
iscsi_if.h scsi_transport_iscsi: Add 25G and 40G speed definition 2016-02-23 21:27:02 -05:00
iscsi_proto.h linux: drop __bitwise__ everywhere 2016-12-16 00:13:41 +02:00
iser.h IB/iser,isert: Create and use new shared header 2015-12-24 00:17:35 -05:00
libfc.h scsi: libfc: convert fc_fcp_pkt.ref_cnt from atomic_t to refcount_t 2017-03-15 18:44:02 -04:00
libfcoe.h fcoe: implement FIP VLAN responder 2016-07-20 19:49:41 -04:00
libiscsi_tcp.h iscsi_tcp: Use ahash 2016-01-27 20:36:10 +08:00
libiscsi.h SCSI misc on 20170503 2017-05-04 12:19:44 -07:00
libsas.h scsi: sas: scsi_queue_work can fail, so make callers aware 2017-06-27 21:28:04 -04:00
osd_attributes.h UAPI: (Scripted) Convert #include "..." to #include <path/...> in kernel system headers 2012-10-02 18:01:25 +01:00
osd_initiator.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_ore.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_protocol.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_sec.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_sense.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
osd_types.h Boaz Harrosh - Fix broken email address 2014-10-19 20:22:32 +03:00
sas_ata.h [SCSI] sas: unify the pointlessly separated enums sas_dev_type and sas_device_type 2013-05-10 07:47:52 -07:00
sas.h scsi: Centralise ssp frame information units 2015-11-25 22:12:50 -05:00
scsi_bsg_iscsi.h [SCSI] iscsi class: add bsg support to iscsi class 2011-08-27 08:36:21 -06:00
scsi_cmnd.h scsi: Avoid that scsi_exit_rq() triggers a use-after-free 2017-06-12 20:55:58 -04:00
scsi_common.h scsi: add scsi_set_sense_field_pointer() 2016-04-04 12:07:42 -04:00
scsi_dbg.h scsi: remove scsi_show_sense_hdr() 2015-12-02 16:36:14 -05:00
scsi_device.h scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state 2017-07-01 16:54:44 -04:00
scsi_devinfo.h scsi: remove various unused blist flags 2017-06-26 12:44:27 -04:00
scsi_dh.h scsi_dh: add 'rescan' callback 2016-02-23 21:27:02 -05:00
scsi_driver.h scsi: scsi_error: count medium access timeout only once per EH run 2017-04-06 13:07:32 -04:00
scsi_eh.h scsi: Improve scsi_get_sense_info_fld 2017-04-25 13:00:56 -04:00
scsi_host.h scsi: make asynchronous aborts mandatory 2017-04-06 13:07:33 -04:00
scsi_ioctl.h scsi: split scsi_nonblockable_ioctl 2014-11-12 11:16:11 +01:00
scsi_proto.h scsi: Remove the definition of VLC_SA_RECEIVE_CREDENTIAL 2017-06-26 15:01:04 -04:00
scsi_request.h scsi: introduce a result field in struct scsi_request 2017-04-20 12:16:10 -06:00
scsi_tcq.h scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
scsi_transport_fc.h scsi: fc: drop residual tsk_mgmt_response and it_nexus_response 2017-06-26 15:00:59 -04:00
scsi_transport_iscsi.h iSCSI: let session recovery_tmo sysfs writes persist across recovery 2015-07-30 12:43:00 -07:00
scsi_transport_sas.h scsi: sas: remove is_sas_attached() 2016-08-18 22:23:20 -04:00
scsi_transport_spi.h scsi: remove abuses of scsi_populate_tag 2014-11-12 11:19:41 +01:00
scsi_transport_srp.h scsi: remove tsk_mgmt_response and it_nexus_response transport methods 2017-02-06 19:10:41 -05:00
scsi_transport.h SCSI misc on 20170220 2017-02-21 11:51:42 -08:00
scsi.h scsi: remove useless acpi functions in the header file 2017-01-10 23:13:58 -05:00
scsicam.h
sg.h scsi: sg: disable SET_FORCE_LOW_DMA 2017-04-11 20:55:20 -04:00
srp.h IB/srp: Add 64-bit LUN support 2015-05-18 13:35:56 -04:00
viosrp.h ibmvscsis: Initial commit of IBM VSCSI Tgt Driver 2016-07-20 01:15:43 -07:00