[SCSI] fix hot unplug vs async scan race

The following crash results from cases where the end_device has been removed before scsi_sysfs_add_sdev has had a chance to run. BUG: unable to handle kernel NULL pointer dereference at 0000000000000098 IP: [<ffffffff8115e100>] sysfs_create_dir+0x32/0xb6 ... Call Trace: [<ffffffff8125e4a8>] kobject_add_internal+0x120/0x1e3 [<ffffffff81075149>] ? trace_hardirqs_on+0xd/0xf [<ffffffff8125e641>] kobject_add_varg+0x41/0x50 [<ffffffff8125e70b>] kobject_add+0x64/0x66 [<ffffffff8131122b>] device_add+0x12d/0x63a [<ffffffff814b65ea>] ? _raw_spin_unlock_irqrestore+0x47/0x56 [<ffffffff8107de15>] ? module_refcount+0x89/0xa0 [<ffffffff8132f348>] scsi_sysfs_add_sdev+0x4e/0x28a [<ffffffff8132dcbb>] do_scan_async+0x9c/0x145 ...teach scsi_sysfs_add_devices() to check for deleted devices() before trying to add them, and teach scsi_remove_target() how to remove targets that have not been added via device_add(). Cc: <stable@vger.kernel.org> Reported-by: Dariusz Majchrzak <dariusz.majchrzak@intel.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2025-11-04 10:40:15 +02:00 · 2012-06-21 23:47:28 -07:00 · 2012-06-21 23:47:28 -07:00 · 3b661a92e8
commit 3b661a92e8
parent b5f1758f22
2 changed files with 30 additions and 16 deletions
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@ -1717,6 +1717,9 @@ static void scsi_sysfs_add_devices(struct Scsi_Host *shost)
 {
 	struct scsi_device *sdev;
 	shost_for_each_device(sdev, shost) {
 		/* target removed before the device could be added */
 		if (sdev->sdev_state == SDEV_DEL)
 			continue;
 		if (!scsi_host_scan_allowed(shost) ||
 		    scsi_sysfs_add_sdev(sdev) != 0)
 			__scsi_remove_device(sdev);
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@ -1005,7 +1005,6 @@ static void __scsi_remove_target(struct scsi_target *starget)
 	struct scsi_device *sdev;
 	spin_lock_irqsave(shost->host_lock, flags);
 	starget->reap_ref++;
 restart:
 	list_for_each_entry(sdev, &shost->__devices, siblings) {
 		if (sdev->channel != starget->channel ||
@ -1019,14 +1018,6 @@ static void __scsi_remove_target(struct scsi_target *starget)
 		goto restart;
 	}
 	spin_unlock_irqrestore(shost->host_lock, flags);
 	scsi_target_reap(starget);
 }
 static int __remove_child (struct device * dev, void * data)
 {
 	if (scsi_is_target_device(dev))
 		__scsi_remove_target(to_scsi_target(dev));
 	return 0;
 }
 /**
@ -1039,14 +1030,34 @@ static int __remove_child (struct device * dev, void * data)
 */
 void scsi_remove_target(struct device *dev)
 {
-	if (scsi_is_target_device(dev)) {
+	struct Scsi_Host *shost = dev_to_shost(dev->parent);
-		__scsi_remove_target(to_scsi_target(dev));
+	struct scsi_target *starget, *found;
-		return;
+	unsigned long flags;
 	}
-	get_device(dev);
+ restart:
-	device_for_each_child(dev, NULL, __remove_child);
+	found = NULL;
-	put_device(dev);
+	spin_lock_irqsave(shost->host_lock, flags);
 	list_for_each_entry(starget, &shost->__targets, siblings) {
 		if (starget->state == STARGET_DEL)
 			continue;
 		if (starget->dev.parent == dev || &starget->dev == dev) {
 			found = starget;
 			found->reap_ref++;
 			break;
 		}
 	}
 	spin_unlock_irqrestore(shost->host_lock, flags);
 	if (found) {
 		__scsi_remove_target(found);
 		scsi_target_reap(found);
 		/* in the case where @dev has multiple starget children,
 		 * continue removing.
 		 *
 		 * FIXME: does such a case exist?
 		 */
 		goto restart;
 	}
 }
 EXPORT_SYMBOL(scsi_remove_target);