From 2280521719e81919283b82902ac24058f87dfc1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= Date: Fri, 21 Aug 2015 07:29:22 +0300 Subject: mvsas: Fix NULL pointer dereference in mvs_slot_task_free MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When pci_pool_alloc fails in mvs_task_prep then task->lldd_task stays NULL but it's later used in mvs_abort_task as slot which is passed to mvs_slot_task_free causing NULL pointer dereference. Just return from mvs_slot_task_free when passed with NULL slot. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101891 Signed-off-by: Dāvis Mosāns Reviewed-by: Tomas Henzl Reviewed-by: Johannes Thumshirn Cc: stable@vger.kernel.org Signed-off-by: James Bottomley --- drivers/scsi/mvsas/mv_sas.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c index 454536c49315..9c780740fb82 100644 --- a/drivers/scsi/mvsas/mv_sas.c +++ b/drivers/scsi/mvsas/mv_sas.c @@ -887,6 +887,8 @@ static void mvs_slot_free(struct mvs_info *mvi, u32 rx_desc) static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task, struct mvs_slot_info *slot, u32 slot_idx) { + if (!slot) + return; if (!slot->task) return; if (!sas_protocol_ata(task->task_proto)) -- cgit v1.2.3 From 23695e41a1cac017edad2b38607f33678a31b877 Mon Sep 17 00:00:00 2001 From: Junichi Nomura Date: Tue, 6 Oct 2015 04:32:57 +0000 Subject: scsi_dh: fix use-after-free when removing scsi device The commit 1bab0de0274f ("dm-mpath, scsi_dh: don't let dm detach device handlers") removed reference counting of attached scsi device handler. As a result, handler data is freed immediately via scsi_dh->detach() in the context of scsi_remove_device() where activation request can be still in flight. This patch moves scsi_dh_handler_detach() to sdev releasing function, scsi_device_dev_release_usercontext(), at that point the device is already in quiesced state. Fixes: 1bab0de0274f ("dm-mpath, scsi_dh: don't let dm detach device handlers") Signed-off-by: Jun'ichi Nomura Acked-by: Christoph Hellwig Signed-off-by: James Bottomley --- drivers/scsi/scsi_dh.c | 6 +++++- drivers/scsi/scsi_priv.h | 2 ++ drivers/scsi/scsi_sysfs.c | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_dh.c b/drivers/scsi/scsi_dh.c index 0a2168e69bbc..cb78388de3fc 100644 --- a/drivers/scsi/scsi_dh.c +++ b/drivers/scsi/scsi_dh.c @@ -232,10 +232,14 @@ int scsi_dh_add_device(struct scsi_device *sdev) return err; } -void scsi_dh_remove_device(struct scsi_device *sdev) +void scsi_dh_release_device(struct scsi_device *sdev) { if (sdev->handler) scsi_dh_handler_detach(sdev); +} + +void scsi_dh_remove_device(struct scsi_device *sdev) +{ device_remove_file(&sdev->sdev_gendev, &scsi_dh_state_attr); } diff --git a/drivers/scsi/scsi_priv.h b/drivers/scsi/scsi_priv.h index 644bb7339b55..4d01cdb1b348 100644 --- a/drivers/scsi/scsi_priv.h +++ b/drivers/scsi/scsi_priv.h @@ -173,9 +173,11 @@ extern struct async_domain scsi_sd_probe_domain; /* scsi_dh.c */ #ifdef CONFIG_SCSI_DH int scsi_dh_add_device(struct scsi_device *sdev); +void scsi_dh_release_device(struct scsi_device *sdev); void scsi_dh_remove_device(struct scsi_device *sdev); #else static inline int scsi_dh_add_device(struct scsi_device *sdev) { return 0; } +static inline void scsi_dh_release_device(struct scsi_device *sdev) { } static inline void scsi_dh_remove_device(struct scsi_device *sdev) { } #endif diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index b333389f248f..dff8fafb741c 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -399,6 +399,8 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work) sdev = container_of(work, struct scsi_device, ew.work); + scsi_dh_release_device(sdev); + parent = sdev->sdev_gendev.parent; spin_lock_irqsave(sdev->host->host_lock, flags); -- cgit v1.2.3 From d6a32b98099fb6b257e9b4f7b3febb5aae6f7408 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Thu, 8 Oct 2015 09:25:32 +0100 Subject: scsi_dh: don't try to load a device handler during async probing Request_module gets really unhappy when called from async probing, so revert to not auto load device handler modules during the SCSI bus scan. While autoloading would be really useful we never did this until 4.3-rc and it turns out that functionality doesn't actually work. Fixes: 566079 ("dm-mpath, scsi_dh: request scsi_dh modules in scsi_dh, not dm-mpath") Signed-off-by: Christoph Hellwig Reported-by: Paul Mackerras Tested-by: Paul Mackerras Signed-off-by: James Bottomley --- drivers/scsi/scsi_dh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_dh.c b/drivers/scsi/scsi_dh.c index cb78388de3fc..e7649ed3f667 100644 --- a/drivers/scsi/scsi_dh.c +++ b/drivers/scsi/scsi_dh.c @@ -226,7 +226,7 @@ int scsi_dh_add_device(struct scsi_device *sdev) drv = scsi_dh_find_driver(sdev); if (drv) - devinfo = scsi_dh_lookup(drv); + devinfo = __scsi_dh_lookup(drv); if (devinfo) err = scsi_dh_handler_attach(sdev, devinfo); return err; -- cgit v1.2.3