kernel-packages team mailing list archive
Message #151734
[Bug 1509029] Re: [Hyper-V] Crash in hot-add/remove scsi devices (smp)
This bug was fixed in the package linux - 3.13.0-73.116
---------------
linux (3.13.0-73.116) trusty; urgency=low
[ Luis Henriques ]
* Release Tracking Bug
- LP: #1522858
[ Upstream Kernel Changes ]
* Revert "dm: fix AB-BA deadlock in __dm_destroy()"
- LP: #1522766
* dm: fix AB-BA deadlock in __dm_destroy()
- LP: #1522766
linux (3.13.0-72.115) trusty; urgency=low
[ Luis Henriques ]
* Release Tracking Bug
- LP: #1521979
[ Andy Whitcroft ]
* [Packaging] control -- make element ordering deterministic
- LP: #1516686
* [Packaging] control -- prepare for new kernel-wedge semantics
- LP: #1516686
* [Tests] rebuild -- fix up rebuild test
- LP: #1516686
* [Debian] rebuild should only trigger for non-linux packages
- LP: #1498862, #1516686
* [Tests] gcc-multilib does not exist on ppc64el
- LP: #1515541
[ Craig Magina ]
* [Config] Enable USB for arm64
- LP: #1514971
[ Duc Dang ]
* SAUCE: (noup) arm64: dts: Add USB nodes for APM X-Gene v1 platforms
- LP: #1514971
[ Joseph Salisbury ]
* SAUCE: scsi_sysfs: protect against double execution of
__scsi_remove_device()
- LP: #1509029
[ Upstream Kernel Changes ]
* Revert "ARM64: unwind: Fix PC calculation"
- LP: #1520264
* [SCSI] hpsa: allow SCSI mid layer to handle unit attention
- LP: #1512415
* usb: make xhci platform driver use 64 bit or 32 bit DMA
- LP: #1514971
* usb: Add support for ACPI identification to xhci-platform
- LP: #1514971
* xhci: Workaround to get Intel xHCI reset working more reliably
* isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
- LP: #1520264
* ppp, slip: Validate VJ compression slot parameters completely
- LP: #1520264
* staging/dgnc: fix info leak in ioctl
- LP: #1520264
* regmap: debugfs: Ensure we don't underflow when printing access masks
- LP: #1520264
* regmap: debugfs: Don't bother actually printing when calculating max
length
- LP: #1520264
* tools lib traceevent: Fix string handling in heterogeneous arch
environments
- LP: #1520264
* perf tools: Fix copying of /proc/kcore
- LP: #1520264
* ASoC: db1200: Fix DAI link format for db1300 and db1550
- LP: #1520264
* m68k: Define asmlinkage_protect
- LP: #1520264
* x86/xen: Support kexec/kdump in HVM guests by doing a soft reset
- LP: #1520264
* x86/xen: Do not clip xen_e820_map to xen_e820_map_entries when
sanitizing map
- LP: #1520264
* UBI: return ENOSPC if no enough space available
- LP: #1520264
* s390/boot: fix boot of compressed kernel built with gcc 4.9
- LP: #1520264
* s390/boot/decompression: disable floating point in decompressor
- LP: #1520264
* MIPS: dma-default: Fix 32-bit fall back to GFP_DMA
- LP: #1520264
* drm/qxl: recreate the primary surface when the bo is not primary
- LP: #1520264
* genirq: Fix race in register_irq_proc()
- LP: #1520264
* KVM: nSVM: Check for NRIPS support before updating control field
- LP: #1520264
* Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS
- LP: #1520264
* dm: fix AB-BA deadlock in __dm_destroy()
- LP: #1520264
* mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy
a fault
- LP: #1520264
* [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
- LP: #1520264
* x86/mm: Set NX on gap between __ex_table and rodata
- LP: #1520264
* ASoC: dwc: correct irq clear method
- LP: #1520264
* dm raid: fix round up of default region size
- LP: #1520264
* clocksource: Fix abs() usage w/ 64bit values
- LP: #1520264
* ALSA: hda - Apply SPDIF pin ctl to MacBookPro 12,1
- LP: #1520264
* USB: Add reset-resume quirk for two Plantronics usb headphones.
- LP: #1520264
* usb: Add device quirk for Logitech PTZ cameras
- LP: #1520264
* staging: speakup: fix speakup-r regression
- LP: #1520264
* ALSA: synth: Fix conflicting OSS device registration on AWE32
- LP: #1520264
* arm64: readahead: fault retry breaks mmap file read random detection
- LP: #1520264
* dm cache: fix NULL pointer when switching from cleaner policy
- LP: #1520264
* dmaengine: dw: properly read DWC_PARAMS register
- LP: #1520264
* 3w-9xxx: don't unmap bounce buffered commands
- LP: #1520264
* mm/slab: fix unexpected index mapping result of
kmalloc_size(INDEX_NODE+1)
- LP: #1520264
* workqueue: make sure delayed work run in local cpu
- LP: #1520264
* crypto: sparc - initialize blkcipher.ivsize
- LP: #1520264
* drm/nouveau/fbcon: take runpm reference when userspace has an open fd
- LP: #1520264
* crypto: ahash - ensure statesize is non-zero
- LP: #1520264
* dm thin: fix missing pool reference count decrement in pool_ctr error
path
- LP: #1520264
* btrfs: fix use after free iterating extrefs
- LP: #1520264
* i2c: rcar: enable RuntimePM before registering to the core
- LP: #1520264
* i2c: s3c2410: enable RuntimePM before registering to the core
- LP: #1520264
* i2c: designware-platdrv: enable RuntimePM before registering to the
core
- LP: #1520264
* i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348
- LP: #1520264
* l2tp: protect tunnel->del_work by ref_count
- LP: #1520264
* af_unix: Convert the unix_sk macro to an inline function for type
safety
- LP: #1520264
* af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
- LP: #1520264
* net/unix: fix logic about sk_peek_offset
- LP: #1520264
* skbuff: Fix skb checksum flag on skb pull
- LP: #1520264
* skbuff: Fix skb checksum partial check.
- LP: #1520264
* net: add pfmemalloc check in sk_add_backlog()
- LP: #1520264
* ppp: don't override sk->sk_state in pppoe_flush_dev()
- LP: #1520264
* ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
- LP: #1520264
* asix: Don't reset PHY on if_up for ASIX 88772
- LP: #1520264
* asix: Do full reset during ax88772_bind
- LP: #1520264
* ath9k: declare required extra tx headroom
- LP: #1520264
* iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
- LP: #1520264
* iwlwifi: dvm: fix D3 firmware PN programming
- LP: #1520264
* iwlwifi: mvm: fix D3 firmware PN programming
- LP: #1520264
* iwlwifi: fix firmware filename for 3160
- LP: #1520264
* ARM: orion: Fix DSA platform device after mvmdio conversion
- LP: #1520264
* xen-blkfront: check for null drvdata in blkback_changed
(XenbusStateClosing)
- LP: #1520264
* ALSA: hda - Fix inverted internal mic on Lenovo G50-80
- LP: #1504778, #1520264
* ASoC: Add info callback for SX_TLV controls
- LP: #1520264
* xhci: don't finish a TD if we get a short transfer event mid TD
- LP: #1520264
* xhci: handle no ping response error properly
- LP: #1520264
* xhci: Add spurious wakeup quirk for LynxPoint-LP controllers
- LP: #1520264
* ASoC: wm8904: Correct number of EQ registers
- LP: #1520264
* drm/nouveau/gem: return only valid domain when there's only one
- LP: #1520264
* powerpc/rtas: Validate rtas.entry before calling enter_rtas()
- LP: #1520264
* mm: make sendfile(2) killable
- LP: #1520264
* rbd: fix double free on rbd_dev->header_name
- LP: #1520264
* rbd: don't leak parent_spec in rbd_dev_probe_parent()
- LP: #1520264
* rbd: prevent kernel stack blow up on rbd map
- LP: #1520264
* dm btree remove: fix a bug when rebalancing nodes after removal
- LP: #1520264
* dm btree: fix leak of bufio-backed block in btree_split_beneath error
path
- LP: #1520264
* IB/cm: Fix rb-tree duplicate free and use-after-free
- LP: #1520264
* module: Fix locking in symbol_put_addr()
- LP: #1520264
* crypto: api - Only abort operations on fatal signal
- LP: #1520264
* md/raid1: submit_bio_wait() returns 0 on success
- LP: #1520264
* md/raid10: submit_bio_wait() returns 0 on success
- LP: #1520264
* iommu/amd: Don't clear DTE flags when modifying it
- LP: #1520264
* mvsas: Fix NULL pointer dereference in mvs_slot_task_free
- LP: #1520264
* drm/radeon: move bl encoder assignment into bl init
- LP: #1520264
* rbd: require stable pages if message data CRCs are enabled
- LP: #1520264
* md/raid5: fix locking in handle_stripe_clean_event()
- LP: #1520264
* net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes
- LP: #1520264
* ipv6: Fix IPsec pre-encap fragmentation check
- LP: #1520264
* ipv6: gre: support SIT encapsulation
- LP: #1520264
* ppp: fix pppoe_dev deletion condition in pppoe_release()
- LP: #1520264
* Linux 3.13.11-ckt30
- LP: #1520264
* KVM: svm: unconditionally intercept #DB
- LP: #1520184
- CVE-2015-8104
 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Fri, 04 Dec 2015 14:13:28 +0000
** Changed in: linux (Ubuntu Trusty)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8104
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1509029
Title:
[Hyper-V] Crash in hot-add/remove scsi devices (smp)
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Vivid:
Fix Committed
Status in linux source package in Wily:
Fix Committed
Status in linux source package in Xenial:
Fix Released
Bug description:
On some host errors the storvsc module tries to remove the sdev by scheduling
a job which does the following:
    sdev = scsi_device_lookup(wrk->host, 0, 0, wrk->lun);
    if (sdev) {
        scsi_remove_device(sdev);
        scsi_device_put(sdev);
    }

While this code seems correct, the following crash is observed:
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
RIP: 0010:[<ffffffff81169979>] [<ffffffff81169979>] bdi_destroy+0x39/0x220
...
[<ffffffff814aecdc>] ? _raw_spin_unlock_irq+0x2c/0x40
[<ffffffff8127b7db>] blk_cleanup_queue+0x17b/0x270
[<ffffffffa00b54c4>] __scsi_remove_device+0x54/0xd0 [scsi_mod]
[<ffffffffa00b556b>] scsi_remove_device+0x2b/0x40 [scsi_mod]
[<ffffffffa00ec47d>] storvsc_remove_lun+0x3d/0x60 [hv_storvsc]
[<ffffffff81080791>] process_one_work+0x1b1/0x530
...
The problem comes with the fact that many such jobs (for the same device)
are being scheduled simultaneously. While scsi_remove_device() uses
shost->scan_mutex and scsi_device_lookup() will fail for a device in
SDEV_DEL state, there is no protection against someone who did
scsi_device_lookup() before we actually entered __scsi_remove_device(). So
the whole scenario looks like this: two callers do simultaneous calls (or
preemption happens) to scsi_device_lookup() and these calls succeed for all
of them; after that both callers try doing scsi_remove_device().
shost->scan_mutex only serializes their calls to __scsi_remove_device()
and we end up doing the cleanup path twice.
Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
---
drivers/scsi/scsi_sysfs.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index b333389..e0d2707 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1076,6 +1076,14 @@ void __scsi_remove_device(struct scsi_device *sdev)
{
struct device *dev = &sdev->sdev_gendev;
+ /*
+ * This cleanup path is not reentrant and while it is impossible
+ * to get a new reference with scsi_device_get() someone can still
+ * hold a previously acquired one.
+ */
+ if (sdev->sdev_state == SDEV_DEL)
+ return;
+
if (sdev->is_visible) {
if (scsi_device_set_state(sdev, SDEV_CANCEL) != 0)
return;
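Review bot: the early return on `sdev->sdev_state == SDEV_DEL` is only race-free because, as the description says, every caller reaches __scsi_remove_device() with shost->scan_mutex held; that mutex is what orders the first caller's transition to SDEV_DEL before the second caller's check. The new comment should state that locking requirement explicitly, since a path entering this function without the mutex would still race between the check and the later state change. The comment also reasons about scsi_device_get() while the description explains the race through scsi_device_lookup(); naming the same function in both places would make the argument easier to follow.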
--
2.4.3
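The race described in the bug description, as an added example that is not part of the original report or of the kernel source: a small C model in which two workers both pass the device lookup before either reaches the serialized removal path. It shows the teardown running twice without the patch's SDEV_DEL check and once with it, and that the check only matters for the lookup-before-lock ordering. struct sdev, lookup(), put(), remove_device_locked() and the worker functions are constructed stand-ins, not the SCSI midlayer's own types or functions.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the race in the bug description. It is not kernel
 * code: struct sdev, lookup(), put() and remove_device_locked() are
 * simplified stand-ins for struct scsi_device, scsi_device_lookup(),
 * scsi_device_put() and __scsi_remove_device(). Calls to
 * remove_device_locked() are made one after another, which is how
 * shost->scan_mutex orders the real function.
 */

enum sdev_state { SDEV_RUNNING, SDEV_CANCEL, SDEV_DEL };

struct sdev {
    enum sdev_state state;
    int refcount;        /* references handed out by lookup() */
    int cleanup_count;   /* times the non-reentrant teardown ran */
    bool guard;          /* apply the patch's SDEV_DEL early return */
};

/* scsi_device_lookup() stand-in: refuses devices already in SDEV_DEL. */
static struct sdev *lookup(struct sdev *d)
{
    if (d->state == SDEV_DEL)
        return NULL;
    d->refcount++;
    return d;
}

/* scsi_device_put() stand-in. */
static void put(struct sdev *d)
{
    d->refcount--;
}

/* __scsi_remove_device() stand-in; the caller holds scan_mutex. */
static void remove_device_locked(struct sdev *d)
{
    /* The patch: a second pass through the cleanup path must bail out. */
    if (d->guard && d->state == SDEV_DEL)
        return;
    d->state = SDEV_CANCEL;
    d->cleanup_count++;    /* blk_cleanup_queue(), bdi_destroy(), ... */
    d->state = SDEV_DEL;
}

/*
 * The reported interleaving: both workers finish lookup() while the device
 * is still RUNNING, then enter the removal path one at a time. Returns the
 * number of times the teardown ran (2 reproduces the crash, 1 is correct).
 */
static int racing_workers(bool guard)
{
    struct sdev d = { SDEV_RUNNING, 0, 0, guard };
    struct sdev *a = lookup(&d);
    struct sdev *b = lookup(&d);   /* also succeeds: not yet SDEV_DEL */

    if (a) { remove_device_locked(a); put(a); }
    if (b) { remove_device_locked(b); put(b); }
    return d.cleanup_count;
}

/*
 * The benign ordering: the second worker only looks the device up after the
 * first removal completed, so lookup() fails and no guard is needed.
 */
static int serialized_workers(bool guard)
{
    struct sdev d = { SDEV_RUNNING, 0, 0, guard };
    struct sdev *a = lookup(&d);
    struct sdev *b;

    if (a) { remove_device_locked(a); put(a); }
    b = lookup(&d);                /* NULL: device is already in SDEV_DEL */
    if (b) { remove_device_locked(b); put(b); }
    return d.cleanup_count;
}

int main(void)
{
    printf("racing, no guard:   %d cleanups\n", racing_workers(false));
    printf("racing, with guard: %d cleanup(s)\n", racing_workers(true));
    printf("serialized:         %d cleanup(s)\n", serialized_workers(false));
    return 0;
}
```

The model deliberately keeps the lookup outside the serialized region, because that is the shape of the bug: the reference-taking step and the state check that is supposed to reject dead devices are not covered by the same lock, so a state test inside the serialized region is what makes the teardown idempotent.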
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1509029/+subscriptions