
kernel-packages team mailing list archive

[Bug 1509029] Re: [Hyper-V] Crash in hot-add/remove scsi devices (smp)


This bug was fixed in the package linux - 3.13.0-73.116

---------------
linux (3.13.0-73.116) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1522858

  [ Upstream Kernel Changes ]

  * Revert "dm: fix AB-BA deadlock in __dm_destroy()"
    - LP: #1522766
  * dm: fix AB-BA deadlock in __dm_destroy()
    - LP: #1522766

linux (3.13.0-72.115) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1521979

  [ Andy Whitcroft ]

  * [Packaging] control -- make element ordering deterministic
    - LP: #1516686
  * [Packaging] control -- prepare for new kernel-wedge semantics
    - LP: #1516686
  * [Tests] rebuild -- fix up rebuild test
    - LP: #1516686
  * [Debian] rebuild should only trigger for non-linux packages
    - LP: #1498862, #1516686
  * [Tests] gcc-multilib does not exist on ppc64el
    - LP: #1515541

  [ Craig Magina ]

  * [Config] Enable USB for arm64
    - LP: #1514971

  [ Duc Dang ]

  * SAUCE: (noup) arm64: dts: Add USB nodes for APM X-Gene v1 platforms
    - LP: #1514971

  [ Joseph Salisbury ]

  * SAUCE: scsi_sysfs: protect against double execution of
    __scsi_remove_device()
    - LP: #1509029

  [ Upstream Kernel Changes ]

  * Revert "ARM64: unwind: Fix PC calculation"
    - LP: #1520264
  * [SCSI] hpsa: allow SCSI mid layer to handle unit attention
    - LP: #1512415
  * usb: make xhci platform driver use 64 bit or 32 bit DMA
    - LP: #1514971
  * usb: Add support for ACPI identification to xhci-platform
    - LP: #1514971
  * xhci: Workaround to get Intel xHCI reset working more reliably
  * isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
    - LP: #1520264
  * ppp, slip: Validate VJ compression slot parameters completely
    - LP: #1520264
  * staging/dgnc: fix info leak in ioctl
    - LP: #1520264
  * regmap: debugfs: Ensure we don't underflow when printing access masks
    - LP: #1520264
  * regmap: debugfs: Don't bother actually printing when calculating max
    length
    - LP: #1520264
  * tools lib traceevent: Fix string handling in heterogeneous arch
    environments
    - LP: #1520264
  * perf tools: Fix copying of /proc/kcore
    - LP: #1520264
  * ASoC: db1200: Fix DAI link format for db1300 and db1550
    - LP: #1520264
  * m68k: Define asmlinkage_protect
    - LP: #1520264
  * x86/xen: Support kexec/kdump in HVM guests by doing a soft reset
    - LP: #1520264
  * x86/xen: Do not clip xen_e820_map to xen_e820_map_entries when
    sanitizing map
    - LP: #1520264
  * UBI: return ENOSPC if no enough space available
    - LP: #1520264
  * s390/boot: fix boot of compressed kernel built with gcc 4.9
    - LP: #1520264
  * s390/boot/decompression: disable floating point in decompressor
    - LP: #1520264
  * MIPS: dma-default: Fix 32-bit fall back to GFP_DMA
    - LP: #1520264
  * drm/qxl: recreate the primary surface when the bo is not primary
    - LP: #1520264
  * genirq: Fix race in register_irq_proc()
    - LP: #1520264
  * KVM: nSVM: Check for NRIPS support before updating control field
    - LP: #1520264
  * Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS
    - LP: #1520264
  * dm: fix AB-BA deadlock in __dm_destroy()
    - LP: #1520264
  * mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy
    a fault
    - LP: #1520264
  * [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
    - LP: #1520264
  * x86/mm: Set NX on gap between __ex_table and rodata
    - LP: #1520264
  * ASoC: dwc: correct irq clear method
    - LP: #1520264
  * dm raid: fix round up of default region size
    - LP: #1520264
  * clocksource: Fix abs() usage w/ 64bit values
    - LP: #1520264
  * ALSA: hda - Apply SPDIF pin ctl to MacBookPro 12,1
    - LP: #1520264
  * USB: Add reset-resume quirk for two Plantronics usb headphones.
    - LP: #1520264
  * usb: Add device quirk for Logitech PTZ cameras
    - LP: #1520264
  * staging: speakup: fix speakup-r regression
    - LP: #1520264
  * ALSA: synth: Fix conflicting OSS device registration on AWE32
    - LP: #1520264
  * arm64: readahead: fault retry breaks mmap file read random detection
    - LP: #1520264
  * dm cache: fix NULL pointer when switching from cleaner policy
    - LP: #1520264
  * dmaengine: dw: properly read DWC_PARAMS register
    - LP: #1520264
  * 3w-9xxx: don't unmap bounce buffered commands
    - LP: #1520264
  * mm/slab: fix unexpected index mapping result of
    kmalloc_size(INDEX_NODE+1)
    - LP: #1520264
  * workqueue: make sure delayed work run in local cpu
    - LP: #1520264
  * crypto: sparc - initialize blkcipher.ivsize
    - LP: #1520264
  * drm/nouveau/fbcon: take runpm reference when userspace has an open fd
    - LP: #1520264
  * crypto: ahash - ensure statesize is non-zero
    - LP: #1520264
  * dm thin: fix missing pool reference count decrement in pool_ctr error
    path
    - LP: #1520264
  * btrfs: fix use after free iterating extrefs
    - LP: #1520264
  * i2c: rcar: enable RuntimePM before registering to the core
    - LP: #1520264
  * i2c: s3c2410: enable RuntimePM before registering to the core
    - LP: #1520264
  * i2c: designware-platdrv: enable RuntimePM before registering to the
    core
    - LP: #1520264
  * i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348
    - LP: #1520264
  * l2tp: protect tunnel->del_work by ref_count
    - LP: #1520264
  * af_unix: Convert the unix_sk macro to an inline function for type
    safety
    - LP: #1520264
  * af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
    - LP: #1520264
  * net/unix: fix logic about sk_peek_offset
    - LP: #1520264
  * skbuff: Fix skb checksum flag on skb pull
    - LP: #1520264
  * skbuff: Fix skb checksum partial check.
    - LP: #1520264
  * net: add pfmemalloc check in sk_add_backlog()
    - LP: #1520264
  * ppp: don't override sk->sk_state in pppoe_flush_dev()
    - LP: #1520264
  * ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
    - LP: #1520264
  * asix: Don't reset PHY on if_up for ASIX 88772
    - LP: #1520264
  * asix: Do full reset during ax88772_bind
    - LP: #1520264
  * ath9k: declare required extra tx headroom
    - LP: #1520264
  * iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
    - LP: #1520264
  * iwlwifi: dvm: fix D3 firmware PN programming
    - LP: #1520264
  * iwlwifi: mvm: fix D3 firmware PN programming
    - LP: #1520264
  * iwlwifi: fix firmware filename for 3160
    - LP: #1520264
  * ARM: orion: Fix DSA platform device after mvmdio conversion
    - LP: #1520264
  * xen-blkfront: check for null drvdata in blkback_changed
    (XenbusStateClosing)
    - LP: #1520264
  * ALSA: hda - Fix inverted internal mic on Lenovo G50-80
    - LP: #1504778, #1520264
  * ASoC: Add info callback for SX_TLV controls
    - LP: #1520264
  * xhci: don't finish a TD if we get a short transfer event mid TD
    - LP: #1520264
  * xhci: handle no ping response error properly
    - LP: #1520264
  * xhci: Add spurious wakeup quirk for LynxPoint-LP controllers
    - LP: #1520264
  * ASoC: wm8904: Correct number of EQ registers
    - LP: #1520264
  * drm/nouveau/gem: return only valid domain when there's only one
    - LP: #1520264
  * powerpc/rtas: Validate rtas.entry before calling enter_rtas()
    - LP: #1520264
  * mm: make sendfile(2) killable
    - LP: #1520264
  * rbd: fix double free on rbd_dev->header_name
    - LP: #1520264
  * rbd: don't leak parent_spec in rbd_dev_probe_parent()
    - LP: #1520264
  * rbd: prevent kernel stack blow up on rbd map
    - LP: #1520264
  * dm btree remove: fix a bug when rebalancing nodes after removal
    - LP: #1520264
  * dm btree: fix leak of bufio-backed block in btree_split_beneath error
    path
    - LP: #1520264
  * IB/cm: Fix rb-tree duplicate free and use-after-free
    - LP: #1520264
  * module: Fix locking in symbol_put_addr()
    - LP: #1520264
  * crypto: api - Only abort operations on fatal signal
    - LP: #1520264
  * md/raid1: submit_bio_wait() returns 0 on success
    - LP: #1520264
  * md/raid10: submit_bio_wait() returns 0 on success
    - LP: #1520264
  * iommu/amd: Don't clear DTE flags when modifying it
    - LP: #1520264
  * mvsas: Fix NULL pointer dereference in mvs_slot_task_free
    - LP: #1520264
  * drm/radeon: move bl encoder assignment into bl init
    - LP: #1520264
  * rbd: require stable pages if message data CRCs are enabled
    - LP: #1520264
  * md/raid5: fix locking in handle_stripe_clean_event()
    - LP: #1520264
  * net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes
    - LP: #1520264
  * ipv6: Fix IPsec pre-encap fragmentation check
    - LP: #1520264
  * ipv6: gre: support SIT encapsulation
    - LP: #1520264
  * ppp: fix pppoe_dev deletion condition in pppoe_release()
    - LP: #1520264
  * Linux 3.13.11-ckt30
    - LP: #1520264
  * KVM: svm: unconditionally intercept #DB
    - LP: #1520184
    - CVE-2015-8104

 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Fri, 04 Dec 2015 14:13:28 +0000

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8104

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1509029

Title:
  [Hyper-V] Crash in hot-add/remove scsi devices (smp)

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in linux source package in Wily:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released

Bug description:
  On some host errors, the storvsc module tries to remove the sdev by scheduling a
  job which does the following:

     sdev = scsi_device_lookup(wrk->host, 0, 0, wrk->lun);
     if (sdev) {
         scsi_remove_device(sdev);
         scsi_device_put(sdev);
     }

  While this code seems correct, the following crash is observed:

   general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
   RIP: 0010:[<ffffffff81169979>]  [<ffffffff81169979>] bdi_destroy+0x39/0x220
   ...
   [<ffffffff814aecdc>] ? _raw_spin_unlock_irq+0x2c/0x40
   [<ffffffff8127b7db>] blk_cleanup_queue+0x17b/0x270
   [<ffffffffa00b54c4>] __scsi_remove_device+0x54/0xd0 [scsi_mod]
   [<ffffffffa00b556b>] scsi_remove_device+0x2b/0x40 [scsi_mod]
   [<ffffffffa00ec47d>] storvsc_remove_lun+0x3d/0x60 [hv_storvsc]
   [<ffffffff81080791>] process_one_work+0x1b1/0x530
   ...

  The problem comes with the fact that many such jobs (for the same device)
  are being scheduled simultaneously. While scsi_remove_device() uses
  shost->scan_mutex and scsi_device_lookup() will fail for a device in
  SDEV_DEL state there is no protection against someone who did
  scsi_device_lookup() before we actually entered __scsi_remove_device(). So
  the whole scenario looks like that: two callers do simultaneous (or
  preemption happens) calls to scsi_device_lookup() and these calls succeed
  for all of them, after that both callers try doing scsi_remove_device().
  shost->scan_mutex only serializes their calls to __scsi_remove_device()
  and we end up doing the cleanup path twice.

  Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
  ---
   drivers/scsi/scsi_sysfs.c | 8 ++++++++
   1 file changed, 8 insertions(+)

  diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
  index b333389..e0d2707 100644
  --- a/drivers/scsi/scsi_sysfs.c
  +++ b/drivers/scsi/scsi_sysfs.c
  @@ -1076,6 +1076,14 @@ void __scsi_remove_device(struct scsi_device *sdev)
   {
          struct device *dev = &sdev->sdev_gendev;

  +       /*
  +        * This cleanup path is not reentrant and while it is impossible
  +        * to get a new reference with scsi_device_get() someone can still
  +        * hold a previously acquired one.
  +        */
  +       if (sdev->sdev_state == SDEV_DEL)
  +               return;
  +
          if (sdev->is_visible) {
                  if (scsi_device_set_state(sdev, SDEV_CANCEL) != 0)
                          return;
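Review bot: the early return added at the top of __scsi_remove_device() reads sdev->sdev_state with no lock of its own, so it only closes the window if every caller reaches this function under shost->scan_mutex, which the description says is what serializes the two removers; the new comment should record that assumption so a future caller that skips scan_mutex is not silently left racy, e.g. append "Callers are serialized by shost->scan_mutex, so SDEV_DEL here means an earlier caller already ran the cleanup." It is also worth saying in the commit message that the second caller now returns silently rather than warning, since the description notes that many jobs for the same device get scheduled at once and that duplicate scheduling is something a maintainer may want surfaced.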

  
  --
  2.4.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1509029/+subscriptions
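The double-teardown interleaving described in the bug report, modelled as an added stand-alone C program (not kernel code and not the patch above). The struct, the state values and the lookup/remove functions are simplified stand-ins for the SCSI mid-layer, shost->scan_mutex is implied by the fixed call order, and a cleanup counter stands in for the blk_cleanup_queue()/bdi_destroy() crash.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the race in the bug report, not kernel code: the
 * names mirror the SCSI mid-layer but every function is a stand-in. */
enum sdev_state { SDEV_RUNNING, SDEV_CANCEL, SDEV_DEL };

struct scsi_device {
    enum sdev_state sdev_state;
    int refcount;   /* references handed out by scsi_device_lookup() */
    int cleanups;   /* how often the non-reentrant teardown ran */
};

/* scsi_device_lookup(): fails once the device is SDEV_DEL, but a reference
 * taken earlier stays valid, which is the window the bug lives in. */
static struct scsi_device *scsi_device_lookup(struct scsi_device *sdev)
{
    if (sdev->sdev_state == SDEV_DEL)
        return NULL;
    sdev->refcount++;
    return sdev;
}

static void scsi_device_put(struct scsi_device *sdev) { sdev->refcount--; }

/* __scsi_remove_device(): real callers reach it under shost->scan_mutex,
 * which the fixed call order below stands in for. Running the teardown
 * twice is the model's equivalent of the bdi_destroy() crash. */
static void __scsi_remove_device(struct scsi_device *sdev, bool guarded)
{
    if (guarded && sdev->sdev_state == SDEV_DEL)
        return;         /* the fix: an earlier caller already did this */
    sdev->sdev_state = SDEV_CANCEL;
    sdev->cleanups++;   /* blk_cleanup_queue(), bdi_destroy(), ... */
    sdev->sdev_state = SDEV_DEL;
}

/* Two storvsc jobs both finish scsi_device_lookup() before either one calls
 * scsi_remove_device(); returns how many times the teardown ran. */
int race_two_removals(bool guarded)
{
    struct scsi_device dev = { SDEV_RUNNING, 0, 0 };
    struct scsi_device *a = scsi_device_lookup(&dev);   /* job 1 */
    struct scsi_device *b = scsi_device_lookup(&dev);   /* job 2 */
    if (a) { __scsi_remove_device(a, guarded); scsi_device_put(a); }
    if (b) { __scsi_remove_device(b, guarded); scsi_device_put(b); }
    return dev.cleanups;
}
```

Without the state check the teardown runs once per held reference; with it the second caller returns before touching the already-destroyed queue.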

