kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #151833
[Bug 1509029] Re: [Hyper-V] Crash in hot-add/remove scsi devices (smp)
This bug was fixed in the package linux - 4.2.0-21.25
---------------
linux (4.2.0-21.25) wily; urgency=low
[ Luis Henriques ]
* Release Tracking Bug
- LP: #1522108
[ Upstream Kernel Changes ]
* staging/dgnc: fix info leak in ioctl
- LP: #1509565
- CVE-2015-7885
* [media] media/vivid-osd: fix info leak in ioctl
- LP: #1509564
- CVE-2015-7884
* KEYS: Fix race between key destruction and finding a keyring by name
- LP: #1508856
- CVE-2015-7872
* KEYS: Fix crash when attempt to garbage collect an uninstantiated
keyring
- LP: #1508856
- CVE-2015-7872
* KEYS: Don't permit request_key() to construct a new keyring
- LP: #1508856
- CVE-2015-7872
* isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
- LP: #1508329
- CVE-2015-7799
* ppp, slip: Validate VJ compression slot parameters completely
- LP: #1508329
- CVE-2015-7799
linux (4.2.0-20.24) wily; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1521753
[ Andy Whitcroft ]
* [Tests] gcc-multilib does not exist on ppc64el
- LP: #1515541
[ Joseph Salisbury ]
* SAUCE: scsi_sysfs: protect against double execution of
__scsi_remove_device()
- LP: #1509029
[ Manoj Kumar ]
* SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port 1
- LP: #1513583
[ Matthew R. Ochs ]
* SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover failure
- LP: #1513583
[ Oren Givon ]
* SAUCE: (noup) iwlwifi: Add new PCI IDs for the 8260 series
- LP: #1517375
[ Seth Forshee ]
* [Config] CONFIG_DRM_AMDGPU_CIK=n
- LP: #1510405
[ Upstream Kernel Changes ]
* net/mlx5e: Disable VLAN filter in promiscuous mode
- LP: #1514861
* drivers: net: xgene: fix RGMII 10/100Mb mode
- LP: #1433290
* HID: rmi: Disable scanning if the device is not a wake source
- LP: #1515503
* HID: rmi: Set F01 interrupt enable register when not set
- LP: #1515503
* net/mlx5e: Ethtool link speed setting fixes
- LP: #1517919
* scsi_scan: don't dump trace when scsi_prep_async_scan() is called twice
- LP: #1517942
* x86/ioapic: Disable interrupts when re-routing legacy IRQs
- LP: #1508593
* xhci: Workaround to get Intel xHCI reset working more reliably
* megaraid_sas: Do not use PAGE_SIZE for max_sectors
- LP: #1475166
* net: usb: cdc_ether: add Dell DW5580 as a mobile broadband adapter
- LP: #1513847
* KVM: svm: unconditionally intercept #DB
- LP: #1520184
- CVE-2015-8104
-- Luis Henriques <luis.henriques@xxxxxxxxxxxxx> Wed, 02 Dec 2015
17:30:58 +0000
** Changed in: linux (Ubuntu Wily)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7799
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7872
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7884
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7885
** Changed in: linux (Ubuntu Vivid)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1509029
Title:
[Hyper-V] Crash in hot-add/remove scsi devices (smp)
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Vivid:
Fix Released
Status in linux source package in Wily:
Fix Released
Status in linux source package in Xenial:
Fix Released
Bug description:
On some host errors storvsc module tries to remove sdev by scheduling a job
which does the following:
sdev = scsi_device_lookup(wrk->host, 0, 0, wrk->lun);
if (sdev) {
scsi_remove_device(sdev);
scsi_device_put(sdev);
}
While this code seems correct the following crash is observed:
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
RIP: 0010:[<ffffffff81169979>] [<ffffffff81169979>] bdi_destroy+0x39/0x220
...
[<ffffffff814aecdc>] ? _raw_spin_unlock_irq+0x2c/0x40
[<ffffffff8127b7db>] blk_cleanup_queue+0x17b/0x270
[<ffffffffa00b54c4>] __scsi_remove_device+0x54/0xd0 [scsi_mod]
[<ffffffffa00b556b>] scsi_remove_device+0x2b/0x40 [scsi_mod]
[<ffffffffa00ec47d>] storvsc_remove_lun+0x3d/0x60 [hv_storvsc]
[<ffffffff81080791>] process_one_work+0x1b1/0x530
...
The problem comes with the fact that many such jobs (for the same device)
are being scheduled simultaneously. While scsi_remove_device() uses
shost->scan_mutex and scsi_device_lookup() will fail for a device in
SDEV_DEL state there is no protection against someone who did
scsi_device_lookup() before we actually entered __scsi_remove_device(). So
the whole scenario looks like that: two callers do simultaneous (or
preemption happens) calls to scsi_device_lookup() ant these calls succeed
for all of them, after that both callers try doing scsi_remove_device().
shost->scan_mutex only serializes their calls to __scsi_remove_device()
and we end up doing the cleanup path twice.
Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
---
drivers/scsi/scsi_sysfs.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index b333389..e0d2707 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1076,6 +1076,14 @@ void __scsi_remove_device(struct scsi_device *sdev)
{
struct device *dev = &sdev->sdev_gendev;
+ /*
+ * This cleanup path is not reentrant and while it is impossible
+ * to get a new reference with scsi_device_get() someone can still
+ * hold a previously acquired one.
+ */
+ if (sdev->sdev_state == SDEV_DEL)
+ return;
+
if (sdev->is_visible) {
if (scsi_device_set_state(sdev, SDEV_CANCEL) != 0)
return;
--
2.4.3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1509029/+subscriptions
References