← Back to team overview

kernel-packages team mailing list archive

[Bug 1509029] Re: [Hyper-V] Crash in hot-add/remove scsi devices (smp)

 

This bug was fixed in the package linux - 4.2.0-21.25

---------------
linux (4.2.0-21.25) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1522108

  [ Upstream Kernel Changes ]

  * staging/dgnc: fix info leak in ioctl
    - LP: #1509565
    - CVE-2015-7885
  * [media] media/vivid-osd: fix info leak in ioctl
    - LP: #1509564
    - CVE-2015-7884
  * KEYS: Fix race between key destruction and finding a keyring by name
    - LP: #1508856
    - CVE-2015-7872
  * KEYS: Fix crash when attempt to garbage collect an uninstantiated
    keyring
    - LP: #1508856
    - CVE-2015-7872
  * KEYS: Don't permit request_key() to construct a new keyring
    - LP: #1508856
    - CVE-2015-7872
  * isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
    - LP: #1508329
    - CVE-2015-7799
  * ppp, slip: Validate VJ compression slot parameters completely
    - LP: #1508329
    - CVE-2015-7799

linux (4.2.0-20.24) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1521753

  [ Andy Whitcroft ]

  * [Tests] gcc-multilib does not exist on ppc64el
    - LP: #1515541

  [ Joseph Salisbury ]

  * SAUCE: scsi_sysfs: protect against double execution of
    __scsi_remove_device()
    - LP: #1509029

  [ Manoj Kumar ]

  * SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port 1
    - LP: #1513583

  [ Matthew R. Ochs ]

  * SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover failure
    - LP: #1513583

  [ Oren Givon ]

  * SAUCE: (noup) iwlwifi: Add new PCI IDs for the 8260 series
    - LP: #1517375

  [ Seth Forshee ]

  * [Config] CONFIG_DRM_AMDGPU_CIK=n
    - LP: #1510405

  [ Upstream Kernel Changes ]

  * net/mlx5e: Disable VLAN filter in promiscuous mode
    - LP: #1514861
  * drivers: net: xgene: fix RGMII 10/100Mb mode
    - LP: #1433290
  * HID: rmi: Disable scanning if the device is not a wake source
    - LP: #1515503
  * HID: rmi: Set F01 interrupt enable register when not set
    - LP: #1515503
  * net/mlx5e: Ethtool link speed setting fixes
    - LP: #1517919
  * scsi_scan: don't dump trace when scsi_prep_async_scan() is called twice
    - LP: #1517942
  * x86/ioapic: Disable interrupts when re-routing legacy IRQs
    - LP: #1508593
  * xhci: Workaround to get Intel xHCI reset working more reliably
  * megaraid_sas: Do not use PAGE_SIZE for max_sectors
    - LP: #1475166
  * net: usb: cdc_ether: add Dell DW5580 as a mobile broadband adapter
    - LP: #1513847
  * KVM: svm: unconditionally intercept #DB
    - LP: #1520184
    - CVE-2015-8104

 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Wed, 02 Dec 2015
17:30:58 +0000

** Changed in: linux (Ubuntu Wily)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7799

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7872

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7884

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7885

** Changed in: linux (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1509029

Title:
  [Hyper-V] Crash in hot-add/remove scsi devices (smp)

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Wily:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  On some host errors storvsc module tries to remove sdev by scheduling a job
  which does the following:

     sdev = scsi_device_lookup(wrk->host, 0, 0, wrk->lun);
     if (sdev) {
         scsi_remove_device(sdev);
         scsi_device_put(sdev);
     }

  While this code seems correct the following crash is observed:

   general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
   RIP: 0010:[<ffffffff81169979>]  [<ffffffff81169979>] bdi_destroy+0x39/0x220
   ...
   [<ffffffff814aecdc>] ? _raw_spin_unlock_irq+0x2c/0x40
   [<ffffffff8127b7db>] blk_cleanup_queue+0x17b/0x270
   [<ffffffffa00b54c4>] __scsi_remove_device+0x54/0xd0 [scsi_mod]
   [<ffffffffa00b556b>] scsi_remove_device+0x2b/0x40 [scsi_mod]
   [<ffffffffa00ec47d>] storvsc_remove_lun+0x3d/0x60 [hv_storvsc]
   [<ffffffff81080791>] process_one_work+0x1b1/0x530
   ...

  The problem comes with the fact that many such jobs (for the same device)
  are being scheduled simultaneously. While scsi_remove_device() uses
  shost->scan_mutex and scsi_device_lookup() will fail for a device in
  SDEV_DEL state there is no protection against someone who did
  scsi_device_lookup() before we actually entered __scsi_remove_device(). So
  the whole scenario looks like that: two callers do simultaneous (or
  preemption happens) calls to scsi_device_lookup() ant these calls succeed
  for all of them, after that both callers try doing scsi_remove_device().
  shost->scan_mutex only serializes their calls to __scsi_remove_device()
  and we end up doing the cleanup path twice.

  Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
  ---
   drivers/scsi/scsi_sysfs.c | 8 ++++++++
   1 file changed, 8 insertions(+)

  diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
  index b333389..e0d2707 100644
  --- a/drivers/scsi/scsi_sysfs.c
  +++ b/drivers/scsi/scsi_sysfs.c
  @@ -1076,6 +1076,14 @@ void __scsi_remove_device(struct scsi_device *sdev)
   {
          struct device *dev = &sdev->sdev_gendev;

  +       /*
  +        * This cleanup path is not reentrant and while it is impossible
  +        * to get a new reference with scsi_device_get() someone can still
  +        * hold a previously acquired one.
  +        */
  +       if (sdev->sdev_state == SDEV_DEL)
  +               return;
  +
          if (sdev->is_visible) {
                  if (scsi_device_set_state(sdev, SDEV_CANCEL) != 0)
                          return;

  
  --
  2.4.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1509029/+subscriptions


References