Hello Dashi,

On Tue, May 09, 2017 at 09:08:14AM +0000, Dashi DS1 Cao wrote:
> When debugging a race condition in scsi_remove_target of 3.12, I ran into this possible bug within scsi_alloc_target.
> When an existing "struct scsi_target" is found and used, the starget just got through kzmalloc should be freed, rather than doing a "put_device(dev)".

But that is exactly what is done when put_device is called and the internal ref-count drops below 1. It will go through the kobj-core and end up in scsi_target_dev_release().

Also this specific code was changed in 12fb8c1574d7d in 2010, see the commit message there.

Beste Grüße / Best regards,
- Benjamin Block

>
> diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c > index 81d4151..96795d4 100644 > --- a/drivers/scsi/scsi_scan.c > +++ b/drivers/scsi/scsi_scan.c > @@ -483,7 +483,7 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, > > spin_unlock_irqrestore(shost->host_lock, flags); > if (ref_got) { > - put_device(dev); > + kfree(starget); > return found_target; > } > /*
> --
>
> Dashi Cao
>

--
Linux on z Systems Development / IBM Systems & Technology Group
IBM Deutschland Research & Development GmbH
Chair of the Supervisory Board: Martina Koederitz / Management: Dirk Wittkopp
Registered office: Böblingen / Commercial register: Amtsgericht Stuttgart, HRB 243294
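
Review bot: The `kfree(starget)` in the `if (ref_got)` branch frees the new target directly instead of dropping its device reference, so it bypasses the release path. As the reply notes, `put_device(dev)` already ends in scsi_target_dev_release() once the count drops, so the existing code does not leak the allocation. Unless the description can show a concrete leak or use-after-free on this path, keep `put_device(dev)`. The changelog should also explain how the change relates to the scsi_remove_target race being debugged and to commit 12fb8c1574d7d, which touched this same code.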