On Wed, 2017-11-29 at 17:39 +0000, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> On Wed, Nov 29, 2017 at 04:18:30PM +0000, Bart Van Assche wrote:
> > As the above patch description shows it can happen that the SCSI core calls
> > get_device() after the device reference count has reached zero and before
> > the memory for struct device is freed. Although the above patch looks fine
> > to me, would you consider it acceptable to modify get_device() such that it
> > uses kobject_get_unless_zero() instead of kobject_get()? I'm asking this
> > because that change would help to reduce the complexity of the already too
> > complicated SCSI core.
>
> Shouldn't there be a bus lock somewhere preventing this race? Having an
> open-coded put call isn't good, as you see here.

Hello Greg,

The get_device() call occurs with the SCSI host lock held. The SCSI host lock
serializes iteration over the sibling list by the get_device() caller and
removal of the SCSI host from the SCSI device sibling list by
scsi_device_dev_release_usercontext(). If you have a look at
__scsi_remove_target() then you will see that the host lock has to be released
after a matching SCSI target has been found and before scsi_remove_device() is
called. The latter function namely may sleep.

Bart.
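The window the thread is about (last reference dropped, release not yet run, a lookup finds the object on a list and tries to take a reference) is easy to model outside the kernel. The following is an added userspace C example, not code from this thread or from the kernel: it uses C11 atomics to stand in for the kobject refcount, `obj_get` mirrors the unconditional increment of kobject_get(), and `obj_get_unless_zero` mirrors the compare-and-swap loop of kobject_get_unless_zero()/kref_get_unless_zero(). All names here are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a refcounted kernel object (not struct device). */
struct refobj {
    atomic_int refcount;
    int id;
};

/* Unconditional get: bumps the count even when it is already 0.
 * This is the behaviour the thread worries about: a caller that reaches
 * the object through a list after the last put() ends up "owning" a
 * reference to memory whose release is already in flight. */
static void obj_get(struct refobj *o)
{
    atomic_fetch_add(&o->refcount, 1);
}

/* Conditional get: only takes a reference while the count is still > 0.
 * Returns true on success, false if the object is already being torn down. */
static bool obj_get_unless_zero(struct refobj *o)
{
    int cur = atomic_load(&o->refcount);
    while (cur > 0) {
        /* On failure, cur is reloaded with the current value and re-checked. */
        if (atomic_compare_exchange_weak(&o->refcount, &cur, cur + 1))
            return true;
    }
    return false;
}

/* Drops a reference; returns true when this was the last one, i.e. the
 * owner must now run the release/free path. */
static bool obj_put(struct refobj *o)
{
    return atomic_fetch_sub(&o->refcount, 1) == 1;
}

/* Scenario 1: last put() already happened, release is pending, and a lookup
 * uses the unconditional get. Returns true if the lookup now holds a
 * reference to an object whose release is already in flight (dangling). */
static bool dangling_ref_with_plain_get(void)
{
    struct refobj o = { .id = 1 };
    atomic_init(&o.refcount, 1);
    bool release_pending = obj_put(&o);   /* 1 -> 0, free path scheduled */
    obj_get(&o);                          /* blindly resurrects to 1 */
    return release_pending && atomic_load(&o.refcount) == 1;
}

/* Scenario 2: same window, but the lookup uses get-unless-zero.
 * Returns true only if a dangling reference was handed out (it is not). */
static bool dangling_ref_with_get_unless_zero(void)
{
    struct refobj o = { .id = 1 };
    atomic_init(&o.refcount, 1);
    bool release_pending = obj_put(&o);   /* 1 -> 0 */
    bool got = obj_get_unless_zero(&o);   /* observes 0 and refuses */
    return release_pending && got;
}

/* Scenario 3: the object is live; get-unless-zero must still succeed.
 * Returns the refcount after one successful conditional get. */
static int refcount_after_get_on_live_object(void)
{
    struct refobj o = { .id = 2 };
    atomic_init(&o.refcount, 1);
    if (!obj_get_unless_zero(&o))
        return -1;                        /* would be a bug */
    return atomic_load(&o.refcount);      /* 2 */
}

int main(void)
{
    printf("plain get after last put -> dangling: %d\n",
           dangling_ref_with_plain_get());
    printf("get_unless_zero after last put -> dangling: %d\n",
           dangling_ref_with_get_unless_zero());
    printf("refcount after get on live object: %d\n",
           refcount_after_get_on_live_object());
    return 0;
}
```

The model shows why the conditional variant closes the window without a lock around the entire lookup: the lookup either observes a positive count and atomically bumps it, or observes zero and backs off, so the release path never has to race a late resurrection. What it does not model is the part Bart points out, namely that in __scsi_remove_target() the host lock must be dropped before scsi_remove_device() because that function may sleep, which is exactly why the lookup cannot simply hold the lock across the whole operation.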