From: Anthoine Bourgeois <anthoine.bourgeois@xxxxxxxxxxxxxxx>

The function scsi_device_dev_release_usercontext calls blk_put_queue with request_queue then sets request_queue to NULL. If the function scsi_device_dev_release_usercontext is racy then the next call to blk_put_queue will trigger the NULL pointer dereference below.

As the function __scsi_remove_device already does a call to blk_put_queue through blk_cleanup_queue, I guess that the usercontext call is deprecated and I remove it.

[100192.621568] BUG: unable to handle kernel NULL pointer dereference at 0000000000000204
[100192.629477] IP: kobject_put+0x9/0x1a0
[100192.633221] PGD 0 P4D 0
[100192.635838] Oops: 0000 [#1] SMP
[100192.639062] Modules linked in: xt_mark iptable_mangle cls_fw sch_htb xt_nat xt_multiport xt_NFLOG xt_conntrack ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack vfio_pci vfio_virqfd vfio_iommu_type1 vfio binfmt_misc team_mode_activebackup team 8021q garp stp mrp llc nfnetlink_log nfnetlink ext4 crc16 mbcache jbd2 fscrypto sd_mod sg intel_rapl x86_pkg_temp_thermal intel_powerclamp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 ixgbe crypto_simd xt_tcpudp ptp cryptd ahci ehci_pci pps_core glue_helper iTCO_wdt mdio ehci_hcd libahci intel_cstate iTCO_vendor_support dca mei_me intel_uncore lpc_ich intel_rapl_perf pcspkr libata usbcore mfd_core wmi mei shpchp evdev ipmi_si iptable_filter
[100192.710510]  button ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_devintf ipmi_msghandler acpi_power_meter vhost_net tun vhost tap sunrpc ip_tables x_tables autofs4
[100192.730210] CPU: 6 PID: 27002 Comm: kworker/u64:1 Tainted: G W 4.14.13+ #17
[100192.738371] Hardware name: GIGABYTE MG50-G20-XX/MG50-G20-XX, BIOS R05 04/19/2017
[100192.745845] Workqueue: scsi_wq_7 __iscsi_unbind_session [scsi_transport_iscsi]
[100192.753141] task: ffff9b87601fd0c0 task.stack: ffffa99586b58000
[100192.759138] RIP: 0010:kobject_put+0x9/0x1a0
[100192.763400] RSP: 0018:ffffa99586b5bd48 EFLAGS: 00010202
[100192.768705] RAX: ffff9b876fd31938 RBX: ffff9b876fd31938 RCX: 0000000000000000
[100192.775917] RDX: 0000000080000000 RSI: 0000000000000000 RDI: 00000000000001c8
[100192.783126] RBP: ffff9b876fd31f38 R08: 0000000000000006 R09: 0000000000000d7c
[100192.790337] R10: 0000000000000131 R11: ffffffff82792a6e R12: ffff9b876fd31800
[100192.797549] R13: dead000000000200 R14: dead000000000100 R15: ffff9b876fd31938
[100192.804760] FS:  0000000000000000(0000) GS:ffff9b8d9fb80000(0000) knlGS:0000000000000000
[100192.812922] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[100192.818747] CR2: 0000000000000204 CR3: 0000000b9ac09001 CR4: 00000000003626e0
[100192.825956] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[100192.833176] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[100192.840385] Call Trace:
[100192.842919]  scsi_device_dev_release_usercontext+0x1ad/0x260
[100192.848657]  execute_in_process_context+0x5e/0x70
[100192.853438]  device_release+0x2d/0x80
[100192.857198]  kobject_put+0xa5/0x1a0
[100192.860772]  scsi_remove_target+0x171/0x1b0
[100192.865038]  __iscsi_unbind_session+0xb3/0x160 [scsi_transport_iscsi]
[100192.871552]  process_one_work+0x181/0x370
[100192.875642]  worker_thread+0x4d/0x3c0
[100192.879385]  kthread+0xfc/0x130
[100192.882611]  ? process_one_work+0x370/0x370
[100192.886874]  ?
kthread_create_on_node+0x70/0x70 [100192.891485] ret_from_fork+0x1f/0x30 [100192.895142] Code: c2 8d 48 01 c1 e8 1f 81 fa ff ff ff 7f 40 0f 94 c7 40 08 c7 75 04 39 d1 7d d3 e9 ac 19 01 00 eb 99 90 48 85 ff 74 21 41 54 55 53 <f6> 47 3c 01 48 89 fb 0f 84 66 01 00 00 f0 ff 4b 38 0f 88 8e 19 [100192.914071] RIP: kobject_put+0x9/0x1a0 RSP: ffffa99586b5bd48 [100192.919807] CR2: 0000000000000204 [100192.923206] ---[ end trace f019b942eafc9961 ]--- --- drivers/scsi/scsi_sysfs.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index 7943b762c12d..b65e1c98a492 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -454,10 +454,6 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work) kfree(evt); } - blk_put_queue(sdev->request_queue); - /* NULL queue means the device can't be used */ - sdev->request_queue = NULL; - mutex_lock(&sdev->inquiry_mutex); rcu_swap_protected(sdev->vpd_pg80, vpd_pg80, lockdep_is_held(&sdev->inquiry_mutex)); -- 2.14.1
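Review bot: The fault in the trace is inside scsi_device_dev_release_usercontext itself (kobject_put with RDI 00000000000001c8 and CR2 0000000000000204, i.e. a field of the kobj embedded in a NULL request_queue), so the release function ran a second time against a device whose queue it had already put and cleared; deleting `blk_put_queue(sdev->request_queue);` and `sdev->request_queue = NULL;` silences that second entry but neither explains nor fixes why release is entered twice, and if this put balanced a reference the device held on its queue since allocation, removing it leaks the queue instead of fixing a race. The commit message only says "I guess that the usercontext call is deprecated"; before this is merged it should identify the matching get that makes the drop done by blk_cleanup_queue in __scsi_remove_device the only reference left, and it should address the removed comment `/* NULL queue means the device can't be used */`, since any code that relies on a NULL sdev->request_queue to recognise a torn-down device will now see a stale pointer to a queue blk_cleanup_queue has already released.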