[BUG] scsi: sg: NULL pointer dereference

My new notebook is nearly always crashing when I physically disconnect
(some?) USB devices. For testing I used a SealOne USB device. But I
have the same issue with a USB DVD-ROM drive.

I have the issue with quite a few kernel releases. Never had a working
kernel on the new system, so the issue should go back to at least
kernel 6.2. (Not tested that. When needed I'm happy to try older
versions, too.)

The attached patch avoids the NULL pointer dereference without
aiming to be a proper fix. (Instead I then get the warning from the
new WARN_ON.)

Obviously sdp->device->request_queue in sg_device_destroy() is
sometimes NULL. And since the system is not always crashing it looks
like some kind of cleanup race.

My "normal" kernel with the issue currently is 6.7.5-gentoo.
But since that one is tainted, the kernel Oops and debug patch here
use 6.8.0-rc6-wt. (Interestingly the BUG report below did not freeze
the system as usual; the system continued to work.)

The kernel messages are:

usb 1-1: USB disconnect, device number 7
BUG: kernel NULL pointer dereference, address: 0000000000000370
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 5 PID: 683 Comm: kworker/5:11 Not tainted 6.8.0-rc6-wt+ #2
Hardware name: LENOVO 21D6CTO1WW/21D6CTO1WW, BIOS N3FET34W (1.19 ) 03/10/2023
Workqueue: events sg_remove_sfp_usercontext
RIP: 0010:mutex_lock+0x19/0x30
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 53 48 89 fb e8 22 dd ff ff 31 c0 65 48 8b 14 25 40 fb 02 00 <f0> 48 0f b1 13 75 06 5b c3 cc cc cc cc 48 89 df 5b eb b4 0f 1f 40
RSP: 0000:ffffbb0d412bfdd0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000370 RCX: 00000000820001c6
RDX: ffff985d58152080 RSI: fffff6c0041083c0 RDI: 0000000000000370
RBP: 0000000000000000 R08: ffff985d4420fc28 R09: 00000000820001c6
R10: ffff985d4420fea8 R11: 0000000000000181 R12: 0000000000000370
R13: ffff985d400518b0 R14: ffff985dddd046c0 R15: ffff985d4ebeb328
FS:  0000000000000000(0000) GS:ffff986c6f340000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000370 CR3: 000000015887a000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die+0x1f/0x70
 ? page_fault_oops+0x171/0x4d0
 ? __slab_free+0xe1/0x320
 ? exc_page_fault+0x7b/0x180
 ? asm_exc_page_fault+0x22/0x30
 ? mutex_lock+0x19/0x30
 blk_trace_remove+0x16/0xb0
 sg_device_destroy+0x26/0xa0
 sg_remove_sfp_usercontext+0x12c/0x190
 process_one_work+0x162/0x330
 worker_thread+0x2f1/0x410
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe1/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2d/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>
Modules linked in: uas usb_storage rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables bridge stp llc bnep snd_ctl_led ledtrig_audio snd_soc_skl_hda_dsp snd_soc_hdac_hdmi snd_sof_probes snd_soc_intel_hda_dsp_common snd_hda_codec_realtek snd_hda_codec_generic snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda intel_uncore_frequency snd_hda_ext_core intel_uncore_frequency_common snd_soc_acpi_intel_match intel_tcc_cooling snd_soc_acpi soundwire_bus x86_pkg_temp_thermal snd_hda_codec_hdmi intel_powerclamp snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine coretemp snd_hda_intel kvm_intel uvcvideo
 snd_intel_dspcfg snd_intel_sdw_acpi uvc videobuf2_vmalloc snd_hda_codec videobuf2_memops kvm iwlmvm processor_thermal_device_pci snd_hda_core videobuf2_v4l2 btusb processor_thermal_device iTCO_wdt btrtl snd_hwdep irqbypass videobuf2_common intel_pmc_bxt processor_thermal_wt_hint btintel mac80211 snd_pcm nxp_nci_i2c processor_thermal_rfim iTCO_vendor_support btbcm rapl nxp_nci snd_timer processor_thermal_rapl mei_wdt videodev vfat btmtk fat libarc4 intel_rapl_msr intel_rapl_common bluetooth mc nci intel_cstate processor_thermal_wt_req iwlwifi snd mei_me processor_thermal_power_floor i2c_i801 think_lmi intel_uncore pcspkr firmware_attributes_class i2c_smbus wmi_bmof mei idma64 soundcore processor_thermal_mbox nfc intel_pmc_core cfg80211 rfkill intel_vsec int3403_thermal int3400_thermal int340x_thermal_zone pmt_telemetry intel_hid acpi_thermal_rel pmt_class sparse_keymap acpi_tad acpi_pad joydev loop fuse nfnetlink mmc_block nvme nvme_core crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni
 rtsx_pci_sdmmc polyval_generic ghash_clmulni_intel sha512_ssse3 mmc_core sha256_ssse3 ucsi_acpi hid_multitouch sha1_ssse3 thunderbolt typec_ucsi rtsx_pci vmd typec i2c_hid_acpi i2c_hid pinctrl_alderlake serio_raw
CR2: 0000000000000370
---[ end trace 0000000000000000 ]---
RIP: 0010:mutex_lock+0x19/0x30
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 53 48 89 fb e8 22 dd ff ff 31 c0 65 48 8b 14 25 40 fb 02 00 <f0> 48 0f b1 13 75 06 5b c3 cc cc cc cc 48 89 df 5b eb b4 0f 1f 40
RSP: 0000:ffffbb0d412bfdd0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000370 RCX: 00000000820001c6
RDX: ffff985d58152080 RSI: fffff6c0041083c0 RDI: 0000000000000370
RBP: 0000000000000000 R08: ffff985d4420fc28 R09: 00000000820001c6
R10: ffff985d4420fea8 R11: 0000000000000181 R12: 0000000000000370
R13: ffff985d400518b0 R14: ffff985dddd046c0 R15: ffff985d4ebeb328
FS:  0000000000000000(0000) GS:ffff986c6f340000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000370 CR3: 000000015887a000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/5:11[683] exited with irqs disabled
---
 drivers/scsi/sg.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 86210e4dd0d3..94c07cd318a0 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1575,8 +1575,10 @@ sg_device_destroy(struct kref *kref)
 	 * any other cleanup.
 	 */
 
-	blk_trace_remove(q);
-	blk_put_queue(q);
+	if (!WARN_ON(!q)) {
+		blk_trace_remove(q);
+		blk_put_queue(q);
+	}
 
 	write_lock_irqsave(&sg_index_lock, flags);
 	idr_remove(&sg_index_idr, sdp->index);
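Review bot: the "if (!WARN_ON(!q))" guard only hides the symptom, as the cover text itself says: q is sdp->device->request_queue, and finding it NULL in sg_device_destroy() means the sg device's teardown (run from the sg_remove_sfp_usercontext work item in the trace) is racing with, or runs after, the teardown of the scsi_device it points to, so the destroy path is reading through a pointer whose owner may already be gone. The ordering of the two teardowns needs fixing rather than skipping blk_trace_remove()/blk_put_queue(), and as written the WARN_ON() will fire on every disconnect that hits the race, so this should not be merged as-is. Since blk_put_queue(q) balances a reference taken when the sg device was registered, one direction worth trying is to store the queue pointer in struct sg_device at that time and use it here, instead of re-reading it through sdp->device at destroy time. Please also confirm whether the scsi_device can already have been released when the work item runs; if so this is a use-after-free that a NULL check cannot catch.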
-- 
2.43.2




