Re: [BUG] sg.c: sleeping function called from invalid context

iceberg wrote:
	KERNEL_VERSION: 2.6.31
	DESCRIBE:
Driver sg.c might sleep in atomic context, because it calls scsi_device_put under lock_kernel.

/drivers/scsi/sg.c:306:
	static int
	sg_open(struct inode *inode, struct file *filp)
	{
	...
	lock_kernel();
	...
	error_out:
	        if (retval)
	                scsi_device_put(sdp->device);
	...

Path to might_sleep macro from scsi_device_put:
1. scsi_device_put calls put_device at ./drivers/scsi/scsi.c:1111
2. put_device calls kobject_put at ./drivers/base/core.c:1038
3. kobject_put calls kref_put at ./lib/kobject.c
4. kref_put may call callback function kobject_release at ./lib/kref.c if refcount becomes zero, which might_sleep because it calls user event. Details:
	5.1 kobject_cleanup calls kobject_uevent at ./lib/kobject.c:555
	5.2 kobject_uevent calls kobject_uevent_env at ./lib/kobject_uevent.c:282
	5.3 kobject_uevent_env calls call_usermodehelper_exec at include/linux/kmod.h:83
	5.4 call_usermodehelper_exec calls wait_for_completion at ./kernel/kmod.c:481
	5.5 wait_for_completion calls wait_for_common at ./kernel/sched.c:5710
	5.6 wait_for_common calls might_sleep at ./kernels/sched.c:5692

Found by: Linux Driver Verification

This patch to sg_open() does one (and only one) unlock_kernel()
prior to scsi_device_put(). I presume sg_put_dev() may also
sleep so the unlock_kernel() is moved before it as well.

Hopefully Tomo will comment.

Doug Gilbert


--- linux/drivers/scsi/sg.c2631	2009-09-10 06:22:34.000000000 -0400
+++ linux/drivers/scsi/sg.c	2009-10-01 15:54:30.000000000 -0400
@@ -227,8 +227,10 @@
 	Sg_fd *sfp;
 	int res;
 	int retval;
+	int locked = 0;

 	lock_kernel();
+	locked = 1;
 	nonseekable_open(inode, filp);
 	SCSI_LOG_TIMEOUT(3, printk("sg_open: dev=%d, flags=0x%x\n", dev, flags));
 	sdp = sg_get_dev(dev);
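
Review bot: `locked` is declared as `int locked = 0;` and then set to 1 on the line directly after `lock_kernel()`, with no branch in between, so the flag's purpose is not evident from this hunk alone. A one-line comment at the declaration saying that it tracks whether the BKL is still held on the way through the `error_out`/`sg_put` exit labels would make the intent clear to the next reader; a `bool` would also state better than `int` that it only ever holds 0 or 1.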
@@ -302,12 +304,16 @@
 	}
 	retval = 0;
 error_out:
-	if (retval)
+	if (retval) {
+		unlock_kernel();
+		locked = 0;
 		scsi_device_put(sdp->device);
+	}
 sg_put:
+	if (locked)
+		unlock_kernel();
 	if (sdp)
 		sg_put_dev(sdp);
-	unlock_kernel();
 	return retval;
 }
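
Review bot: The ordering at `error_out:` and `sg_put:` is the whole fix, yet nothing in the code records why `unlock_kernel()` must come before `scsi_device_put(sdp->device)` and `sg_put_dev(sdp)`. Please add a short comment at both places stating that these calls may sleep and therefore run after the unlock, so a later cleanup does not move the unlock back to just above `return retval;`. Note also that the `locked = 0;` inside the `if (retval)` block is the only thing preventing a second `unlock_kernel()` when control falls through to `sg_put:`, and that paths jumping straight to `sg_put:` depend on `locked` still being 1; both are easy to break when a new exit path is added, so the comment should mention that every exit must pass through `sg_put:`.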
