Patch "scsi: sg: Avoid sg device teardown race" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 7 Apr 2024 08:54:28 -0400

This is a note to let you know that I've just added the patch titled

    scsi: sg: Avoid sg device teardown race

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-sg-avoid-sg-device-teardown-race.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 735728cdaa3444338a870da6701fa0e8b82b9c88
Author: Alexander Wetzel <Alexander@xxxxxxxxxxxxxx>
Date:   Wed Mar 20 22:30:32 2024 +0100

    scsi: sg: Avoid sg device teardown race
    
    [ Upstream commit 27f58c04a8f438078583041468ec60597841284d ]
    
    sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling
    scsi_device_put().
    
    sg_device_destroy() is accessing the parent scsi_device request_queue which
    will already be set to NULL when the preceding call to scsi_device_put()
    removed the last reference to the parent scsi_device.
    
    The resulting NULL pointer exception will then crash the kernel.
    
    Link: https://lore.kernel.org/r/20240305150509.23896-1-Alexander@xxxxxxxxxxxxxx
    Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage")
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Alexander Wetzel <Alexander@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240320213032.18221-1-Alexander@xxxxxxxxxxxxxx
    Reviewed-by: Bart Van Assche <bvanassche@xxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 0d8afffd1683b..8bd95ee1825a6 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2208,6 +2208,7 @@ sg_remove_sfp_usercontext(struct work_struct *work)
 {
 	struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
 	struct sg_device *sdp = sfp->parentdp;
+	struct scsi_device *device = sdp->device;
 	Sg_request *srp;
 	unsigned long iflags;
 
@@ -2233,8 +2234,9 @@ sg_remove_sfp_usercontext(struct work_struct *work)
 			"sg_remove_sfp: sfp=0x%p\n", sfp));
 	kfree(sfp);
 
-	scsi_device_put(sdp->device);
+	WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1);
 	kref_put(&sdp->d_ref, sg_device_destroy);
+	scsi_device_put(device);
 	module_put(THIS_MODULE);
 }
 







