-
Bart Van Assche authored
This patch fixes the following two complaints: WARNING: CPU: 3 PID: 1326 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x74/0x80 Modules linked in: scsi_debug sd_mod t10_pi brd scsi_transport_iscsi af_packet crct10dif_pclmul sg aesni_intel glue_helper virtio_balloon button crypto_simd cryptd intel_agp intel_gtt agpgart ip_tables x_tables ipv6 nf_defrag_ipv6 autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid hid sr_mod cdrom ata_generic pata_acpi virtio_blk virtio_net net_failover failover ata_piix xhci_pci ahci libahci xhci_hcd i2c_piix4 libata virtio_pci usbcore i2c_core virtio_ring scsi_mod usb_common virtio [last unloaded: scsi_debug] CPU: 3 PID: 1326 Comm: systemd-udevd Not tainted 5.6.0-rc1-dbg+ #1 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:mutex_destroy+0x74/0x80 Call Trace: sr_kref_release+0xb9/0xd0 [sr_mod] scsi_cd_put+0x79/0x90 [sr_mod] sr_block_release+0x54/0x70 [sr_mod] __blkdev_put+0x2ce/0x3c0 blkdev_put+0x68/0x220 blkdev_close+0x4d/0x60 __fput+0x170/0x3b0 ____fput+0x12/0x20 task_work_run+0xa2/0xf0 exit_to_usermode_loop+0xeb/0xf0 do_syscall_64+0x2be/0x300 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7fa16d40aab7 BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x98/0x420 Read of size 8 at addr ffff8881c6e4f4b0 by task systemd-udevd/1326 CPU: 3 PID: 1326 Comm: systemd-udevd Tainted: G W 5.6.0-rc1-dbg+ #1 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: dump_stack+0xa5/0xe6 print_address_description.constprop.0+0x46/0x60 __kasan_report.cold+0x7b/0x94 kasan_report+0x16/0x20 check_memory_region+0x140/0x1b0 __kasan_check_read+0x15/0x20 __mutex_unlock_slowpath+0x98/0x420 mutex_unlock+0x16/0x20 sr_block_release+0x5c/0x70 [sr_mod] __blkdev_put+0x2ce/0x3c0 hardirqs last enabled at (1875522): [<ffffffff81bb0696>] _raw_spin_unlock_irqrestore+0x56/0x70 blkdev_put+0x68/0x220 blkdev_close+0x4d/0x60 __fput+0x170/0x3b0 ____fput+0x12/0x20 task_work_run+0xa2/0xf0 exit_to_usermode_loop+0xeb/0xf0 do_syscall_64+0x2be/0x300 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7fa16d40aab7 Allocated by task 3201: save_stack+0x23/0x90 __kasan_kmalloc.constprop.0+0xcf/0xe0 kasan_kmalloc+0xd/0x10 kmem_cache_alloc_trace+0x161/0x3c0 sr_probe+0x12f/0xb60 [sr_mod] really_probe+0x183/0x5d0 driver_probe_device+0x13f/0x1a0 __device_attach_driver+0xe6/0x150 bus_for_each_drv+0x101/0x160 __device_attach+0x183/0x230 device_initial_probe+0x17/0x20 bus_probe_device+0x110/0x130 device_add+0xb7b/0xd40 scsi_sysfs_add_sdev+0xe8/0x360 [scsi_mod] scsi_probe_and_add_lun+0xdc4/0x14c0 [scsi_mod] __scsi_scan_target+0x12d/0x850 [scsi_mod] scsi_scan_channel+0xcd/0xe0 [scsi_mod] scsi_scan_host_selected+0x182/0x190 [scsi_mod] store_scan+0x1e9/0x200 [scsi_mod] dev_attr_store+0x42/0x60 sysfs_kf_write+0x8b/0xb0 kernfs_fop_write+0x158/0x250 __vfs_write+0x4c/0x90 vfs_write+0x145/0x2c0 ksys_write+0xd7/0x180 __x64_sys_write+0x47/0x50 do_syscall_64+0x6f/0x300 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 1326: save_stack+0x23/0x90 __kasan_slab_free+0x13a/0x190 kasan_slab_free+0x12/0x20 kfree+0x109/0x410 sr_kref_release+0xc1/0xd0 [sr_mod] scsi_cd_put+0x79/0x90 [sr_mod] sr_block_release+0x54/0x70 [sr_mod] __blkdev_put+0x2ce/0x3c0 blkdev_put+0x68/0x220 blkdev_close+0x4d/0x60 __fput+0x170/0x3b0 ____fput+0x12/0x20 task_work_run+0xa2/0xf0 exit_to_usermode_loop+0xeb/0xf0 do_syscall_64+0x2be/0x300 entry_SYSCALL_64_after_hwframe+0x49/0xbe Link: https://lore.kernel.org/r/20200330025151.10535-1-bvanassche@acm.org Fixes: 51a85881 ("scsi: sr: get rid of sr global mutex") Cc: Merlijn Wajer <merlijn@archive.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: <stable@kernel.org> Acked-by:
Merlijn Wajer <merlijn@archive.org> Signed-off-by:
Bart Van Assche <bvanassche@acm.org> Signed-off-by:
Martin K. Petersen <martin.petersen@oracle.com>
72655c0e
