From patchwork Wed Apr 11 16:23:30 2018
X-Patchwork-Submitter: Jens Axboe
X-Patchwork-Id: 10335749
To: linux-scsi, "linux-block@vger.kernel.org"
Cc: Jan Kara
From: Jens Axboe
Subject: sr: get/drop reference to device in revalidate and check_events
Date: Wed, 11 Apr 2018 10:23:30 -0600
X-Mailing-List: linux-scsi@vger.kernel.org

We can't just use scsi_cd() to get the scsi_cd structure, we have
to grab a live reference to the device. For both callbacks, we're
not inside an open where we already hold a reference to the device.

This fixes device removal/addition under concurrent device access,
which otherwise could result in the below oops.

NULL pointer dereference at 0000000000000010
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in:
sr 12:0:0:0: [sr2] scsi-1 drive
 scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl
sr 12:0:0:0: Attached scsi CD-ROM sr2
 sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc
sr 12:0:0:0: Attached scsi generic sg7 type 5
 igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif]
CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650
Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016
RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod]
RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292
RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66
RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000
RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d
R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000
FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? __invalidate_device+0x48/0x60
 check_disk_change+0x4c/0x60
 sr_block_open+0x16/0xd0 [sr_mod]
 __blkdev_get+0xb9/0x450
 ? iget5_locked+0x1c0/0x1e0
 blkdev_get+0x11e/0x320
 ? bdget+0x11d/0x150
 ? _raw_spin_unlock+0xa/0x20
 ? bd_acquire+0xc0/0xc0
 do_dentry_open+0x1b0/0x320
 ? inode_permission+0x24/0xc0
 path_openat+0x4e6/0x1420
 ? cpumask_any_but+0x1f/0x40
 ? flush_tlb_mm_range+0xa0/0x120
 do_filp_open+0x8c/0xf0
 ? __seccomp_filter+0x28/0x230
 ? _raw_spin_unlock+0xa/0x20
 ? __handle_mm_fault+0x7d6/0x9b0
 ? list_lru_add+0xa8/0xc0
 ? _raw_spin_unlock+0xa/0x20
 ? __alloc_fd+0xaf/0x160
 ? do_sys_open+0x1a6/0x230
 do_sys_open+0x1a6/0x230
 do_syscall_64+0x5a/0x100
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Signed-off-by: Jens Axboe
Reviewed-by: Lee Duncan
Reviewed-by: Jan Kara

diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c index 0cf25d789d05..3f3cb72e0c0c 100644 --- a/drivers/scsi/sr.c +++ b/drivers/scsi/sr.c
@@ -587,18 +587,28 @@ static int sr_block_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd, static unsigned int sr_block_check_events(struct gendisk *disk, unsigned int clearing) { - struct scsi_cd *cd = scsi_cd(disk); + unsigned int ret = 0; + struct scsi_cd *cd; - if (atomic_read(&cd->device->disk_events_disable_depth)) + cd = scsi_cd_get(disk); + if (!cd) return 0; - return cdrom_check_events(&cd->cdi, clearing); + if (!atomic_read(&cd->device->disk_events_disable_depth)) + ret = cdrom_check_events(&cd->cdi, clearing); + + scsi_cd_put(cd); + return ret; } static int sr_block_revalidate_disk(struct gendisk *disk) { - struct scsi_cd *cd = scsi_cd(disk); struct scsi_sense_hdr sshdr; + struct scsi_cd *cd; + + cd = scsi_cd_get(disk); + if (!cd) + return -ENXIO; /* if the unit is not ready, nothing more to do */ if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr)) @@ -607,6 +617,7 @@ static int sr_block_revalidate_disk(struct gendisk *disk) sr_cd_check(&cd->cdi); get_sectorsize(cd); out: + scsi_cd_put(cd); return 0; }
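
Review bot: the two new "if (!cd)" exits in the first hunk (@@ -587,18 +587,28 @@) return different things with no comment saying why: sr_block_check_events() returns 0, which a caller cannot tell apart from "no events pending", while sr_block_revalidate_disk() returns -ENXIO. Suggest a one-line comment at each exit stating that scsi_cd_get() failing means the device is going away and why that return value is the right one for that callback. A short comment that these callbacks can run before the opener holds its own reference would also help, since the call trace in the commit message reaches sr_block_revalidate_disk() through sr_block_open() and check_disk_change().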
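
Review bot: at the "out:" label in the second hunk (@@ -607,6 +617,7 @@), scsi_cd_put(cd) is now the only release of the reference taken at the top of sr_block_revalidate_disk(), so every exit after a successful scsi_cd_get() has to pass through it. The body of the scsi_test_unit_ready() branch sits between the two hunks and is not shown; please confirm it jumps to "out:" rather than returning directly, otherwise the reference leaks on the not-ready path. Since the label now performs cleanup, a name such as out_put would make that obligation visible to later edits.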