• H
    [SCSI] scsi_scan: Fix 'Poison overwritten' warning caused by using freed 'shost' · 267a6ad4
    Huajun Li 提交于
    In do_scan_async(), calling scsi_autopm_put_host(shost) may reference
    freed shost, and cause Posison overwitten warning.
    Yes, this case can happen, for example, an USB is disconnected just
    when do_scan_async() thread starts to run, then scsi_host_put() called
    in scsi_finish_async_scan() will lead to shost be freed(because the
    refcount of shost->shost_gendev decreases to 1 after USB disconnects),
    at this point, if references shost again, system will show following
    warning msg.
    
    To make scsi_autopm_put_host(shost) always reference a valid shost,
    put it just before scsi_host_put() in function
    scsi_finish_async_scan().
    
    [  299.281565] =============================================================================
    [  299.281634] BUG kmalloc-4096 (Tainted: G          I ): Poison overwritten
    [  299.281682] -----------------------------------------------------------------------------
    [  299.281684]
    [  299.281752] INFO: 0xffff880056c305d0-0xffff880056c305d0. First byte
    0x6a instead of 0x6b
    [  299.281816] INFO: Allocated in scsi_host_alloc+0x4a/0x490 age=1688
    cpu=1 pid=2004
    [  299.281870] 	__slab_alloc+0x617/0x6c1
    [  299.281901] 	__kmalloc+0x28c/0x2e0
    [  299.281931] 	scsi_host_alloc+0x4a/0x490
    [  299.281966] 	usb_stor_probe1+0x5b/0xc40 [usb_storage]
    [  299.282010] 	storage_probe+0xa4/0xe0 [usb_storage]
    [  299.282062] 	usb_probe_interface+0x172/0x330 [usbcore]
    [  299.282105] 	driver_probe_device+0x257/0x3b0
    [  299.282138] 	__driver_attach+0x103/0x110
    [  299.282171] 	bus_for_each_dev+0x8e/0xe0
    [  299.282201] 	driver_attach+0x26/0x30
    [  299.282230] 	bus_add_driver+0x1c4/0x430
    [  299.282260] 	driver_register+0xb6/0x230
    [  299.282298] 	usb_register_driver+0xe5/0x270 [usbcore]
    [  299.282337] 	0xffffffffa04ab03d
    [  299.282364] 	do_one_initcall+0x47/0x230
    [  299.282396] 	sys_init_module+0xa0f/0x1fe0
    [  299.282429] INFO: Freed in scsi_host_dev_release+0x18a/0x1d0 age=85
    cpu=0 pid=2008
    [  299.282482] 	__slab_free+0x3c/0x2a1
    [  299.282510] 	kfree+0x296/0x310
    [  299.282536] 	scsi_host_dev_release+0x18a/0x1d0
    [  299.282574] 	device_release+0x74/0x100
    [  299.282606] 	kobject_release+0xc7/0x2a0
    [  299.282637] 	kobject_put+0x54/0xa0
    [  299.282668] 	put_device+0x27/0x40
    [  299.282694] 	scsi_host_put+0x1d/0x30
    [  299.282723] 	do_scan_async+0x1fc/0x2b0
    [  299.282753] 	kthread+0xdf/0xf0
    [  299.282782] 	kernel_thread_helper+0x4/0x10
    [  299.282817] INFO: Slab 0xffffea00015b0c00 objects=7 used=7 fp=0x
          (null) flags=0x100000000004080
    [  299.282882] INFO: Object 0xffff880056c30000 @offset=0 fp=0x          (null)
    [  299.282884]
    ...
    Signed-off-by: NHuajun Li <huajun.li.lee@gmail.com>
    Cc: stable@kernel.org
    Acked-by: NAlan Stern <stern@rowland.harvard.edu>
    Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
    267a6ad4
scsi_scan.c 54.3 KB