533299 – scsi device add/remove panic at sysfs_hash_and_remove

Bug 533299 - scsi device add/remove panic at sysfs_hash_and_remove

Summary: scsi device add/remove panic at sysfs_hash_and_remove

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.8
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	4.9
Assignee:	Josef Bacik
QA Contact:	Gris Ge
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-11-05 23:39 UTC by Mark Goodwin
Modified:	2018-11-14 20:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-02-16 15:50:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
reproducer script (276 bytes, application/x-sh) 2009-11-05 23:50 UTC, Mark Goodwin	no flags	Details
fix BZ533299 crash in sysfs_hash_and_remove when scsi device is removed (2.23 KB, patch) 2009-11-06 00:23 UTC, Mark Goodwin	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0263	0	normal	SHIPPED_LIVE	Important: Red Hat Enterprise Linux 4.9 kernel security and bug fix update	2011-02-16 15:14:55 UTC

Description Mark Goodwin 2009-11-05 23:39:27 UTC

Description of problem:
scsi hotplug add/remove panics in sysfs_hash_and_remove() due to a NULL
dentry pointer dereference when tearing down the sysfs entry for the sg
device node. We have a reliable reproducer script and a verified patch
from upstream, both (will be) attached to this BZ.

Version-Release number of selected component (if applicable):
All RHEL4 kernels. RHEL5 is not affected.

How reproducible:
The attached reproducer script can reliably reproduce this in seconds.

Steps to Reproduce:
1. boot up any RHEL4 kernel on a system with at least one unused
   scsi device. Note: cannot use qemu virtual scsi drives due to
   a different bug, but a scsi_debug device is OK and so is a real
   scsi device.
2. run the reproducer script.
3. splat
  
Actual results:
RIP: 0010:[<ffffffff801b5203>]
<ffffffff801b5203>{sysfs_hash_and_remove+14}
...
Call Trace:<ffffffff8024e2ba>{class_device_del+156}
<ffffffff8024e33e>{class_device_unregister+9}
<ffffffffa0009f3e>{:scsi_mod:scsi_remove_device+78}
<ffffffffa0009fd3>{:scsi_mod:sdev_store_delete+16}
<ffffffff8024c6a7>{dev_attr_store+29}
<ffffffff801b554f>{sysfs_write_file+194}
<ffffffff8017af0e>{vfs_write+207}
<ffffffff8017aff6>{sys_write+69}
<ffffffff8011026a>{system_call+126}

Expected results:
reproducer.sh runs forever

Comment 1 Mark Goodwin 2009-11-05 23:50:13 UTC

Created attachment 367759 [details]
reproducer script

Comment 2 Mark Goodwin 2009-11-06 00:23:48 UTC

Created attachment 367763 [details]
fix BZ533299 crash in sysfs_hash_and_remove when scsi device is removed

Patch based on three upstream commits, back-ported to RHEL4 :
32aeef605aa01e1fee45e052eceffb00e72ba2b0
b365b3daf2a9e2a8b002ea9fef877af1c71513fd
9d9307dabb3de8140fb3801bf6eb01f231dbd83d

Comment 3 RHEL Program Management 2010-11-09 20:39:33 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 Vivek Goyal 2010-11-15 14:09:31 UTC

Committed in 91.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 8 Gris Ge 2011-01-13 02:44:23 UTC

Reproduced this issue on kernel-2.6.9-89.EL and got the same error with the reproduce script.

New kernel-2.6.9-95.EL have fixed this bug.

Change bug into verify status

Comment 9 errata-xmlrpc 2011-02-16 15:50:34 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0263.html

Note You need to log in before you can comment on or make changes to this bug.