From patchwork Tue May  9 09:08:14 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dashi DS1 Cao <caods1@lenovo.com>
X-Patchwork-Id: 9717371
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	7651560365 for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue,  9 May 2017 09:10:55 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F52C26E96
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue,  9 May 2017 09:10:55 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 53F79283F2; Tue,  9 May 2017 09:10:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0A27026E96
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue,  9 May 2017 09:10:55 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752559AbdEIJKm convert rfc822-to-8bit (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Tue, 9 May 2017 05:10:42 -0400
Received: from mail1.bemta12.messagelabs.com ([216.82.251.10]:10962 "EHLO
	mail1.bemta12.messagelabs.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752478AbdEIJKk (ORCPT
	<rfc822; linux-scsi@vger.kernel.org>); Tue, 9 May 2017 05:10:40 -0400
Received: from [216.82.251.41] by server-10.bemta-12.messagelabs.com id
	7A/C1-01749-D8781195; Tue, 09 May 2017 09:10:37 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrKIsWRWlGSWpSXmKPExsWSLvdKR7e3XTD
	SYO5jaYvLu+awWXRf38HmwOTxeZNcAGMUa2ZeUn5FAmvG/h83mQses1b8/vKLuYHxMEsXIyeH
	kMATRokPjx0h7LmMErveq3QxcnCwCahL/D7BBxIWEbCV+HN8MTOIzSzgKHF771smEFtYwF7ix
	b7LLBA1LhIrNl9iB2kVEdCTWPMxDcRkEVCReH7UH6SCV8BHYseta6wgNqOArMS0R/eZICaKS8
	ydNgssLiEgILFkz3lmCFtU4uXjf6wgYyQE5CW2zBKEKNeRWLD7ExuErS2xbOFrZojxghInZz5
	hmcAoNAvJ1FlIWmYhaZmFpGUBI8sqRo3i1KKy1CJdIzO9pKLM9IyS3MTMHF1DQyO93NTi4sT0
	1JzEpGK95PzcTYzAIK9nYGDcwbiq0esQoyQHk5Ior0+xQKQQX1J+SmVGYnFGfFFpTmrxIUYZD
	g4lCd7KNsFIIcGi1PTUirTMHGC8waQlOHiURHj/tgKleYsLEnOLM9MhUqcYdTnm3Pv6nkmIJS
	8/L1VKnNcJZIYASFFGaR7cCFjsX2KUlRLmZWRgYBDiKUgtys0sQZV/xSjOwagkzLsDZApPZl4
	J3KZXQEcwAR0RyCAAckRJIkJKqoGRa+mi+xO9fGYwWhmLB2/XlSg2VP2aEqz0LDn/v3DwoXlv
	tjcsODKN8VHRpGZ+u/zWzyE35nVFrNm7/tqTBHHN/xvKf4r2pd5MNFv//UZ4+wt+9WtnHA7MX
	RHPfWzR5dwgrWu71sx6suL8x53H7z+9NSk2L3rruQ0ejjbeVWGzysK9rkWvuV1hp8RSnJFoqM
	VcVJwIAGTtkDv4AgAA
X-Env-Sender: caods1@lenovo.com
X-Msg-Ref: server-3.tower-143.messagelabs.com!1494321033!45100370!1
X-Originating-IP: [103.30.234.44]
X-StarScan-Received: 
X-StarScan-Version: 9.4.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 13526 invoked from network); 9 May 2017 09:10:37 -0000
Received: from unknown (HELO mapsmtp02.lenovo.com) (103.30.234.44)
	by server-3.tower-143.messagelabs.com with DHE-RSA-AES256-GCM-SHA384
	encrypted SMTP; 9 May 2017 09:10:37 -0000
Received: from CNMAILEX01.lenovo.com (unknown [10.96.80.1]) by
	mapsmtp02.lenovo.com with smtp
	(TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA)
	id 7408_027d_8dbb3340_c393_4ff0_bb87_bc82cf49e986;
	Tue, 09 May 2017 17:10:32 +0800
Received: from CNMAILEX03.lenovo.com ([169.254.11.100]) by
	CNMAILEX01.lenovo.com ([10.96.80.1]) with mapi id 14.03.0248.002;
	Tue, 9 May 2017 17:08:16 +0800
From: Dashi DS1 Cao <caods1@lenovo.com>
To: "linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>
CC: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: A bug in scsi_alloc_target of drivers/scsi/scsi_scan.c
Thread-Topic: A bug in scsi_alloc_target of drivers/scsi/scsi_scan.c
Thread-Index: AdLIowZWTlLDuh+1Spuiqj3rmP2EmA==
Date: Tue, 9 May 2017 09:08:14 +0000
Message-ID: <23B7B563BA4E9446B962B142C86EF24A02D029C9@CNMAILEX03.lenovo.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.96.19.89]
MIME-Version: 1.0
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

When debugging a race condition in scsi_remove_target of 3.12, I ran into this possible bug within scsi_alloc_target.
When an existing "struct scsi_target" is found and used, the starget just got through kzmalloc should be freed, rather than dong a "put_device(dev)".
---

Dashi Cao

diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index 81d4151..96795d4 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -483,7 +483,7 @@ static struct scsi_target *scsi_alloc_target(struct device *parent,

        spin_unlock_irqrestore(shost->host_lock, flags);
        if (ref_got) {
-               put_device(dev);
+               kfree(starget);
                return found_target;
        }
        /*