scsi_dh: fix use-after-free when removing scsi device

The commit 1bab0de027 ("dm-mpath, scsi_dh: don't let dm detach device
handlers") removed reference counting of attached scsi device handler.
As a result, handler data is freed immediately via scsi_dh->detach()
in the context of scsi_remove_device() where activation request can be
still in flight.

This patch moves scsi_dh_handler_detach() to sdev releasing function,
scsi_device_dev_release_usercontext(), at that point the device
is already in quiesced state.

Fixes: 1bab0de027 ("dm-mpath, scsi_dh: don't let dm detach device handlers")
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: James Bottomley <JBottomley@Odin.com>

drivers/scsi/scsi_dh.c

@@ -232,10 +232,14 @@ int scsi_dh_add_device(struct scsi_device *sdev)
 	return err;
 }
 
-void scsi_dh_remove_device(struct scsi_device *sdev)
+void scsi_dh_release_device(struct scsi_device *sdev)
 {
 	if (sdev->handler)
 		scsi_dh_handler_detach(sdev);
+}
+
+void scsi_dh_remove_device(struct scsi_device *sdev)
+{
 	device_remove_file(&sdev->sdev_gendev, &scsi_dh_state_attr);
 }