Commit f60c4d00 authored by Dan Williams's avatar Dan Williams Committed by Ben Hutchings

fix hot unplug vs async scan race

commit 3b661a92 upstream.

The following crash results from cases where the end_device has been
removed before scsi_sysfs_add_sdev has had a chance to run.

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
 IP: [<ffffffff8115e100>] sysfs_create_dir+0x32/0xb6
 ...
 Call Trace:
  [<ffffffff8125e4a8>] kobject_add_internal+0x120/0x1e3
  [<ffffffff81075149>] ? trace_hardirqs_on+0xd/0xf
  [<ffffffff8125e641>] kobject_add_varg+0x41/0x50
  [<ffffffff8125e70b>] kobject_add+0x64/0x66
  [<ffffffff8131122b>] device_add+0x12d/0x63a
  [<ffffffff814b65ea>] ? _raw_spin_unlock_irqrestore+0x47/0x56
  [<ffffffff8107de15>] ? module_refcount+0x89/0xa0
  [<ffffffff8132f348>] scsi_sysfs_add_sdev+0x4e/0x28a
  [<ffffffff8132dcbb>] do_scan_async+0x9c/0x145

...teach scsi_sysfs_add_devices() to check for deleted devices() before
trying to add them, and teach scsi_remove_target() how to remove targets
that have not been added via device_add().
Reported-by: default avatarDariusz Majchrzak <dariusz.majchrzak@intel.com>
Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 09411e42
......@@ -1710,6 +1710,9 @@ static void scsi_sysfs_add_devices(struct Scsi_Host *shost)
{
struct scsi_device *sdev;
shost_for_each_device(sdev, shost) {
/* target removed before the device could be added */
if (sdev->sdev_state == SDEV_DEL)
continue;
if (!scsi_host_scan_allowed(shost) ||
scsi_sysfs_add_sdev(sdev) != 0)
__scsi_remove_device(sdev);
......
......@@ -997,7 +997,6 @@ static void __scsi_remove_target(struct scsi_target *starget)
struct scsi_device *sdev;
spin_lock_irqsave(shost->host_lock, flags);
starget->reap_ref++;
restart:
list_for_each_entry(sdev, &shost->__devices, siblings) {
if (sdev->channel != starget->channel ||
......@@ -1011,14 +1010,6 @@ static void __scsi_remove_target(struct scsi_target *starget)
goto restart;
}
spin_unlock_irqrestore(shost->host_lock, flags);
scsi_target_reap(starget);
}
static int __remove_child (struct device * dev, void * data)
{
if (scsi_is_target_device(dev))
__scsi_remove_target(to_scsi_target(dev));
return 0;
}
/**
......@@ -1031,14 +1022,34 @@ static int __remove_child (struct device * dev, void * data)
*/
void scsi_remove_target(struct device *dev)
{
if (scsi_is_target_device(dev)) {
__scsi_remove_target(to_scsi_target(dev));
return;
struct Scsi_Host *shost = dev_to_shost(dev->parent);
struct scsi_target *starget, *found;
unsigned long flags;
restart:
found = NULL;
spin_lock_irqsave(shost->host_lock, flags);
list_for_each_entry(starget, &shost->__targets, siblings) {
if (starget->state == STARGET_DEL)
continue;
if (starget->dev.parent == dev || &starget->dev == dev) {
found = starget;
found->reap_ref++;
break;
}
}
spin_unlock_irqrestore(shost->host_lock, flags);
get_device(dev);
device_for_each_child(dev, NULL, __remove_child);
put_device(dev);
if (found) {
__scsi_remove_target(found);
scsi_target_reap(found);
/* in the case where @dev has multiple starget children,
* continue removing.
*
* FIXME: does such a case exist?
*/
goto restart;
}
}
EXPORT_SYMBOL(scsi_remove_target);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment