SCSI: fix hot unplug vs async scan race
authorDan Williams <dan.j.williams@intel.com>
Fri, 22 Jun 2012 06:47:28 +0000 (23:47 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 9 Aug 2012 15:27:34 +0000 (08:27 -0700)
commit 3b661a92e869ebe2358de8f4b3230ad84f7fce51 upstream.

The following crash results from cases where the end_device has been
removed before scsi_sysfs_add_sdev has had a chance to run.

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
 IP: [<ffffffff8115e100>] sysfs_create_dir+0x32/0xb6
 ...
 Call Trace:
  [<ffffffff8125e4a8>] kobject_add_internal+0x120/0x1e3
  [<ffffffff81075149>] ? trace_hardirqs_on+0xd/0xf
  [<ffffffff8125e641>] kobject_add_varg+0x41/0x50
  [<ffffffff8125e70b>] kobject_add+0x64/0x66
  [<ffffffff8131122b>] device_add+0x12d/0x63a
  [<ffffffff814b65ea>] ? _raw_spin_unlock_irqrestore+0x47/0x56
  [<ffffffff8107de15>] ? module_refcount+0x89/0xa0
  [<ffffffff8132f348>] scsi_sysfs_add_sdev+0x4e/0x28a
  [<ffffffff8132dcbb>] do_scan_async+0x9c/0x145

...teach scsi_sysfs_add_devices() to check for deleted devices() before
trying to add them, and teach scsi_remove_target() how to remove targets
that have not been added via device_add().

Reported-by: Dariusz Majchrzak <dariusz.majchrzak@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/scsi/scsi_scan.c
drivers/scsi/scsi_sysfs.c

index 6e7ea4a2b7a1515c1a2f6efe9386836cf18659a9..a48b59c0354a275ef4946f91f0d1b19322cebfc5 100644 (file)
@@ -1710,6 +1710,9 @@ static void scsi_sysfs_add_devices(struct Scsi_Host *shost)
 {
        struct scsi_device *sdev;
        shost_for_each_device(sdev, shost) {
+               /* target removed before the device could be added */
+               if (sdev->sdev_state == SDEV_DEL)
+                       continue;
                if (!scsi_host_scan_allowed(shost) ||
                    scsi_sysfs_add_sdev(sdev) != 0)
                        __scsi_remove_device(sdev);
index e0bd3f790fca1bf50e4e66e3b2f30f9a130547f3..de21547e7c43f4f4382ae33c713faeefd9dc2f6e 100644 (file)
@@ -962,7 +962,6 @@ static void __scsi_remove_target(struct scsi_target *starget)
        struct scsi_device *sdev;
 
        spin_lock_irqsave(shost->host_lock, flags);
-       starget->reap_ref++;
  restart:
        list_for_each_entry(sdev, &shost->__devices, siblings) {
                if (sdev->channel != starget->channel ||
@@ -976,14 +975,6 @@ static void __scsi_remove_target(struct scsi_target *starget)
                goto restart;
        }
        spin_unlock_irqrestore(shost->host_lock, flags);
-       scsi_target_reap(starget);
-}
-
-static int __remove_child (struct device * dev, void * data)
-{
-       if (scsi_is_target_device(dev))
-               __scsi_remove_target(to_scsi_target(dev));
-       return 0;
 }
 
 /**
@@ -996,14 +987,34 @@ static int __remove_child (struct device * dev, void * data)
  */
 void scsi_remove_target(struct device *dev)
 {
-       if (scsi_is_target_device(dev)) {
-               __scsi_remove_target(to_scsi_target(dev));
-               return;
+       struct Scsi_Host *shost = dev_to_shost(dev->parent);
+       struct scsi_target *starget, *found;
+       unsigned long flags;
+
+ restart:
+       found = NULL;
+       spin_lock_irqsave(shost->host_lock, flags);
+       list_for_each_entry(starget, &shost->__targets, siblings) {
+               if (starget->state == STARGET_DEL)
+                       continue;
+               if (starget->dev.parent == dev || &starget->dev == dev) {
+                       found = starget;
+                       found->reap_ref++;
+                       break;
+               }
        }
+       spin_unlock_irqrestore(shost->host_lock, flags);
 
-       get_device(dev);
-       device_for_each_child(dev, NULL, __remove_child);
-       put_device(dev);
+       if (found) {
+               __scsi_remove_target(found);
+               scsi_target_reap(found);
+               /* in the case where @dev has multiple starget children,
+                * continue removing.
+                *
+                * FIXME: does such a case exist?
+                */
+               goto restart;
+       }
 }
 EXPORT_SYMBOL(scsi_remove_target);