[SCSI] target: Fix bug with task_sg chained transport_free_dev_tasks release

This patch addresses a bug in the target core release path for HW operation where transport_free_dev_tasks() was incorrectly being called from transport_lun_remove_cmd() while releasing a se_cmd reference and calling struct target_core_fabric_ops->queue_data_in(). This would result in a OOPs with HW target mode when the release of se_task->task_sg[] would happen before pci_unmap_sg() can be called in HW target mode fabric module code. This patch addresses the issue by moving transport_free_dev_tasks() from transport_lun_remove_cmd() into transport_generic_free_cmd(), and adding TRANSPORT_FREE_CMD_INTR and transport_generic_free_cmd_intr() to allow se_cmd descriptor release to happen fromfrom within transport_processing_thread() process context when release of se_cmd is not possible from HW interrupt context. Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Cc: stable@kernel.org Signed-off-by: James Bottomley <jbottomley@parallels.com>
author: Nicholas Bellinger <nab@linux-iscsi.org> 2011-05-19 23:19:11 -0400
committer: James Bottomley <jbottomley@parallels.com> 2011-05-24 13:00:10 -0400
commit: f436677262a5b524ac87675014c6d4e8ee153029 (patch)
tree: c3ab2fb111163ac52eb4999b83d3063ca4fca718 /drivers/target
parent: 53ab6709b4d35b1924240854d794482fd7d33d4a (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 833060e0de5e..7c87b042375a 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -762,7 +762,6 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd)
        transport_all_task_dev_remove_state(cmd);
        spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
-        transport_free_dev_tasks(cmd);
 check_lun:
        spin_lock_irqsave(&lun->lun_cmd_lock, flags);
@@ -2058,6 +2057,13 @@ int transport_generic_handle_tmr(
 }
 EXPORT_SYMBOL(transport_generic_handle_tmr);
+void transport_generic_free_cmd_intr(
+        struct se_cmd *cmd)
+{
+        transport_add_cmd_to_queue(cmd, TRANSPORT_FREE_CMD_INTR);
+}
+EXPORT_SYMBOL(transport_generic_free_cmd_intr);
 static int transport_stop_tasks_for_cmd(struct se_cmd *cmd)
 {
        struct se_task *task, *task_tmp;
@@ -5301,6 +5307,8 @@ void transport_generic_free_cmd(
                if (wait_for_tasks && cmd->transport_wait_for_tasks)
                        cmd->transport_wait_for_tasks(cmd, 0, 0);
+                transport_free_dev_tasks(cmd);
                transport_generic_remove(cmd, release_to_pool,
                                session_reinstatement);
        }
@@ -6136,6 +6144,9 @@ get_cmd:
                case TRANSPORT_REMOVE:
                        transport_generic_remove(cmd, 1, 0);
                        break;
+                case TRANSPORT_FREE_CMD_INTR:
+                        transport_generic_free_cmd(cmd, 0, 1, 0);
+                        break;
                case TRANSPORT_PROCESS_TMR:
                        transport_generic_do_tmr(cmd);
                        break;
author	Nicholas Bellinger <nab@linux-iscsi.org>	2011-05-19 23:19:11 -0400
committer	James Bottomley <jbottomley@parallels.com>	2011-05-24 13:00:10 -0400
commit	f436677262a5b524ac87675014c6d4e8ee153029 (patch)
tree	c3ab2fb111163ac52eb4999b83d3063ca4fca718 /drivers/target
parent	53ab6709b4d35b1924240854d794482fd7d33d4a (diff)