[SCSI] fix race in scsi_target_reap

This patch (as1357) fixes a race in SCSI target allocation and
release.  Putting a target in the STARGET_DEL state isn't protected by
the host lock, so an old target structure could be reused by a new
device even though it's about to be deleted.  The cure is to change
the state while still holding the host lock.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>

1 files changed, 5 insertions, 4 deletions

diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index c992ecf4e372..a77468cd5a33 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -492,19 +492,20 @@ void scsi_target_reap(struct scsi_target *starget)
         struct Scsi_Host *shost = dev_to_shost(starget->dev.parent);
         unsigned long flags;
         enum scsi_target_state state;
-        int empty;
+        int empty = 0;
 
         spin_lock_irqsave(shost->host_lock, flags);
         state = starget->state;
-        empty = --starget->reap_ref == 0 &&
-                list_empty(&starget->devices) ? 1 : 0;
+        if (--starget->reap_ref == 0 && list_empty(&starget->devices)) {
+                empty = 1;
+                starget->state = STARGET_DEL;
+        }
         spin_unlock_irqrestore(shost->host_lock, flags);
 
         if (!empty)
                 return;
 
         BUG_ON(state == STARGET_DEL);
-        starget->state = STARGET_DEL;
         if (state == STARGET_CREATED)
                 scsi_target_destroy(starget);
         else