aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2010-03-18 15:39:30 -0400
committerJames Bottomley <James.Bottomley@suse.de>2010-05-25 12:00:56 -0400
commitf9e8894ae5157796dd69249c56062042d02a431d (patch)
treecfc0f34d22771525330b995a2f58655bdd5aaa04
parent8a52da632ceb9d8b776494563df579e87b7b586b (diff)
[SCSI] fix race in scsi_target_reap
This patch (as1357) fixes a race in SCSI target allocation and release. Putting a target in the STARGET_DEL state isn't protected by the host lock, so an old target structure could be reused by a new device even though it's about to be deleted. The cure is to change the state while still holding the host lock. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-rw-r--r--drivers/scsi/scsi_scan.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index c992ecf4e372..a77468cd5a33 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -492,19 +492,20 @@ void scsi_target_reap(struct scsi_target *starget)
492 struct Scsi_Host *shost = dev_to_shost(starget->dev.parent); 492 struct Scsi_Host *shost = dev_to_shost(starget->dev.parent);
493 unsigned long flags; 493 unsigned long flags;
494 enum scsi_target_state state; 494 enum scsi_target_state state;
495 int empty; 495 int empty = 0;
496 496
497 spin_lock_irqsave(shost->host_lock, flags); 497 spin_lock_irqsave(shost->host_lock, flags);
498 state = starget->state; 498 state = starget->state;
499 empty = --starget->reap_ref == 0 && 499 if (--starget->reap_ref == 0 && list_empty(&starget->devices)) {
500 list_empty(&starget->devices) ? 1 : 0; 500 empty = 1;
501 starget->state = STARGET_DEL;
502 }
501 spin_unlock_irqrestore(shost->host_lock, flags); 503 spin_unlock_irqrestore(shost->host_lock, flags);
502 504
503 if (!empty) 505 if (!empty)
504 return; 506 return;
505 507
506 BUG_ON(state == STARGET_DEL); 508 BUG_ON(state == STARGET_DEL);
507 starget->state = STARGET_DEL;
508 if (state == STARGET_CREATED) 509 if (state == STARGET_CREATED)
509 scsi_target_destroy(starget); 510 scsi_target_destroy(starget);
510 else 511 else