diff options
| author | Dan Williams <dan.j.williams@intel.com> | 2012-06-22 02:47:28 -0400 |
|---|---|---|
| committer | James Bottomley <JBottomley@Parallels.com> | 2012-07-20 03:58:45 -0400 |
| commit | 3b661a92e869ebe2358de8f4b3230ad84f7fce51 (patch) | |
| tree | aec30c8a07dacb470e0ca90082d34651b5ba4c1c /drivers/scsi | |
| parent | b5f1758f221e446c5a2956cf7ffdf62b005f6458 (diff) | |
[SCSI] fix hot unplug vs async scan race
The following crash results from cases where the end_device has been
removed before scsi_sysfs_add_sdev has had a chance to run.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
IP: [<ffffffff8115e100>] sysfs_create_dir+0x32/0xb6
...
Call Trace:
[<ffffffff8125e4a8>] kobject_add_internal+0x120/0x1e3
[<ffffffff81075149>] ? trace_hardirqs_on+0xd/0xf
[<ffffffff8125e641>] kobject_add_varg+0x41/0x50
[<ffffffff8125e70b>] kobject_add+0x64/0x66
[<ffffffff8131122b>] device_add+0x12d/0x63a
[<ffffffff814b65ea>] ? _raw_spin_unlock_irqrestore+0x47/0x56
[<ffffffff8107de15>] ? module_refcount+0x89/0xa0
[<ffffffff8132f348>] scsi_sysfs_add_sdev+0x4e/0x28a
[<ffffffff8132dcbb>] do_scan_async+0x9c/0x145
...teach scsi_sysfs_add_devices() to check for deleted devices() before
trying to add them, and teach scsi_remove_target() how to remove targets
that have not been added via device_add().
Cc: <stable@vger.kernel.org>
Reported-by: Dariusz Majchrzak <dariusz.majchrzak@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers/scsi')
| -rw-r--r-- | drivers/scsi/scsi_scan.c | 3 | ||||
| -rw-r--r-- | drivers/scsi/scsi_sysfs.c | 41 |
2 files changed, 29 insertions, 15 deletions
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c index 2e5fe584aad3..f55e5f166973 100644 --- a/drivers/scsi/scsi_scan.c +++ b/drivers/scsi/scsi_scan.c | |||
| @@ -1717,6 +1717,9 @@ static void scsi_sysfs_add_devices(struct Scsi_Host *shost) | |||
| 1717 | { | 1717 | { |
| 1718 | struct scsi_device *sdev; | 1718 | struct scsi_device *sdev; |
| 1719 | shost_for_each_device(sdev, shost) { | 1719 | shost_for_each_device(sdev, shost) { |
| 1720 | /* target removed before the device could be added */ | ||
| 1721 | if (sdev->sdev_state == SDEV_DEL) | ||
| 1722 | continue; | ||
| 1720 | if (!scsi_host_scan_allowed(shost) || | 1723 | if (!scsi_host_scan_allowed(shost) || |
| 1721 | scsi_sysfs_add_sdev(sdev) != 0) | 1724 | scsi_sysfs_add_sdev(sdev) != 0) |
| 1722 | __scsi_remove_device(sdev); | 1725 | __scsi_remove_device(sdev); |
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index d19d7e99626d..093d4f6a54d2 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c | |||
| @@ -1005,7 +1005,6 @@ static void __scsi_remove_target(struct scsi_target *starget) | |||
| 1005 | struct scsi_device *sdev; | 1005 | struct scsi_device *sdev; |
| 1006 | 1006 | ||
| 1007 | spin_lock_irqsave(shost->host_lock, flags); | 1007 | spin_lock_irqsave(shost->host_lock, flags); |
| 1008 | starget->reap_ref++; | ||
| 1009 | restart: | 1008 | restart: |
| 1010 | list_for_each_entry(sdev, &shost->__devices, siblings) { | 1009 | list_for_each_entry(sdev, &shost->__devices, siblings) { |
| 1011 | if (sdev->channel != starget->channel || | 1010 | if (sdev->channel != starget->channel || |
| @@ -1019,14 +1018,6 @@ static void __scsi_remove_target(struct scsi_target *starget) | |||
| 1019 | goto restart; | 1018 | goto restart; |
| 1020 | } | 1019 | } |
| 1021 | spin_unlock_irqrestore(shost->host_lock, flags); | 1020 | spin_unlock_irqrestore(shost->host_lock, flags); |
| 1022 | scsi_target_reap(starget); | ||
| 1023 | } | ||
| 1024 | |||
| 1025 | static int __remove_child (struct device * dev, void * data) | ||
| 1026 | { | ||
| 1027 | if (scsi_is_target_device(dev)) | ||
| 1028 | __scsi_remove_target(to_scsi_target(dev)); | ||
| 1029 | return 0; | ||
| 1030 | } | 1021 | } |
| 1031 | 1022 | ||
| 1032 | /** | 1023 | /** |
| @@ -1039,14 +1030,34 @@ static int __remove_child (struct device * dev, void * data) | |||
| 1039 | */ | 1030 | */ |
| 1040 | void scsi_remove_target(struct device *dev) | 1031 | void scsi_remove_target(struct device *dev) |
| 1041 | { | 1032 | { |
| 1042 | if (scsi_is_target_device(dev)) { | 1033 | struct Scsi_Host *shost = dev_to_shost(dev->parent); |
| 1043 | __scsi_remove_target(to_scsi_target(dev)); | 1034 | struct scsi_target *starget, *found; |
| 1044 | return; | 1035 | unsigned long flags; |
| 1036 | |||
| 1037 | restart: | ||
| 1038 | found = NULL; | ||
| 1039 | spin_lock_irqsave(shost->host_lock, flags); | ||
| 1040 | list_for_each_entry(starget, &shost->__targets, siblings) { | ||
| 1041 | if (starget->state == STARGET_DEL) | ||
| 1042 | continue; | ||
| 1043 | if (starget->dev.parent == dev || &starget->dev == dev) { | ||
| 1044 | found = starget; | ||
| 1045 | found->reap_ref++; | ||
| 1046 | break; | ||
| 1047 | } | ||
| 1045 | } | 1048 | } |
| 1049 | spin_unlock_irqrestore(shost->host_lock, flags); | ||
| 1046 | 1050 | ||
| 1047 | get_device(dev); | 1051 | if (found) { |
| 1048 | device_for_each_child(dev, NULL, __remove_child); | 1052 | __scsi_remove_target(found); |
| 1049 | put_device(dev); | 1053 | scsi_target_reap(found); |
| 1054 | /* in the case where @dev has multiple starget children, | ||
| 1055 | * continue removing. | ||
| 1056 | * | ||
| 1057 | * FIXME: does such a case exist? | ||
| 1058 | */ | ||
| 1059 | goto restart; | ||
| 1060 | } | ||
| 1050 | } | 1061 | } |
| 1051 | EXPORT_SYMBOL(scsi_remove_target); | 1062 | EXPORT_SYMBOL(scsi_remove_target); |
| 1052 | 1063 | ||