aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorMoger, Babu <Babu.Moger@netapp.com>2012-02-02 10:21:54 -0500
committerJames Bottomley <JBottomley@Parallels.com>2012-02-22 13:15:19 -0500
commit3569e5374df66a42ab66368b8bbb075e81d4e85c (patch)
treedadcf03a1949b5918c286ba6d43da1ef9ece68a1 /drivers
parentfea6d607e154cf96ab22254ccb48addfd43d4cb5 (diff)
[SCSI] scsi_dh_rdac: Fix for unbalanced reference count
This patch fixes an unbalanced refcount issue. Elevating the lock for both kref_put and also for controller node deletion. Previously, controller deletion was protected but the not the kref_put. This was causing the other thread to pick up the controller structure which was already kref'd zero. This was causing the following WARN_ON and also sometimes panic. WARNING: at lib/kref.c:43 kref_get+0x2d/0x30() (Not tainted) Hardware name: IBM System x3655 -[7985AC1]- Modules linked in: fuse scsi_dh_rdac autofs4 nfs lockd fscache nfs_acl auth_rpcgss sunrpc 8021q garp stp llc ipv6 ib_srp(U) scsi_transport_srp scsi_tgt ib_cm(U) ib_sa(U) ib_uverbs(U) ib_umad(U) mlx4_ib(U) mlx4_core(U) ib_mthca(U) ib_mad(U) ib_core(U) dm_mirror dm_region_hash dm_log dm_round_robin dm_multipath uinput bnx2 ses enclosure sg ibmpex ibmaem ipmi_msghandler serio_raw k8temp hwmon amd64_edac_mod edac_core edac_mce_amd shpchp i2c_piix4 ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif sata_svw pata_acpi ata_generic pata_serverworks aacraid radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core dm_mod [last unloaded: freq_table] Pid: 13735, comm: srp_daemon Not tainted 2.6.32-71.el6.x86_64 #1 Call Trace: [<ffffffff8106b857>] warn_slowpath_common+0x87/0xc0 [<ffffffff8106b8aa>] warn_slowpath_null+0x1a/0x20 [<ffffffff8125c39d>] kref_get+0x2d/0x30 [<ffffffffa01b4029>] rdac_bus_attach+0x459/0x580 [scsi_dh_rdac] [<ffffffff8135232a>] scsi_dh_handler_attach+0x2a/0x80 [<ffffffff81352c7b>] scsi_dh_notifier+0x9b/0xa0 [<ffffffff814cd7a5>] notifier_call_chain+0x55/0x80 [<ffffffff8109711a>] __blocking_notifier_call_chain+0x5a/0x80 [<ffffffff81097156>] blocking_notifier_call_chain+0x16/0x20 [<ffffffff8132bec5>] device_add+0x515/0x640 [<ffffffff813329e4>] ? attribute_container_device_trigger+0xc4/0xe0 [<ffffffff8134f659>] scsi_sysfs_add_sdev+0x89/0x2c0 [<ffffffff8134d096>] scsi_probe_and_add_lun+0xea6/0xed0 [<ffffffff8134beb2>] ? scsi_alloc_target+0x292/0x2d0 [<ffffffff8134d1e1>] __scsi_scan_target+0x121/0x750 [<ffffffff811df806>] ? sysfs_create_file+0x26/0x30 [<ffffffff8132b759>] ? device_create_file+0x19/0x20 [<ffffffff81332838>] ? attribute_container_add_attrs+0x78/0x90 [<ffffffff814b008c>] ? klist_next+0x4c/0xf0 [<ffffffff81332e30>] ? transport_configure+0x0/0x20 [<ffffffff813329e4>] ? attribute_container_device_trigger+0xc4/0xe0 [<ffffffff8134df40>] scsi_scan_target+0xd0/0xe0 [<ffffffffa02f053a>] srp_create_target+0x75a/0x890 [ib_srp] [<ffffffff8132a130>] dev_attr_store+0x20/0x30 [<ffffffff811df145>] sysfs_write_file+0xe5/0x170 [<ffffffff8116c818>] vfs_write+0xb8/0x1a0 [<ffffffff810d40a2>] ? audit_syscall_entry+0x272/0x2a0 [<ffffffff8116d251>] sys_write+0x51/0x90 [<ffffffff81013172>] system_call_fastpath+0x16/0x1b Signed-off-by: Babu Moger <babu.moger@netapp.com> Acked-by: Mike Snitzer <snitzer@redhat.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/scsi/device_handler/scsi_dh_rdac.c25
1 files changed, 14 insertions, 11 deletions
diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c
index 53a31c753cb1..20c4557f5abd 100644
--- a/drivers/scsi/device_handler/scsi_dh_rdac.c
+++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
@@ -364,10 +364,7 @@ static void release_controller(struct kref *kref)
364 struct rdac_controller *ctlr; 364 struct rdac_controller *ctlr;
365 ctlr = container_of(kref, struct rdac_controller, kref); 365 ctlr = container_of(kref, struct rdac_controller, kref);
366 366
367 flush_workqueue(kmpath_rdacd);
368 spin_lock(&list_lock);
369 list_del(&ctlr->node); 367 list_del(&ctlr->node);
370 spin_unlock(&list_lock);
371 kfree(ctlr); 368 kfree(ctlr);
372} 369}
373 370
@@ -376,20 +373,17 @@ static struct rdac_controller *get_controller(int index, char *array_name,
376{ 373{
377 struct rdac_controller *ctlr, *tmp; 374 struct rdac_controller *ctlr, *tmp;
378 375
379 spin_lock(&list_lock);
380
381 list_for_each_entry(tmp, &ctlr_list, node) { 376 list_for_each_entry(tmp, &ctlr_list, node) {
382 if ((memcmp(tmp->array_id, array_id, UNIQUE_ID_LEN) == 0) && 377 if ((memcmp(tmp->array_id, array_id, UNIQUE_ID_LEN) == 0) &&
383 (tmp->index == index) && 378 (tmp->index == index) &&
384 (tmp->host == sdev->host)) { 379 (tmp->host == sdev->host)) {
385 kref_get(&tmp->kref); 380 kref_get(&tmp->kref);
386 spin_unlock(&list_lock);
387 return tmp; 381 return tmp;
388 } 382 }
389 } 383 }
390 ctlr = kmalloc(sizeof(*ctlr), GFP_ATOMIC); 384 ctlr = kmalloc(sizeof(*ctlr), GFP_ATOMIC);
391 if (!ctlr) 385 if (!ctlr)
392 goto done; 386 return NULL;
393 387
394 /* initialize fields of controller */ 388 /* initialize fields of controller */
395 memcpy(ctlr->array_id, array_id, UNIQUE_ID_LEN); 389 memcpy(ctlr->array_id, array_id, UNIQUE_ID_LEN);
@@ -405,8 +399,7 @@ static struct rdac_controller *get_controller(int index, char *array_name,
405 INIT_WORK(&ctlr->ms_work, send_mode_select); 399 INIT_WORK(&ctlr->ms_work, send_mode_select);
406 INIT_LIST_HEAD(&ctlr->ms_head); 400 INIT_LIST_HEAD(&ctlr->ms_head);
407 list_add(&ctlr->node, &ctlr_list); 401 list_add(&ctlr->node, &ctlr_list);
408done: 402
409 spin_unlock(&list_lock);
410 return ctlr; 403 return ctlr;
411} 404}
412 405
@@ -517,9 +510,12 @@ static int initialize_controller(struct scsi_device *sdev,
517 index = 0; 510 index = 0;
518 else 511 else
519 index = 1; 512 index = 1;
513
514 spin_lock(&list_lock);
520 h->ctlr = get_controller(index, array_name, array_id, sdev); 515 h->ctlr = get_controller(index, array_name, array_id, sdev);
521 if (!h->ctlr) 516 if (!h->ctlr)
522 err = SCSI_DH_RES_TEMP_UNAVAIL; 517 err = SCSI_DH_RES_TEMP_UNAVAIL;
518 spin_unlock(&list_lock);
523 } 519 }
524 return err; 520 return err;
525} 521}
@@ -906,7 +902,9 @@ static int rdac_bus_attach(struct scsi_device *sdev)
906 return 0; 902 return 0;
907 903
908clean_ctlr: 904clean_ctlr:
905 spin_lock(&list_lock);
909 kref_put(&h->ctlr->kref, release_controller); 906 kref_put(&h->ctlr->kref, release_controller);
907 spin_unlock(&list_lock);
910 908
911failed: 909failed:
912 kfree(scsi_dh_data); 910 kfree(scsi_dh_data);
@@ -921,14 +919,19 @@ static void rdac_bus_detach( struct scsi_device *sdev )
921 struct rdac_dh_data *h; 919 struct rdac_dh_data *h;
922 unsigned long flags; 920 unsigned long flags;
923 921
924 spin_lock_irqsave(sdev->request_queue->queue_lock, flags);
925 scsi_dh_data = sdev->scsi_dh_data; 922 scsi_dh_data = sdev->scsi_dh_data;
923 h = (struct rdac_dh_data *) scsi_dh_data->buf;
924 if (h->ctlr && h->ctlr->ms_queued)
925 flush_workqueue(kmpath_rdacd);
926
927 spin_lock_irqsave(sdev->request_queue->queue_lock, flags);
926 sdev->scsi_dh_data = NULL; 928 sdev->scsi_dh_data = NULL;
927 spin_unlock_irqrestore(sdev->request_queue->queue_lock, flags); 929 spin_unlock_irqrestore(sdev->request_queue->queue_lock, flags);
928 930
929 h = (struct rdac_dh_data *) scsi_dh_data->buf; 931 spin_lock(&list_lock);
930 if (h->ctlr) 932 if (h->ctlr)
931 kref_put(&h->ctlr->kref, release_controller); 933 kref_put(&h->ctlr->kref, release_controller);
934 spin_unlock(&list_lock);
932 kfree(scsi_dh_data); 935 kfree(scsi_dh_data);
933 module_put(THIS_MODULE); 936 module_put(THIS_MODULE);
934 sdev_printk(KERN_NOTICE, sdev, "%s: Detached\n", RDAC_NAME); 937 sdev_printk(KERN_NOTICE, sdev, "%s: Detached\n", RDAC_NAME);
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-07 01:28:26 -0500