diff options
| author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2011-07-07 15:45:40 -0500 |
|---|---|---|
| committer | Jonas ABERG <jonas.aberg@stericsson.com> | 2011-10-28 11:09:33 +0200 |
| commit | dbf536d8c83a569b8d0587d27707f8800a75da22 (patch) | |
| tree | 7efb584b7b00d072a832a6114364e73c407914fa | |
| parent | 7cdff239f9a622c105896406f9a43565f3eada2d (diff) | |
fix crash in scsi_dispatch_cmd()
commit bfe159a51203c15d23cb3158fffdc25ec4b4dda1 upstream.
USB surprise removal of sr is triggering an oops in
scsi_dispatch_command(). What seems to be happening is that USB is
hanging on to a queue reference until the last close of the upper
device, so the crash is caused by surprise remove of a mounted CD
followed by attempted unmount.
The problem is that USB doesn't issue its final commands as part of
the SCSI teardown path, but on last close when the block queue is long
gone. The long term fix is probably to make sr do the teardown in the
same way as sd (so remove all the lower bits on ejection, but keep the
upper disk alive until last close of user space). However, the
current oops can be simply fixed by not allowing any commands to be
sent to a dead queue.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Change-Id: I5106bb4ec29746f65016511878286b5dc2c61324
Reviewed-on: http://gerrit.lud.stericsson.com/gerrit/35622
Tested-by: Per VAHLNE <per.xx.vahlne@stericsson.com>
Reviewed-by: Jonas ABERG <jonas.aberg@stericsson.com>
| -rw-r--r-- | block/blk-core.c | 3 | ||||
| -rw-r--r-- | block/blk-exec.c | 7 | ||||
| -rw-r--r-- | drivers/scsi/scsi_lib.c | 2 |
3 files changed, 12 insertions, 0 deletions
diff --git a/block/blk-core.c b/block/blk-core.c index d2f8f4049ab..1d49e1c7c90 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -839,6 +839,9 @@ struct request *blk_get_request(struct request_queue *q, int rw, gfp_t gfp_mask) { struct request *rq; + if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) + return NULL; + BUG_ON(rw != READ && rw != WRITE); spin_lock_irq(q->queue_lock); diff --git a/block/blk-exec.c b/block/blk-exec.c index 8a0e7ec056e..a1ebceb332f 100644 --- a/block/blk-exec.c +++ b/block/blk-exec.c @@ -50,6 +50,13 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk, { int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK; + if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) { + rq->errors = -ENXIO; + if (rq->end_io) + rq->end_io(rq, rq->errors); + return; + } + rq->rq_disk = bd_disk; rq->end_io = done; WARN_ON(irqs_disabled()); diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index ec1803a4872..28d9c9d6b4b 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -213,6 +213,8 @@ int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, int ret = DRIVER_ERROR << 24; req = blk_get_request(sdev->request_queue, write, __GFP_WAIT); + if (!req) + return ret; if (bufflen && blk_rq_map_kern(sdev->request_queue, req, buffer, bufflen, __GFP_WAIT)) |