From 93079162bf0ed2934c7b0c3ee93ba894df8fb3cd Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Wed, 11 Dec 2013 17:06:14 +0100 Subject: scsi_transport_srp: Fix a race condition The rport timers must be stopped before the SRP initiator destroys the resources associated with the SCSI host. This is necessary because otherwise the callback functions invoked from the SRP transport layer could trigger a use-after-free. Stopping the rport timers before invoking scsi_remove_host() can trigger long delays in the SCSI error handler if a transport layer failure occurs while scsi_remove_host() is in progress. Hence move the code for stopping the rport timers from srp_rport_release() into a new function and invoke that function after scsi_remove_host() has finished. This patch fixes the following sporadic kernel crash: kernel BUG at include/asm-generic/dma-mapping-common.h:64! invalid opcode: 0000 [#1] SMP RIP: 0010:[] [] srp_unmap_data+0x121/0x130 [ib_srp] Call Trace: [] srp_free_req+0x3c/0x80 [ib_srp] [] srp_finish_req+0x48/0x70 [ib_srp] [] srp_terminate_io+0x4b/0x60 [ib_srp] [] __rport_fail_io_fast+0x75/0x80 [scsi_transport_srp] [] rport_fast_io_fail_timedout+0x88/0xc0 [scsi_transport_srp] [] worker_thread+0x170/0x2a0 [] kthread+0x96/0xa0 [] child_rip+0xa/0x20 Signed-off-by: Bart Van Assche Signed-off-by: Roland Dreier --- drivers/infiniband/ulp/srp/ib_srp.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/infiniband') diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c index a88631918e85..529b6bcdca7a 100644 --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -660,6 +660,7 @@ static void srp_remove_target(struct srp_target_port *target) srp_rport_get(target->rport); srp_remove_host(target->scsi_host); scsi_remove_host(target->scsi_host); + srp_stop_rport_timers(target->rport); srp_disconnect_target(target); ib_destroy_cm_id(target->cm_id); srp_free_target_ib(target); -- cgit v1.2.3
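Review bot: the added srp_stop_rport_timers(target->rport) call in srp_remove_target() is order-sensitive on both sides, but nothing at the call site documents that. Per the commit message it has to run after scsi_remove_host() has finished (stopping the timers earlier can cause long delays in the SCSI error handler) and before the initiator destroys the resources associated with the SCSI host in the calls that follow (srp_disconnect_target(), ib_destroy_cm_id(), srp_free_target_ib()), otherwise rport_fast_io_fail_timedout() can still reach srp_terminate_io() and srp_unmap_data() as in the quoted trace. Please add a short comment above the call stating both constraints, so a later reorder of this teardown sequence does not reintroduce the use-after-free. Separately, this view is limited to drivers/infiniband, so the definition of srp_stop_rport_timers() is not visible here; since the trace shows the callback running from worker_thread, it is worth confirming in the transport-layer half of the patch that the function waits for an already running callback to complete and does not only cancel pending ones.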