Commit 616f0e6c authored by Hans de Goede's avatar Hans de Goede Committed by Greg Kroah-Hartman

uas: Drop all references to a scsi_cmnd once it has been aborted

Do not keep references around to a cmnd which is under error handling.
Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b6823c51
...@@ -257,12 +257,11 @@ static int uas_try_complete(struct scsi_cmnd *cmnd, const char *caller) ...@@ -257,12 +257,11 @@ static int uas_try_complete(struct scsi_cmnd *cmnd, const char *caller)
lockdep_assert_held(&devinfo->lock); lockdep_assert_held(&devinfo->lock);
if (cmdinfo->state & (COMMAND_INFLIGHT | if (cmdinfo->state & (COMMAND_INFLIGHT |
DATA_IN_URB_INFLIGHT | DATA_IN_URB_INFLIGHT |
DATA_OUT_URB_INFLIGHT)) DATA_OUT_URB_INFLIGHT |
COMMAND_ABORTED))
return -EBUSY; return -EBUSY;
WARN_ON_ONCE(cmdinfo->state & COMMAND_COMPLETED); WARN_ON_ONCE(cmdinfo->state & COMMAND_COMPLETED);
cmdinfo->state |= COMMAND_COMPLETED; cmdinfo->state |= COMMAND_COMPLETED;
if (cmdinfo->state & COMMAND_ABORTED)
scmd_printk(KERN_INFO, cmnd, "abort completed\n");
devinfo->cmnd[uas_get_tag(cmnd) - 1] = NULL; devinfo->cmnd[uas_get_tag(cmnd) - 1] = NULL;
cmnd->scsi_done(cmnd); cmnd->scsi_done(cmnd);
return 0; return 0;
...@@ -712,6 +711,47 @@ static int uas_queuecommand_lck(struct scsi_cmnd *cmnd, ...@@ -712,6 +711,47 @@ static int uas_queuecommand_lck(struct scsi_cmnd *cmnd,
static DEF_SCSI_QCMD(uas_queuecommand) static DEF_SCSI_QCMD(uas_queuecommand)
/*
* For now we do not support actually sending an abort to the device, so
* this eh always fails. Still we must define it to make sure that we've
* dropped all references to the cmnd in question once this function exits.
*/
static int uas_eh_abort_handler(struct scsi_cmnd *cmnd)
{
struct uas_cmd_info *cmdinfo = (void *)&cmnd->SCp;
struct uas_dev_info *devinfo = (void *)cmnd->device->hostdata;
struct urb *data_in_urb = NULL;
struct urb *data_out_urb = NULL;
unsigned long flags;
spin_lock_irqsave(&devinfo->lock, flags);
uas_log_cmd_state(cmnd, __func__);
/* Ensure that try_complete does not call scsi_done */
cmdinfo->state |= COMMAND_ABORTED;
/* Drop all refs to this cmnd, kill data urbs to break their ref */
devinfo->cmnd[uas_get_tag(cmnd) - 1] = NULL;
if (cmdinfo->state & DATA_IN_URB_INFLIGHT)
data_in_urb = usb_get_urb(cmdinfo->data_in_urb);
if (cmdinfo->state & DATA_OUT_URB_INFLIGHT)
data_out_urb = usb_get_urb(cmdinfo->data_out_urb);
spin_unlock_irqrestore(&devinfo->lock, flags);
if (data_in_urb) {
usb_kill_urb(data_in_urb);
usb_put_urb(data_in_urb);
}
if (data_out_urb) {
usb_kill_urb(data_out_urb);
usb_put_urb(data_out_urb);
}
return FAILED;
}
static int uas_eh_bus_reset_handler(struct scsi_cmnd *cmnd) static int uas_eh_bus_reset_handler(struct scsi_cmnd *cmnd)
{ {
struct scsi_device *sdev = cmnd->device; struct scsi_device *sdev = cmnd->device;
...@@ -797,6 +837,7 @@ static struct scsi_host_template uas_host_template = { ...@@ -797,6 +837,7 @@ static struct scsi_host_template uas_host_template = {
.queuecommand = uas_queuecommand, .queuecommand = uas_queuecommand,
.slave_alloc = uas_slave_alloc, .slave_alloc = uas_slave_alloc,
.slave_configure = uas_slave_configure, .slave_configure = uas_slave_configure,
.eh_abort_handler = uas_eh_abort_handler,
.eh_bus_reset_handler = uas_eh_bus_reset_handler, .eh_bus_reset_handler = uas_eh_bus_reset_handler,
.can_queue = 65536, /* Is there a limit on the _host_ ? */ .can_queue = 65536, /* Is there a limit on the _host_ ? */
.this_id = -1, .this_id = -1,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment