• Brian King's avatar
    scsi: ipr: Fix abort path race condition · 439ae285
    Brian King authored
    This fixes a race condition in the error handlomg paths of ipr. While a
    command is outstanding to the adapter, it is placed on a pending queue
    for the hrrq it is associated with, while holding the HRRQ lock. When a
    command is completed, it is removed from the pending queue, under HRRQ
    lock, and placed on a local list.  This list is then iterated through
    without any locks and each command's done function is invoked, inside of
    which, the command gets returned to the free list while grabbing the
    HRRQ lock. This fixes two race conditions when commands have been
    removed from the pending list but have not yet been added to the free
    list. Both of these changes fix race conditions that could result in
    returning success from eh_abort_handler and then later calling scsi_done
    for the same request.
    
    The first race condition is in ipr_cancel_op. It looks through each
    pending queue to see if the command to be aborted is still outstanding
    or not. Rather than looking on the pending queue, reverse the logic to
    check to look for commands that are NOT on the free queue.  The second
    race condition can occur when in ipr_wait_for_ops where we are waiting
    for responses for commands we've aborted.
    Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
    Reviewed-by: default avatarWendy Xiong <wenxiong@linux.vnet.ibm.com>
    Tested-by: default avatarWendy Xiong <wenxiong@linux.vnet.ibm.com>
    Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
    439ae285
ipr.c 298 KB