69 lines
2.4 KiB
Diff
69 lines
2.4 KiB
Diff
commit bfe159a51203c15d23cb3158fffdc25ec4b4dda1
|
|
Author: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Date: Thu Jul 7 15:45:40 2011 -0500
|
|
|
|
[SCSI] fix crash in scsi_dispatch_cmd()
|
|
|
|
USB surprise removal of sr is triggering an oops in
|
|
scsi_dispatch_command(). What seems to be happening is that USB is
|
|
hanging on to a queue reference until the last close of the upper
|
|
device, so the crash is caused by surprise remove of a mounted CD
|
|
followed by attempted unmount.
|
|
|
|
The problem is that USB doesn't issue its final commands as part of
|
|
the SCSI teardown path, but on last close when the block queue is long
|
|
gone. The long term fix is probably to make sr do the teardown in the
|
|
same way as sd (so remove all the lower bits on ejection, but keep the
|
|
upper disk alive until last close of user space). However, the
|
|
current oops can be simply fixed by not allowing any commands to be
|
|
sent to a dead queue.
|
|
|
|
Cc: stable@kernel.org
|
|
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
|
|
|
diff --git a/block/blk-core.c b/block/blk-core.c
|
|
index d2f8f40..1d49e1c 100644
|
|
--- a/block/blk-core.c
|
|
+++ b/block/blk-core.c
|
|
@@ -839,6 +839,9 @@ struct request *blk_get_request(struct request_queue *q, int rw, gfp_t gfp_mask)
|
|
{
|
|
struct request *rq;
|
|
|
|
+ if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags)))
|
|
+ return NULL;
|
|
+
|
|
BUG_ON(rw != READ && rw != WRITE);
|
|
|
|
spin_lock_irq(q->queue_lock);
|
|
diff --git a/block/blk-exec.c b/block/blk-exec.c
|
|
index 8a0e7ec..a1ebceb 100644
|
|
--- a/block/blk-exec.c
|
|
+++ b/block/blk-exec.c
|
|
@@ -50,6 +50,13 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
|
|
{
|
|
int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK;
|
|
|
|
+ if (unlikely(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))) {
|
|
+ rq->errors = -ENXIO;
|
|
+ if (rq->end_io)
|
|
+ rq->end_io(rq, rq->errors);
|
|
+ return;
|
|
+ }
|
|
+
|
|
rq->rq_disk = bd_disk;
|
|
rq->end_io = done;
|
|
WARN_ON(irqs_disabled());
|
|
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
|
|
index ec1803a..28d9c9d 100644
|
|
--- a/drivers/scsi/scsi_lib.c
|
|
+++ b/drivers/scsi/scsi_lib.c
|
|
@@ -213,6 +213,8 @@ int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
|
|
int ret = DRIVER_ERROR << 24;
|
|
|
|
req = blk_get_request(sdev->request_queue, write, __GFP_WAIT);
|
|
+ if (!req)
|
|
+ return ret;
|
|
|
|
if (bufflen && blk_rq_map_kern(sdev->request_queue, req,
|
|
buffer, bufflen, __GFP_WAIT))
|