Re: OOPS in scsi generic stuff 2.4.10-pre6

Jens Axboe (axboe@suse.de)
Sun, 16 Sep 2001 18:55:22 +0200


On Sun, Sep 16 2001, Jens Axboe wrote:
> It looks like a race in that sg_cmd_done_bh can be completed before
> generic_unplug_device is called (and thus on a free'd scsi request). We
> then pass an invalid queue to generic_unplug_device.

(corrected version, scsi_allocate_request can of course fail)

--- drivers/scsi/sg.c~ Sun Sep 16 18:17:20 2001
+++ drivers/scsi/sg.c Sun Sep 16 18:53:38 2001
@@ -645,6 +645,7 @@
Scsi_Request * SRpnt;
Sg_device * sdp = sfp->parentdp;
sg_io_hdr_t * hp = &srp->header;
+ request_queue_t * q;

srp->data.cmd_opcode = cmnd[0]; /* hold opcode of command */
hp->status = 0;
@@ -680,6 +681,7 @@
}

srp->my_cmdp = SRpnt;
+ q = &SRpnt->sr_device->request_queue;
SRpnt->sr_request.rq_dev = sdp->i_rdev;
SRpnt->sr_request.rq_status = RQ_ACTIVE;
SRpnt->sr_sense_buffer[0] = 0;
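
Review bot: the added `q = &SRpnt->sr_device->request_queue;` takes the address of a queue embedded in the device rather than in the request, so the fix only holds if the device itself stays valid after the request has completed and been freed. That assumption deserves a short comment at the assignment, for example "cache the queue now, SRpnt may be gone once the command is issued", so the reason for the extra local is not lost in a later cleanup.
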
@@ -715,7 +717,7 @@
(void *)SRpnt->sr_buffer, hp->dxfer_len,
sg_cmd_done_bh, timeout, SG_DEFAULT_RETRIES);
/* dxfer_len overwrites SRpnt->sr_bufflen, hence need for b_malloc_len */
- generic_unplug_device(&SRpnt->sr_device->request_queue);
+ generic_unplug_device(q);
return 0;
}
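
Review bot: at `generic_unplug_device(q);` nothing tells a later reader that SRpnt is off limits once the call that passes sg_cmd_done_bh has been made; the only comment nearby is the one about dxfer_len. Suggest a comment directly above the unplug stating that the completion handler may already have run and that SRpnt must not be dereferenced from that point to the return, which is the race described in the message.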

-- 
Jens Axboe
