author | Matthew Dharm <mdharm-usb@one-eyed-alien.net> | 2005-07-28 14:45:50 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2005-09-08 16:22:55 -0700 |
commit | 26186ba77b493204ae0fadc3c88a67b14f22168f (patch) | |
tree | 6fc0d50a4d286df33b18f21e0994b09637d0c6c8 /drivers/usb/storage/usb.c | |
parent | 77f46328fb83b64befd889ebce6d7fb959932509 (diff) | |

[PATCH] USB Storage: close a race condition in disconnect near queuecommand

This patch started life as as534, and has been re-diffed against the latest
tree.

usb-storage has a small loophole, a window between the time queuecommand
accepts a new command and the time the control thread starts to execute
it. If disconnect is called during that window, the driver won't cancel
the pending command -- we've been relying on the SCSI core to cancel it
for us during host removal. But it's better for usb-storage to cancel
it; this avoids races and reduces reliance on the SCSI core.

Fortunately cancelling these commands is easy to do; the key is to do it
_before_ calling scsi_remove_host.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>

Signed-off-by: Matthew Dharm <mdharm-usb@one-eyed-alien.net>

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Diffstat (limited to 'drivers/usb/storage/usb.c')
-rw-r--r-- | drivers/usb/storage/usb.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/drivers/usb/storage/usb.c b/drivers/usb/storage/usb.c index 255771151399..97b9ebb8a082 100644 --- a/drivers/usb/storage/usb.c +++ b/drivers/usb/storage/usb.c @@ -833,6 +833,19 @@ static void quiesce_and_remove_host(struct us_data *us) /* Wait for the current command to finish, then remove the host */ down(&us->dev_semaphore); up(&us->dev_semaphore); + + /* queuecommand won't accept any new commands and the control + * thread won't execute a previously-queued command. If there + * is such a command pending, complete it with an error. */ + if (us->srb) { + us->srb->result = DID_NO_CONNECT << 16; + scsi_lock(us_to_host(us)); + us->srb->scsi_done(us->srb); + us->srb = NULL; + scsi_unlock(us_to_host(us)); + } + + /* Now we own no commands so it's safe to remove the SCSI host */ scsi_remove_host(us_to_host(us)); } |
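
Review bot: In the added block in quiesce_and_remove_host(), the `if (us->srb)` test and the `us->srb->result = DID_NO_CONNECT << 16;` store both run before `scsi_lock(us_to_host(us))` is taken, and after `up(&us->dev_semaphore)` has already released the semaphore, so the check and the first dereference of us->srb are not covered by the lock that protects the later `us->srb = NULL`. The new comment asserts that queuecommand accepts no new commands and that the control thread will not run a queued one, but nothing in the visible lines shows what enforces that. Either move the NULL test and the result assignment inside the scsi_lock/scsi_unlock pair so the whole check-and-complete sequence is atomic with respect to other users of us->srb, or extend the comment to name the state that makes the unlocked access safe. Separately, the unchanged comment "Wait for the current command to finish, then remove the host" above the down()/up() pair no longer describes the whole sequence now that the pending-command completion sits between the wait and scsi_remove_host(); trimming it to describe only the wait would keep the comments consistent.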