[PATCH v2 04/30] cxlflash: Fix potential oops following LUN removal

Matthew R. Ochs mrochs at linux.vnet.ibm.com
Tue Sep 22 08:32:44 AEST 2015

> On Sep 21, 2015, at 7:11 AM, Tomas Henzl <thenzl at redhat.com> wrote:
> On 16.9.2015 23:27, Matthew R. Ochs wrote:
>> When a LUN is removed, the sdev that is associated with the LUN
>> remains intact until its reference count drops to 0. In order
>> to prevent an sdev from being removed while a context is still
>> associated with it, obtain an additional reference per-context
>> for each LUN attached to the context.
>> This resolves a potential Oops in the release handler when a
>> dealing with a LUN that has already been removed.
>> Signed-off-by: Matthew R. Ochs <mrochs at linux.vnet.ibm.com>
>> Signed-off-by: Manoj N. Kumar <manoj at linux.vnet.ibm.com>
>> Suggested-by: Brian King <brking at linux.vnet.ibm.com>
>> ---
>> drivers/scsi/cxlflash/superpipe.c | 36 ++++++++++++++++++++++++------------
>> 1 file changed, 24 insertions(+), 12 deletions(-)
>> diff --git a/drivers/scsi/cxlflash/superpipe.c b/drivers/scsi/cxlflash/superpipe.c
>> index fa513ba..1fa4af6 100644
>> --- a/drivers/scsi/cxlflash/superpipe.c
>> +++ b/drivers/scsi/cxlflash/superpipe.c
>> @@ -880,6 +880,9 @@ static int _cxlflash_disk_detach(struct scsi_device *sdev,
>> 			sys_close(lfd);
>> 	}
>> +	/* Release the sdev reference that bound this LUN to the context */
>> +	scsi_device_put(sdev);
>> +
> I'm not sure here with the use if scsi_device_get+put, also I don't quite well
> understand what you are going to fix here and how can it happen.
> The scsi_device_get takes an additional module reference, so if used from
> a module it shouldn't be held for a long time.

The issue here is that the user context needs to be bound to the device so that
in the event that device goes away, it doesn't completely go away until the user
context is done using it. Without it, it is possible to crash when the context is
being freed.

Essentially this is the same as incrementing the count when an open is performed
on the device. The device can be removed (and is hidden upon doing so) but is
not actually freed until the reference is resolved (close()).

> Is it possible for a user to rmmod the czlflash module
> after the disk attach function is called?

Not while a user is present.

More information about the Linuxppc-dev mailing list