diff mbox series

[1/2] Revert "scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed"

Message ID 20230515070156.1790181-2-haowenchao2@huawei.com (mailing list archive)
State Accepted
Headers show
Series Fix kernel panic in scsi_queue_rq() | expand

Commit Message

Wenchao Hao May 15, 2023, 7:01 a.m. UTC 
the "atomic_inc(&cmd->device->iorequest_cnt)" in scsi_queue_rq() would
causes kernel panic, because cmd->device may be freed after returning
from scsi_dispatch_cmd().

This reverts commit cfee29ffb45b1c9798011b19d454637d1b0fe87d.

Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
Reported-by: Ming Lei <ming.lei@redhat.com>
Closes:https://lore.kernel.org/linux-scsi/8e0f2d31-e6ff-ec4a-3974-450560ad49c5@huawei.com/T/#t
---
 drivers/scsi/scsi_lib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Ming Lei May 15, 2023, 8:45 a.m. UTC | #1 
On Mon, May 15, 2023 at 03:01:55PM +0800, Wenchao Hao wrote:
> the "atomic_inc(&cmd->device->iorequest_cnt)" in scsi_queue_rq() would
> causes kernel panic, because cmd->device may be freed after returning
> from scsi_dispatch_cmd().
> 
> This reverts commit cfee29ffb45b1c9798011b19d454637d1b0fe87d.
> 
> Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
> Reported-by: Ming Lei <ming.lei@redhat.com>
> Closes:https://lore.kernel.org/linux-scsi/8e0f2d31-e6ff-ec4a-3974-450560ad49c5@huawei.com/T/#t

Reviewed-by: Ming Lei <ming.lei@redhat.com>

Thanks,
Ming
diff mbox series

Patch

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index b7c569a42aa4..03964b26f3f2 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1463,6 +1463,8 @@  static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
 	struct Scsi_Host *host = cmd->device->host;
 	int rtn = 0;
 
+	atomic_inc(&cmd->device->iorequest_cnt);
+
 	/* check if the device is still usable */
 	if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
 		/* in SDEV_DEL we error all commands. DID_NO_CONNECT
@@ -1761,7 +1763,6 @@  static blk_status_t scsi_queue_rq(struct blk_mq_hw_ctx *hctx,
 		goto out_dec_host_busy;
 	}
 
-	atomic_inc(&cmd->device->iorequest_cnt);
 	return BLK_STS_OK;
 
 out_dec_host_busy: