On Thu, 05 Aug 2010 12:28:09 -0700
Joe Eykholt <jeykholt@xxxxxxxxx> wrote:
> > --- a/drivers/scsi/scsi_tgt_lib.c
> > +++ b/drivers/scsi/scsi_tgt_lib.c
> > @@ -184,6 +184,7 @@ static void scsi_tgt_cmd_destroy(struct work_struct *work)
> >
> > dprintk("cmd %p %d %u\n", cmd, cmd->sc_data_direction,
> > rq_data_dir(cmd->request));
> > + blk_end_request_all(cmd->request, 0);
> > scsi_unmap_user_pages(tcmd);
> > scsi_host_put_command(scsi_tgt_cmd_to_host(cmd), cmd);
>
> Both blk_end_request_all() and scsi_host_put_command() do
> a __blk_put_request().
Oops, right.
> I get a fault in the above call to scsi_tgt_cmd_to_host() where
> it derefs the request, presumably because the request has been
> freed by blk_end_request_all().
>
> This happens once, early in my LUN discovery sequence (maybe
> an Inquiry or Report LUNs) and then it seems OK. My system
> goes on after the fault.
>
> So, is there a case where we might not have started a request?
We don't start a request (like normal requests). We just use request
structure to keep page frames.
> I don't see that. I thought maybe a special case like
> an I/O with no buffer and dir == DMA_NONE, like a Test Unit Ready.
> Or maybe the request refcnt is not correct in some case?
I'm not sure. I think that only blk_execute_rq plays with
req->ref_count.
> I tried merely getting the host pointer before blk_end_request_all(),
> but that just lead to another problem in scsi_host_put_command()
> since it also refers to the request to get the tcmd.
I think that just setting req->bio to NULL is the simplest solution.
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
