On Sat, 2014-01-04 at 11:27 -0500, Alan Stern wrote: > On Fri, 3 Jan 2014, James Bottomley wrote: > > > > I'm still concerned about one thing. The previous patch does this in > > > scsi_alloc_target(): > > > > > > > found: > > > > - found_target->reap_ref++; > > > > + if (!kref_get_unless_zero(&found_target->reap_ref)) > > > > + /* > > > > + * release routine already fired. Target is dead, but > > > > + * STARGET_DEL may not yet be set (set in the release > > > > + * routine), so set here as well, just in case > > > > + */ > > > > + found_target->state = STARGET_DEL; > > > > spin_unlock_irqrestore(shost->host_lock, flags); > > > > > > As a result, the two comments in this patch aren't right: > > > > > > > @@ -384,9 +385,15 @@ static void scsi_target_reap_ref_release(struct kref *kref) > > > > struct scsi_target *starget > > > > = container_of(kref, struct scsi_target, reap_ref); > > > > > > > > - transport_remove_device(&starget->dev); > > > > - device_del(&starget->dev); > > > > - starget->state = STARGET_DEL; > > > > + /* > > > > + * if we get here and the target is still in the CREATED state that > > > > + * means it was allocated but never made visible (because a scan > > > > + * turned up no LUNs), so don't call device_del() on it. > > > > + */ > > > > + if (starget->state == STARGET_RUNNING) { > > > > + transport_remove_device(&starget->dev); > > > > + device_del(&starget->dev); > > > > + } > > > > > > Here the state could already be STARGET_DEL, even though the target is > > > still visible. > > > > Well, I agree with the theory. In practise, there are only a few > > machine instructions between the kref going to zero and us reaching that > > point, because kref_release will jump into this routine next, so the > > condition would be very hard to see. > > It's true that the window is very small and not at all likely to be > hit. Still, I prefer eliminating such things entirely. > > > However, I suppose it's easy to > > close by checking for != STARGET_CREATED and there's no reason not to do > > that, so I'll change it. > > Checking for != STARGET_CREATED is also wrong in principle. The state > could already be STARGET_DEL even though the target was never made > visible. > > The basic problem is that you are relying on the state to be an > accurate description of the target's visibility, but > scsi_alloc_target() changes the state without changing the visibility. > I really think you should get rid of that extra assignment in > scsi_alloc_target(). OK, Agreed, but that means modifying the 1/2 patch with the below. This should make the proposed diff to 2/2 correct. James --- diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c index ef3f958..5fad646 100644 --- a/drivers/scsi/scsi_scan.c +++ b/drivers/scsi/scsi_scan.c @@ -417,7 +417,7 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, + shost->transportt->target_size; struct scsi_target *starget; struct scsi_target *found_target; - int error; + int error, ref_got; starget = kzalloc(size, GFP_KERNEL); if (!starget) { @@ -466,15 +466,15 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, return starget; found: - if (!kref_get_unless_zero(&found_target->reap_ref)) - /* - * release routine already fired. Target is dead, but - * STARGET_DEL may not yet be set (set in the release - * routine), so set here as well, just in case - */ - found_target->state = STARGET_DEL; + /* + * release routine already fired if kref is zero, so if we can still + * take the reference, the target must be alive. If we can't, it must + * be dying and we need to wait for a new target + */ + ref_got = kref_get_unless_zero(&found_target->reap_ref); + spin_unlock_irqrestore(shost->host_lock, flags); - if (found_target->state != STARGET_DEL) { + if (ref_got) { put_device(dev); return found_target; } @@ -482,8 +482,8 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, * Unfortunately, we found a dying target; need to wait until it's * dead before we can get a new one. There is an anomaly here. We * *should* call scsi_target_reap() to balance the kref_get() of the - * reap_ref above. However, since the target is in state STARGET_DEL, - * it's already invisible and the reap_ref is irrelevant. If we call + * reap_ref above. However, since the target being released, it's + * already invisible and the reap_ref is irrelevant. If we call * scsi_target_reap() we might spuriously do another device_del() on * an already invisible target. */ -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html