IB/srp: Remove target from list before freeing Scsi_Host structure

Remove an SRP target from the SRP target list before invoking the last
scsi_host_put() call.  This change is necessary because that last put
frees the memory that holds the srp_target_port structure.

This patch prevents the following kernel oops:

    RIP: 0010:[<ffffffff810b00d0>] __lock_acquire+0x500/0x1570
    Call Trace:
     [<ffffffff810b11e4>] lock_acquire+0xa4/0x120
     [<ffffffff81531206>] _spin_lock+0x36/0x70
     [<ffffffffa01b6d8f>] srp_remove_work+0xef/0x180 [ib_srp]
     [<ffffffff8109125c>] worker_thread+0x21c/0x3d0
     [<ffffffff81096e86>] kthread+0x96/0xa0
     [<ffffffff8100c20a>] child_rip+0xa/0x20

Signed-off-by: Vu Pham <vuhuong@mellanox.com>
[ bvanassche - Modified path description and CC'ed stable. ]

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Roland Dreier <roland@purestorage.com>

diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
index a8f8d0b8a777d8c2b5efc199995aa0afa1cd3b03..a8c06c4451c0f00853a5b99a0c4fbfaf37b0406e 100644 (file)
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -666,6 +666,11 @@ static void srp_remove_target(struct srp_target_port *target)
        cancel_work_sync(&target->tl_err_work);
        srp_rport_put(target->rport);
        srp_free_req_data(target);
+
+       spin_lock(&target->srp_host->target_lock);
+       list_del(&target->list);
+       spin_unlock(&target->srp_host->target_lock);
+
        scsi_host_put(target->scsi_host);
 }
 
@@ -677,10 +682,6 @@ static void srp_remove_work(struct work_struct *work)
        WARN_ON_ONCE(target->state != SRP_TARGET_REMOVED);
 
        srp_remove_target(target);
-
-       spin_lock(&target->srp_host->target_lock);
-       list_del(&target->list);
-       spin_unlock(&target->srp_host->target_lock);
 }
 
 static void srp_rport_delete(struct srp_rport *rport)