From mdharm@multivac.one-eyed-alien.net Thu Jul 28 14:47:17 2005
Date: Thu, 28 Jul 2005 14:45:50 -0700
From: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
Subject: USB Storage: close a race condition in disconnect near queuecommand
Message-ID: <20050728214550.GC31016@one-eyed-alien.net>

This patch started life as as534, and has been re-diffed against the latest
tree.

usb-storage has a small loophole, a window between the time queuecommand
accepts a new command and the time the control thread starts to execute
it.  If disconnect is called during that window, the driver won't cancel
the pending command -- we've been relying on the SCSI core to cancel it
for us during host removal.  But it's better for usb-storage to cancel
it;  this avoids races and reduces reliance on the SCSI core.
Fortunately cancelling these commands is easy to do; the key is to do it
_before_ calling scsi_remove_host.


Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/usb/storage/usb.c |   13 +++++++++++++
 1 files changed, 13 insertions(+)

--- gregkh-2.6.orig/drivers/usb/storage/usb.c	2005-08-08 16:43:57.000000000 -0700
+++ gregkh-2.6/drivers/usb/storage/usb.c	2005-08-08 16:43:57.000000000 -0700
@@ -833,6 +833,19 @@
 	/* Wait for the current command to finish, then remove the host */
 	down(&us->dev_semaphore);
 	up(&us->dev_semaphore);
+
+	/* queuecommand won't accept any new commands and the control
+	 * thread won't execute a previously-queued command.  If there
+	 * is such a command pending, complete it with an error. */
+	if (us->srb) {
+		us->srb->result = DID_NO_CONNECT << 16;
+		scsi_lock(us_to_host(us));
+		us->srb->scsi_done(us->srb);
+		us->srb = NULL;
+		scsi_unlock(us_to_host(us));
+	}
+
+	/* Now we own no commands so it's safe to remove the SCSI host */
 	scsi_remove_host(us_to_host(us));
 }