target: Fix task->task_execute_queue=1 clear bug + LUN_RESET OOPs

BugLink: http://bugs.launchpad.net/bugs/793702

commit af57c3ac9947990da2608561b71f4799eb7795c6 upstream.

This patch fixes a bug where task->task_execute_queue=1 was not being
cleared once se_task had been removed from se_device->execute_task_list,
resulting in an OOPs in core_tmr_lun_reset() for the task->task_active=0
case where transport_remove_task_from_execute_queue() was incorrectly
being called.

This patch fixes two cases in transport_get_task_from_execute_queue()
and transport_remove_task_from_execute_queue() to properly clear
task->task_execute_queue=0 once list_del(&task->t_execute_list) has
been called.

It also adds an explict check in transport_remove_task_from_execute_queue()
to dump_stack + return if called with task->task_execute_queue=0.

Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <jbottomley@parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 0ddcc26..d2a5768 100644 (file)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1197,6 +1197,7 @@ transport_get_task_from_execute_queue(struct se_device *dev)
                break;
 
        list_del(&task->t_execute_list);
+       atomic_set(&task->task_execute_queue, 0);
        atomic_dec(&dev->execute_tasks);
 
        return task;
@@ -1212,8 +1213,14 @@ void transport_remove_task_from_execute_queue(
 {
        unsigned long flags;
 
+       if (atomic_read(&task->task_execute_queue) == 0) {
+               dump_stack();
+               return;
+       }
+
        spin_lock_irqsave(&dev->execute_task_lock, flags);
        list_del(&task->t_execute_list);
+       atomic_set(&task->task_execute_queue, 0);
        atomic_dec(&dev->execute_tasks);
        spin_unlock_irqrestore(&dev->execute_task_lock, flags);
 }