scsi: ibmvfc: Protect vhost->task_set increment by the host lock

In the discovery thread, ibmvfc does a vhost->task_set++ without any lock
held. This could result in two targets getting the same cancel key, which
could have strange effects in error recovery.  The actual probability of
this occurring should be extremely small, since this should all be done in
a single threaded loop from the discovery thread, but let's fix it up
anyway to be safe.

Link: https://lore.kernel.org/r/1600286999-22059-1-git-send-email-brking@linux.vnet.ibm.com
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index e641aaa1a0f6177fa3d2ce6e7fa9974ac9a6b100..e09e0310b4c814410a27b121e61e478c4c805f56 100644 (file)
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -4184,11 +4184,11 @@ static int ibmvfc_alloc_target(struct ibmvfc_host *vhost,
        tgt->wwpn = wwpn;
        tgt->vhost = vhost;
        tgt->need_login = 1;
-       tgt->cancel_key = vhost->task_set++;
        timer_setup(&tgt->timer, ibmvfc_adisc_timeout, 0);
        kref_init(&tgt->kref);
        ibmvfc_init_tgt(tgt, ibmvfc_tgt_implicit_logout);
        spin_lock_irqsave(vhost->host->host_lock, flags);
+       tgt->cancel_key = vhost->task_set++;
        list_add_tail(&tgt->queue, &vhost->targets);
 
 unlock_out: