[S390] tape: Fix race condition in tape block device driver

Due to incorrect function call sequence it can happen that a tape block
request is finished before the request is taken from the block request queue.

The following sequence leads to that condition:
 * tapeblock_start_request() -> start CCW program
 * Request finishes -> IO interrupt
 * tapeblock_end_request()
 * end_that_request_last()

If blkdev_dequeue_request() has not been called before end_that_request_last(),
a kernel bug is triggered in end_that_request_last() because the request is
still queued. To solve that problem blkdev_dequeue_request() has to be called
before starting the CCW program.

Signed-off-by: Michael Holzheu <holzheu@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

diff --git a/drivers/s390/char/tape_block.c b/drivers/s390/char/tape_block.c
index ddc4a114e7f415c2b2ed2d03218910488a7ac1ba..95da72bc17e8d7e3b218bfe0c4f46a1a9d306900 100644 (file)
--- a/drivers/s390/char/tape_block.c
+++ b/drivers/s390/char/tape_block.c
@@ -179,11 +179,11 @@ tapeblock_requeue(struct work_struct *work) {
                        tapeblock_end_request(req, -EIO);
                        continue;
                }
+               blkdev_dequeue_request(req);
+               nr_queued++;
                spin_unlock_irq(&device->blk_data.request_queue_lock);
                rc = tapeblock_start_request(device, req);
                spin_lock_irq(&device->blk_data.request_queue_lock);
-               blkdev_dequeue_request(req);
-               nr_queued++;
        }
        spin_unlock_irq(&device->blk_data.request_queue_lock);
        atomic_set(&device->blk_data.requeue_scheduled, 0);