I took a look at scsi_host_cancel(), scsi_device_cancel(), and a few other
routines. Three things stood out:

When a host is removed, currently executing requests are
aborted within the midlevel but the low-level driver is not
informed of this. Presumably it shouldn't care since it
ought to cancel its own outstanding I/O?

There's a race between scsi_host_cancel()/scsi_device_cancel()
and scsi_times_out(). If the timer fires before
scsi_device_cancel() can delete it, and scsi_host_cancel()
tests the SHOST_RECOVERY bit before the error handler manages
to set it, then you will remove a host that's still in error
recovery.

There's no protection against accessing the host template
via procfs, if a user process pins the file during
scsi_remove_host(). You probably are already aware of this.

Alan Stern
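
The interleaving described in the second point, as an added example that is not part of the original message and is not kernel code: a small user-space model that walks every ordering of the timer path against the removal path and counts the orderings that end with a removed host still in error recovery. All names in it are hypothetical, and it assumes the removal path cancels the device's timer before testing the recovery bit and that the error handler sets the bit only after the timer has fired.

```c
#include <stdbool.h>

/* Simplified model with hypothetical names; this is not kernel code. */
enum step { TIMER_FIRES, EH_SETS_RECOVERY, DEVICE_CANCEL, HOST_CANCEL_CHECK };

struct model {
    bool timer_pending;   /* command timer still armed */
    bool timeout_queued;  /* timer fired, error handler has not reacted yet */
    bool in_recovery;     /* stands in for the SHOST_RECOVERY bit */
    bool host_removed;
};

static void apply(struct model *m, enum step s)
{
    switch (s) {
    case TIMER_FIRES:       /* fires only if nobody deleted it first */
        if (m->timer_pending) { m->timer_pending = false; m->timeout_queued = true; }
        break;
    case EH_SETS_RECOVERY:  /* error handler reacts to a fired timer */
        if (m->timeout_queued) { m->timeout_queued = false; m->in_recovery = true; }
        break;
    case DEVICE_CANCEL:     /* deleting the timer does nothing once it has fired */
        m->timer_pending = false;
        break;
    case HOST_CANCEL_CHECK: /* removal proceeds if the bit is not set yet */
        if (!m->in_recovery) m->host_removed = true;
        break;
    }
}

/* Assumed program order within each path; the two paths interleave freely. */
static const enum step timer_path[2]   = { TIMER_FIRES, EH_SETS_RECOVERY };
static const enum step removal_path[2] = { DEVICE_CANCEL, HOST_CANCEL_CHECK };

/* Walk every interleaving; count those ending with a removed host in recovery. */
static int explore(struct model m, int t, int r, int *total)
{
    int unsafe = 0;
    if (t == 2 && r == 2) { (*total)++; return m.host_removed && m.in_recovery; }
    if (t < 2) { struct model n = m; apply(&n, timer_path[t]); unsafe += explore(n, t + 1, r, total); }
    if (r < 2) { struct model n = m; apply(&n, removal_path[r]); unsafe += explore(n, t, r + 1, total); }
    return unsafe;
}

int count_unsafe_interleavings(int *total)
{
    struct model start = { .timer_pending = true };
    *total = 0;
    return explore(start, 0, 0, total);
}
```

In this model the only unsafe ordering is: timer fires, device cancel, recovery-bit check, error handler sets the bit.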