nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl()

commit ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 upstream.

Now target is removed from nvme_fc_ctrl_free() which is the ctrl->ref
release handler. And even admin queue is unquiesced there, this way
is definitely wrong because the ctr->ref is grabbed when submitting
command.

And Marco observed that nvme_fc_ctrl_free() can be called from request
completion code path, and trigger kernel warning since request completes
from softirq context.

Fix the issue by moveing target removal into nvme_fc_delete_ctrl(),
which is also aligned with nvme-tcp and nvme-rdma.

Patch originally proposed by Ming Lei, then modified to move the tagset
removal down to after nvme_fc_delete_association() after further testing.

Cc: Marco Patalano <mpatalan@redhat.com>
Cc: Ewan Milne <emilne@redhat.com>
Cc: James Smart <james.smart@broadcom.com>
Cc: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Cc: stable@vger.kernel.org
Tested-by: Marco Patalano <mpatalan@redhat.com>
Reviewed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
index 57c94912338608f2b3218bbe8044c8252ea2d9d9..2d29e3bbef0de85c475b183d6e8802695f81b56b 100644 (file)
--- a/drivers/nvme/host/fc.c
+++ b/drivers/nvme/host/fc.c
@@ -2349,17 +2349,11 @@ nvme_fc_ctrl_free(struct kref *ref)
                container_of(ref, struct nvme_fc_ctrl, ref);
        unsigned long flags;
 
-       if (ctrl->ctrl.tagset)
-               nvme_remove_io_tag_set(&ctrl->ctrl);
-
        /* remove from rport list */
        spin_lock_irqsave(&ctrl->rport->lock, flags);
        list_del(&ctrl->ctrl_list);
        spin_unlock_irqrestore(&ctrl->rport->lock, flags);
 
-       nvme_unquiesce_admin_queue(&ctrl->ctrl);
-       nvme_remove_admin_tag_set(&ctrl->ctrl);
-
        kfree(ctrl->queues);
 
        put_device(ctrl->dev);
@@ -3255,11 +3249,18 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nctrl)
 
        cancel_work_sync(&ctrl->ioerr_work);
        cancel_delayed_work_sync(&ctrl->connect_work);
+
        /*
         * kill the association on the link side.  this will block
         * waiting for io to terminate
         */
        nvme_fc_delete_association(ctrl);
+
+       if (ctrl->ctrl.tagset)
+               nvme_remove_io_tag_set(&ctrl->ctrl);
+
+       nvme_unquiesce_admin_queue(&ctrl->ctrl);
+       nvme_remove_admin_tag_set(&ctrl->ctrl);
 }
 
 static void