Commit df3d422c, author: Bart Van Assche, committer: Martin K. Petersen

scsi: scsi_dh_alua: Fix a reference counting bug

The code at the end of alua_rtpg_work() is as follows:

	scsi_device_put(sdev);
	kref_put(&pg->kref, release_port_group);

In other words, alua_rtpg_queue() must hold an sdev reference and a pg
reference before queueing rtpg work. If no rtpg work is queued no
additional references should be held when alua_rtpg_queue() returns. If
no rtpg work is queued, ensure that alua_rtpg_queue() only gives up the
sdev reference if that reference was obtained by the same
alua_rtpg_queue() call.

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reported-by: Tang Junhui <tang.junhui@zte.com.cn>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Tang Junhui <tang.junhui@zte.com.cn>
Cc: <stable@vger.kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Parent aac173e9
...@@ -891,6 +891,7 @@ static void alua_rtpg_queue(struct alua_port_group *pg, ...@@ -891,6 +891,7 @@ static void alua_rtpg_queue(struct alua_port_group *pg,
/* Do not queue if the worker is already running */ /* Do not queue if the worker is already running */
if (!(pg->flags & ALUA_PG_RUNNING)) { if (!(pg->flags & ALUA_PG_RUNNING)) {
kref_get(&pg->kref); kref_get(&pg->kref);
sdev = NULL;
start_queue = 1; start_queue = 1;
} }
} }
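Review bot: The added `sdev = NULL;` in the `!(pg->flags & ALUA_PG_RUNNING)` branch turns `sdev` into an implicit "this call took no device reference" flag, and nothing at the assignment says so. A short comment here, stating that only the pg reference is taken on this path and so the failure path must not drop an sdev reference, would keep a later reader from removing the line as dead code. It is also worth confirming that nothing between this assignment and the `queue_delayed_work()` call dereferences `sdev`, since those lines are not shown in this hunk.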
...@@ -902,7 +903,8 @@ static void alua_rtpg_queue(struct alua_port_group *pg, ...@@ -902,7 +903,8 @@ static void alua_rtpg_queue(struct alua_port_group *pg,
if (start_queue && if (start_queue &&
!queue_delayed_work(alua_wq, &pg->rtpg_work, !queue_delayed_work(alua_wq, &pg->rtpg_work,
msecs_to_jiffies(ALUA_RTPG_DELAY_MSECS))) { msecs_to_jiffies(ALUA_RTPG_DELAY_MSECS))) {
scsi_device_put(sdev); if (sdev)
scsi_device_put(sdev);
kref_put(&pg->kref, release_port_group); kref_put(&pg->kref, release_port_group);
} }
} }
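Review bot: The new `if (sdev)` guard before `scsi_device_put(sdev);` is balanced only if a non-NULL `sdev` at this point always means this call obtained the device reference, which requires every path that sets `start_queue = 1` to either take that reference or clear `sdev`. The patch shows one such path; any others lie outside the visible context and should be checked against the same rule. The unconditional `kref_put(&pg->kref, release_port_group);` pairs with the `kref_get(&pg->kref);` visible in the previous hunk, so a one-line comment next to the guard stating the sdev invariant would document why the two puts are treated differently.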
......