提交 0a219edb 编写于 作者: V Vasu Dev 提交者: James Bottomley

[SCSI] libfc: fix race in SRR response

In this case fsp was freed before error handler was invoked,
this is fixed by having SRR fsp reference freed by exch
destructor so that fsp will be always held until it exch
is freed.

Also don't reset fsp->recov_seq since this is needed by
SRR error handler to do exch done.
Signed-off-by: NVasu Dev <vasu.dev@intel.com>
Tested-by: NRoss Brattain <ross.b.brattain@intel.com>
Signed-off-by: NRobert Love <robert.w.love@intel.com>
Signed-off-by: NJames Bottomley <jbottomley@parallels.com>
上级 8d23f4ba
...@@ -1673,7 +1673,8 @@ static void fc_fcp_srr(struct fc_fcp_pkt *fsp, enum fc_rctl r_ctl, u32 offset) ...@@ -1673,7 +1673,8 @@ static void fc_fcp_srr(struct fc_fcp_pkt *fsp, enum fc_rctl r_ctl, u32 offset)
FC_FCTL_REQ, 0); FC_FCTL_REQ, 0);
rec_tov = get_fsp_rec_tov(fsp); rec_tov = get_fsp_rec_tov(fsp);
seq = lport->tt.exch_seq_send(lport, fp, fc_fcp_srr_resp, NULL, seq = lport->tt.exch_seq_send(lport, fp, fc_fcp_srr_resp,
fc_fcp_pkt_destroy,
fsp, jiffies_to_msecs(rec_tov)); fsp, jiffies_to_msecs(rec_tov));
if (!seq) if (!seq)
goto retry; goto retry;
...@@ -1720,7 +1721,6 @@ static void fc_fcp_srr_resp(struct fc_seq *seq, struct fc_frame *fp, void *arg) ...@@ -1720,7 +1721,6 @@ static void fc_fcp_srr_resp(struct fc_seq *seq, struct fc_frame *fp, void *arg)
return; return;
} }
fsp->recov_seq = NULL;
switch (fc_frame_payload_op(fp)) { switch (fc_frame_payload_op(fp)) {
case ELS_LS_ACC: case ELS_LS_ACC:
fsp->recov_retry = 0; fsp->recov_retry = 0;
...@@ -1732,10 +1732,9 @@ static void fc_fcp_srr_resp(struct fc_seq *seq, struct fc_frame *fp, void *arg) ...@@ -1732,10 +1732,9 @@ static void fc_fcp_srr_resp(struct fc_seq *seq, struct fc_frame *fp, void *arg)
break; break;
} }
fc_fcp_unlock_pkt(fsp); fc_fcp_unlock_pkt(fsp);
fsp->lp->tt.exch_done(seq);
out: out:
fsp->lp->tt.exch_done(seq);
fc_frame_free(fp); fc_frame_free(fp);
fc_fcp_pkt_release(fsp); /* drop hold for outstanding SRR */
} }
/** /**
...@@ -1747,8 +1746,6 @@ static void fc_fcp_srr_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp) ...@@ -1747,8 +1746,6 @@ static void fc_fcp_srr_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp)
{ {
if (fc_fcp_lock_pkt(fsp)) if (fc_fcp_lock_pkt(fsp))
goto out; goto out;
fsp->lp->tt.exch_done(fsp->recov_seq);
fsp->recov_seq = NULL;
switch (PTR_ERR(fp)) { switch (PTR_ERR(fp)) {
case -FC_EX_TIMEOUT: case -FC_EX_TIMEOUT:
if (fsp->recov_retry++ < FC_MAX_RECOV_RETRY) if (fsp->recov_retry++ < FC_MAX_RECOV_RETRY)
...@@ -1764,7 +1761,7 @@ static void fc_fcp_srr_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp) ...@@ -1764,7 +1761,7 @@ static void fc_fcp_srr_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp)
} }
fc_fcp_unlock_pkt(fsp); fc_fcp_unlock_pkt(fsp);
out: out:
fc_fcp_pkt_release(fsp); /* drop hold for outstanding SRR */ fsp->lp->tt.exch_done(fsp->recov_seq);
} }
/** /**
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册