Skip to content

Commit

Permalink
[SCSI] libfc: fix race in SRR response
Browse files Browse the repository at this point in the history 
In this case fsp was freed before error handler was invoked,
this is fixed by having SRR fsp reference freed by exch
destructor so that fsp will be always held until it exch
is freed.

Also don't reset fsp->recov_seq since this is needed by
SRR error handler to do exch done.

Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <jbottomley@parallels.com>
  • Loading branch information
Vasu Dev authored and James Bottomley committed May 24, 2011
1 parent 8d23f4b commit 0a219ed
Showing 1 changed file with 4 additions and 7 deletions.
11 changes: 4 additions & 7 deletions drivers/scsi/libfc/fc_fcp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1673,7 +1673,8 @@ static void fc_fcp_srr(struct fc_fcp_pkt *fsp, enum fc_rctl r_ctl, u32 offset)
FC_FCTL_REQ, 0);

rec_tov = get_fsp_rec_tov(fsp);
seq = lport->tt.exch_seq_send(lport, fp, fc_fcp_srr_resp, NULL,
seq = lport->tt.exch_seq_send(lport, fp, fc_fcp_srr_resp,
fc_fcp_pkt_destroy,
fsp, jiffies_to_msecs(rec_tov));
if (!seq)
goto retry;
Expand Down Expand Up @@ -1720,7 +1721,6 @@ static void fc_fcp_srr_resp(struct fc_seq *seq, struct fc_frame *fp, void *arg)
return;
}

fsp->recov_seq = NULL;
switch (fc_frame_payload_op(fp)) {
case ELS_LS_ACC:
fsp->recov_retry = 0;
Expand All @@ -1732,10 +1732,9 @@ static void fc_fcp_srr_resp(struct fc_seq *seq, struct fc_frame *fp, void *arg)
break;
}
fc_fcp_unlock_pkt(fsp);
fsp->lp->tt.exch_done(seq);
out:
fsp->lp->tt.exch_done(seq);
fc_frame_free(fp);
fc_fcp_pkt_release(fsp); /* drop hold for outstanding SRR */
}

/**
Expand All @@ -1747,8 +1746,6 @@ static void fc_fcp_srr_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp)
{
if (fc_fcp_lock_pkt(fsp))
goto out;
fsp->lp->tt.exch_done(fsp->recov_seq);
fsp->recov_seq = NULL;
switch (PTR_ERR(fp)) {
case -FC_EX_TIMEOUT:
if (fsp->recov_retry++ < FC_MAX_RECOV_RETRY)
Expand All @@ -1764,7 +1761,7 @@ static void fc_fcp_srr_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp)
}
fc_fcp_unlock_pkt(fsp);
out:
fc_fcp_pkt_release(fsp); /* drop hold for outstanding SRR */
fsp->lp->tt.exch_done(fsp->recov_seq);
}

/**
Expand Down

0 comments on commit 0a219ed

Please sign in to comment.