summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBart Van Assche <bvanassche@acm.org>2013-08-14 17:35:29 +0200
committerRobert Love <robert.w.love@intel.com>2013-09-04 22:16:25 +0200
commitb86788658be425a5454246a954721d9122d2b3d6 (patch)
treec8faadee82cd2149e3af75996b51d4db90072724
parentlibfc: Clarify fc_exch_find() (diff)
downloadlinux-b86788658be425a5454246a954721d9122d2b3d6.tar.xz
linux-b86788658be425a5454246a954721d9122d2b3d6.zip
libfc: Fix a race in fc_exch_timer_set_locked()
It is allowed to pass a zero timeout value to fc_seq_exch_abort(). Avoid that this can cause the timeout function to drop the exchange reference before it has been increased by fc_exch_timer_set_locked(). This patch fixes a crash when running FCoE target code with poisoning enabled in the memory allocator. Signed-off-by: Bart Van Assche <bvanassche@acm.org> Cc: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Robert Love <robert.w.love@intel.com>
-rw-r--r--drivers/scsi/libfc/fc_exch.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
index f6bb0fbf422f..7000203845bd 100644
--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@@ -360,9 +360,10 @@ static inline void fc_exch_timer_set_locked(struct fc_exch *ep,
FC_EXCH_DBG(ep, "Exchange timer armed : %d msecs\n", timer_msec);
- if (queue_delayed_work(fc_exch_workqueue, &ep->timeout_work,
- msecs_to_jiffies(timer_msec)))
- fc_exch_hold(ep); /* hold for timer */
+ fc_exch_hold(ep); /* hold for timer */
+ if (!queue_delayed_work(fc_exch_workqueue, &ep->timeout_work,
+ msecs_to_jiffies(timer_msec)))
+ fc_exch_release(ep);
}
/**