diff options
| author | Nicholas Bellinger <nab@linux-iscsi.org> | 2012-03-17 23:12:36 -0400 |
|---|---|---|
| committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2012-03-18 01:13:48 -0400 |
| commit | 187e70a554e0f0717a65998bc9199945cbbd4692 (patch) | |
| tree | c328e72d485b172e5d4e8a283ea5252654dd7676 /drivers/infiniband/ulp/srpt/ib_srpt.c | |
| parent | ee9b866a3696ae434418348e2f499c41841366d4 (diff) | |
ib_srpt: Fix srpt_handle_cmd send_ioctx->ioctx_kref leak on exception
This patch addresses a bug in srpt_handle_cmd() failure handling where
send_ioctx->kref is being leaked with the local extra reference after init,
causing the expected kref_put() in srpt_handle_send_comp() to not be the final
call to invoke srpt_put_send_ioctx_kref() -> transport_generic_free_cmd() and
perform se_cmd descriptor memory release.
It also fixes a SCF_SCSI_RESERVATION_CONFLICT handling bug where this code
is incorrectly falling through to transport_handle_cdb_direct() after
invoking srpt_queue_status() to send SAM_STAT_RESERVATION_CONFLICT status.
Note this patch is for >= v3.3 mainline code, and current lio-core.git
code has already been converted to target_submit_cmd() + se_cmd->cmd_kref usage,
and internal ioctx->kref usage has been removed. I'm including this patch
now into target-pending/for-next with a CC' for v3.3 stable.
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Roland Dreier <roland@purestorage.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers/infiniband/ulp/srpt/ib_srpt.c')
| -rw-r--r-- | drivers/infiniband/ulp/srpt/ib_srpt.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c index 6735b63d96f0..c3cb907d8105 100644 --- a/drivers/infiniband/ulp/srpt/ib_srpt.c +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c | |||
| @@ -1757,6 +1757,7 @@ static int srpt_handle_cmd(struct srpt_rdma_ch *ch, | |||
| 1757 | srp_cmd->tag); | 1757 | srp_cmd->tag); |
| 1758 | cmd->se_cmd_flags |= SCF_SCSI_CDB_EXCEPTION; | 1758 | cmd->se_cmd_flags |= SCF_SCSI_CDB_EXCEPTION; |
| 1759 | cmd->scsi_sense_reason = TCM_INVALID_CDB_FIELD; | 1759 | cmd->scsi_sense_reason = TCM_INVALID_CDB_FIELD; |
| 1760 | kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref); | ||
| 1760 | goto send_sense; | 1761 | goto send_sense; |
| 1761 | } | 1762 | } |
| 1762 | 1763 | ||
| @@ -1764,15 +1765,19 @@ static int srpt_handle_cmd(struct srpt_rdma_ch *ch, | |||
| 1764 | cmd->data_direction = dir; | 1765 | cmd->data_direction = dir; |
| 1765 | unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_cmd->lun, | 1766 | unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_cmd->lun, |
| 1766 | sizeof(srp_cmd->lun)); | 1767 | sizeof(srp_cmd->lun)); |
| 1767 | if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0) | 1768 | if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0) { |
| 1769 | kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref); | ||
| 1768 | goto send_sense; | 1770 | goto send_sense; |
| 1771 | } | ||
| 1769 | ret = transport_generic_allocate_tasks(cmd, srp_cmd->cdb); | 1772 | ret = transport_generic_allocate_tasks(cmd, srp_cmd->cdb); |
| 1770 | if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT) | 1773 | if (ret < 0) { |
| 1771 | srpt_queue_status(cmd); | 1774 | kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref); |
| 1772 | else if (cmd->se_cmd_flags & SCF_SCSI_CDB_EXCEPTION) | 1775 | if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT) { |
| 1773 | goto send_sense; | 1776 | srpt_queue_status(cmd); |
| 1774 | else | 1777 | return 0; |
| 1775 | WARN_ON_ONCE(ret); | 1778 | } else |
| 1779 | goto send_sense; | ||
| 1780 | } | ||
| 1776 | 1781 | ||
| 1777 | transport_handle_cdb_direct(cmd); | 1782 | transport_handle_cdb_direct(cmd); |
| 1778 | return 0; | 1783 | return 0; |