aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorNicholas Bellinger <nab@linux-iscsi.org>2012-03-17 23:12:36 -0400
committerNicholas Bellinger <nab@linux-iscsi.org>2012-03-18 01:13:48 -0400
commit187e70a554e0f0717a65998bc9199945cbbd4692 (patch)
treec328e72d485b172e5d4e8a283ea5252654dd7676 /drivers
parentee9b866a3696ae434418348e2f499c41841366d4 (diff)
ib_srpt: Fix srpt_handle_cmd send_ioctx->ioctx_kref leak on exception
This patch addresses a bug in srpt_handle_cmd() failure handling where send_ioctx->kref is being leaked with the local extra reference after init, causing the expected kref_put() in srpt_handle_send_comp() to not be the final call to invoke srpt_put_send_ioctx_kref() -> transport_generic_free_cmd() and perform se_cmd descriptor memory release. It also fixes a SCF_SCSI_RESERVATION_CONFLICT handling bug where this code is incorrectly falling through to transport_handle_cdb_direct() after invoking srpt_queue_status() to send SAM_STAT_RESERVATION_CONFLICT status. Note this patch is for >= v3.3 mainline code, and current lio-core.git code has already been converted to target_submit_cmd() + se_cmd->cmd_kref usage, and internal ioctx->kref usage has been removed. I'm including this patch now into target-pending/for-next with a CC' for v3.3 stable. Cc: Bart Van Assche <bvanassche@acm.org> Cc: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/infiniband/ulp/srpt/ib_srpt.c19
1 files changed, 12 insertions, 7 deletions
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
index 6735b63d96f0..c3cb907d8105 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1757,6 +1757,7 @@ static int srpt_handle_cmd(struct srpt_rdma_ch *ch,
1757 srp_cmd->tag); 1757 srp_cmd->tag);
1758 cmd->se_cmd_flags |= SCF_SCSI_CDB_EXCEPTION; 1758 cmd->se_cmd_flags |= SCF_SCSI_CDB_EXCEPTION;
1759 cmd->scsi_sense_reason = TCM_INVALID_CDB_FIELD; 1759 cmd->scsi_sense_reason = TCM_INVALID_CDB_FIELD;
1760 kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
1760 goto send_sense; 1761 goto send_sense;
1761 } 1762 }
1762 1763
@@ -1764,15 +1765,19 @@ static int srpt_handle_cmd(struct srpt_rdma_ch *ch,
1764 cmd->data_direction = dir; 1765 cmd->data_direction = dir;
1765 unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_cmd->lun, 1766 unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_cmd->lun,
1766 sizeof(srp_cmd->lun)); 1767 sizeof(srp_cmd->lun));
1767 if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0) 1768 if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0) {
1769 kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
1768 goto send_sense; 1770 goto send_sense;
1771 }
1769 ret = transport_generic_allocate_tasks(cmd, srp_cmd->cdb); 1772 ret = transport_generic_allocate_tasks(cmd, srp_cmd->cdb);
1770 if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT) 1773 if (ret < 0) {
1771 srpt_queue_status(cmd); 1774 kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
1772 else if (cmd->se_cmd_flags & SCF_SCSI_CDB_EXCEPTION) 1775 if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT) {
1773 goto send_sense; 1776 srpt_queue_status(cmd);
1774 else 1777 return 0;
1775 WARN_ON_ONCE(ret); 1778 } else
1779 goto send_sense;
1780 }
1776 1781
1777 transport_handle_cdb_direct(cmd); 1782 transport_handle_cdb_direct(cmd);
1778 return 0; 1783 return 0;