Patchwork [3.5.y.z,extended,stable] Patch "target: Fix double-free of se_cmd in" has been added to staging queue

login
register
mail settings
Submitter Herton Ronaldo Krzesinski
Date Dec. 5, 2012, 10:30 p.m.
Message ID <1354746611-21190-1-git-send-email-herton.krzesinski@canonical.com>
Download mbox | patch
Permalink /patch/203996/
State New
Headers show

Comments

Herton Ronaldo Krzesinski - Dec. 5, 2012, 10:30 p.m.
This is a note to let you know that I have just added a patch titled

    target: Fix double-free of se_cmd in

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Herton

------

From 72fcf3099d5595243143c3969f7728266fdc3167 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@linux-iscsi.org>
Date: Fri, 26 Oct 2012 15:35:45 -0700
Subject: [PATCH] target: Fix double-free of se_cmd in
 target_complete_tmr_failure
X-Extended-Stable: 3.5

commit e13d5fef88c40b87c8430f8274c3a9ca32ef90bc upstream.

Fabric drivers currently expect to internally release se_cmd in the event
of a TMR failure during target_submit_tmr(), which means the immediate call
to transport_generic_free_cmd() after TFO->queue_tm_rsp() from within
target_complete_tmr_failure() workqueue context is wrong.

This is done as some fabrics expect TMR operations to be acknowledged
before releasing the descriptor, so the assumption that core is releasing
se_cmd associated TMR memory is incorrect.  This fixes a OOPs where
transport_generic_free_cmd() was being called more than once.

This bug was originally observed with tcm_qla2xxx fabric ports.

Cc: Christoph Hellwig <hch@lst.de>
Cc: Roland Dreier <roland@purestorage.com>
Cc: Andy Grover <agrover@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
---
 drivers/target/target_core_transport.c |    1 -
 1 file changed, 1 deletion(-)

--
1.7.9.5

Patch

diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 0981707..7879ff4 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1617,7 +1617,6 @@  static void target_complete_tmr_failure(struct work_struct *work)

 	se_cmd->se_tmr_req->response = TMR_LUN_DOES_NOT_EXIST;
 	se_cmd->se_tfo->queue_tm_rsp(se_cmd);
-	transport_generic_free_cmd(se_cmd, 0);
 }

 /**