libfc: Fix a race in fc_exch_timer_set_locked()

It is allowed to pass a zero timeout value to fc_seq_exch_abort(). Avoid that this can cause the timeout function to drop the exchange reference before it has been increased by fc_exch_timer_set_locked(). This patch fixes a crash when running FCoE target code with poisoning enabled in the memory allocator. Signed-off-by: Bart Van Assche <bvanassche@acm.org> Cc: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Robert Love <robert.w.love@intel.com>
2013-08-14 15:35:29 +00:00 · 2013-08-14 15:35:29 +00:00 · b86788658b
commit b86788658b
parent 8d08023687
1 changed files with 4 additions and 3 deletions
--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@ -360,9 +360,10 @@ static inline void fc_exch_timer_set_locked(struct fc_exch *ep,

 	FC_EXCH_DBG(ep, "Exchange timer armed : %d msecs\n", timer_msec);

-	if (queue_delayed_work(fc_exch_workqueue, &ep->timeout_work,
-			       msecs_to_jiffies(timer_msec)))
-		fc_exch_hold(ep);		/* hold for timer */
+	fc_exch_hold(ep);		/* hold for timer */
+	if (!queue_delayed_work(fc_exch_workqueue, &ep->timeout_work,
+				msecs_to_jiffies(timer_msec)))
+		fc_exch_release(ep);
 }

 /**