From: Vasu Dev
Subject: [PATCH 2/3] libfc: Fix fc_exch_recv_req() error path
To: linux-scsi@vger.kernel.org
Cc: fcoe-devel@open-fcoe.org, target-devel, Bart Van Assche, Vasu Dev, stable, Vasu Dev
Date: Fri, 05 Jun 2015 14:20:46 -0700
Message-ID: <20150605212045.6054.14709.stgit@lin-nd1-054.jf.intel.com>
In-Reply-To: <20150605212003.6054.15351.stgit@lin-nd1-054.jf.intel.com>
References: <20150605212003.6054.15351.stgit@lin-nd1-054.jf.intel.com>

From: Bart Van Assche

Due to patch "libfc: Do not invoke the response handler after
fc_exch_done()" (commit ID 7030fd62) the lport_recv() call in
fc_exch_recv_req() is passed a dangling pointer. Avoid this by
moving the fc_frame_free() call from fc_invoke_resp() to its
callers. This patch fixes the following crash:

general protection fault: 0000 [#3] PREEMPT SMP
RIP: fc_lport_recv_req+0x72/0x280 [libfc]
Call Trace:
 fc_exch_recv+0x642/0xde0 [libfc]
 fcoe_percpu_receive_thread+0x46a/0x5ed [fcoe]
 kthread+0x10a/0x120
 ret_from_fork+0x42/0x70

Signed-off-by: Bart Van Assche
Cc: Vasu Dev
Cc: stable

-v2 Updated to revised patch posted at:
http://lists.open-fcoe.org/pipermail/fcoe-devel/2015-May/012462.html

Signed-off-by: Vasu Dev
---
 drivers/scsi/libfc/fc_exch.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
index 1b3a094..30f9ef0 100644
--- a/drivers/scsi/libfc/fc_exch.c +++ b/drivers/scsi/libfc/fc_exch.c @@ -733,8 +733,6 @@ static bool fc_invoke_resp(struct fc_exch *ep, struct fc_seq *sp, if (resp) { resp(sp, fp, arg); res = true; - } else if (!IS_ERR(fp)) { - fc_frame_free(fp); } spin_lock_bh(&ep->ex_lock); @@ -1596,7 +1594,8 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) * If new exch resp handler is valid then call that * first. */ - fc_invoke_resp(ep, sp, fp); + if (!fc_invoke_resp(ep, sp, fp)) + fc_frame_free(fp); fc_exch_release(ep); return; @@ -1695,7 +1694,8 @@ static void fc_exch_abts_resp(struct fc_exch *ep, struct fc_frame *fp) fc_exch_hold(ep); if (!rc) fc_exch_delete(ep); - fc_invoke_resp(ep, sp, fp); + if (!fc_invoke_resp(ep, sp, fp)) + fc_frame_free(fp); if (has_rec) fc_exch_timer_set(ep, ep->r_a_tov); fc_exch_release(ep);
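Review bot: In the first hunk (fc_invoke_resp(), @@ -733), removing the `else if (!IS_ERR(fp))` branch changes who owns fp, and nothing in the hunk records that. After this change a false return means no handler ran and the caller still holds the frame, so the function's comment should say so explicitly; otherwise the next caller added is likely to either leak the frame or free it twice. The commit message names fc_exch_recv_req() as the path that crashed, but no hunk touches it, so it would also help to state there that fc_exch_recv_req() keeps using fp after fc_invoke_resp() returns false, which is why dropping the free here is the fix. Any caller of fc_invoke_resp() not modified by this patch that relied on the old free needs to be checked for a leak.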
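Review bot: In the second and third hunks (fc_exch_recv_seq_resp() at @@ -1596 and fc_exch_abts_resp() at @@ -1695), the relocated fc_frame_free(fp) is unconditional, while the code it replaces only freed when `!IS_ERR(fp)`. Both functions take fp as a received frame parameter, so this looks safe here, but the guard existed because fc_invoke_resp() could be handed an error pointer, and the difference deserves a line in the commit message or a comment at the call sites. Since the same two-line "free if not consumed" pattern is now duplicated, a short comment above `if (!fc_invoke_resp(ep, sp, fp))` explaining that false means the handler did not consume the frame would keep the two sites from drifting apart.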