The rport_lookup function must be called while holding the disc_mutex. Otherwise, the rdata could be deleted just after that by another thread.
All callers now check the state after grabbing the rdata rp_mutex. Even though rport_lookup skips ports in DELETE state, it does that without holding the rdata rp_mutex, so that the state may change. Signed-off-by: Joe Eykholt <[email protected]> --- drivers/scsi/libfc/fc_rport.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c index f598abe..89ef740 100644 --- a/drivers/scsi/libfc/fc_rport.c +++ b/drivers/scsi/libfc/fc_rport.c @@ -925,14 +925,17 @@ void fc_rport_recv_req(struct fc_seq *sp, struct fc_frame *fp, fh = fc_frame_header_get(fp); s_id = ntoh24(fh->fh_s_id); + mutex_lock(&lport->disc.disc_mutex); rdata = lport->tt.rport_lookup(lport, s_id); if (!rdata) { + mutex_unlock(&lport->disc.disc_mutex); els_data.reason = ELS_RJT_UNAB; lport->tt.seq_els_rsp_send(sp, ELS_LS_RJT, &els_data); fc_frame_free(fp); return; } mutex_lock(&rdata->rp_mutex); + mutex_unlock(&lport->disc.disc_mutex); op = fc_frame_payload_op(fp); switch (op) { _______________________________________________ devel mailing list [email protected] http://www.open-fcoe.org/mailman/listinfo/devel
