Roland Dreier wrote:
> Hmm, it's clearly a use-after-free bug.  Based on
>
>     ip is at srp_reconnect_target+0x2b1/0x5c0 [ib_srp]
>
> can you guess where it is in the SRP driver or what it's accessing?
>
> Also this is happening because the connection is being reconnected,
> because SCSI commands are timing out.  Do you have any idea why this
> is happening?  What does the target see when this happens?

It crashed in "cleared request queue", i.e.

        list_for_each_entry(req, &target->req_queue, list) {
                req->scmnd->result = DID_RESET << 16;
                req->scmnd->scsi_done(req->scmnd);
        }

Probably the SCSI command was already freed through abort; however, it's still in the request queue.

Vu
_______________________________________________
openib-general mailing list
[email protected]
http://openib.org/mailman/listinfo/openib-general

To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
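
A user-space C model of the situation Vu suspects, added here as an example; it is not code from this thread or from ib_srp, and every type and function name in it is hypothetical. It marks a command as released instead of freeing it, so the reconnect loop can count the stale entries it would have dereferenced, with and without unlinking the request in the abort path.

```c
#include <stddef.h>

/* User-space model of the suspected bug; every name here is hypothetical. */
enum cmd_state { CMD_ACTIVE, CMD_RELEASED };  /* RELEASED stands in for a freed command */
struct cmd { enum cmd_state state; int result; };
struct req { struct cmd *scmnd; struct req *next; };
struct target { struct req *req_queue; };

static void queue_add(struct target *t, struct req *r, struct cmd *c)
{
    r->scmnd = c;
    r->next = t->req_queue;
    t->req_queue = r;
}

/* Abort path; unlink == 0 models the suspected bug (req stays on req_queue). */
static void abort_cmd(struct target *t, struct req *r, int unlink)
{
    struct req **pp;
    r->scmnd->state = CMD_RELEASED;
    if (!unlink)
        return;
    for (pp = &t->req_queue; *pp; pp = &(*pp)->next)
        if (*pp == r) { *pp = r->next; break; }
}

/* Reconnect path: fail everything still queued. Returns how many queued
 * requests pointed at a released command (each one a use-after-free). */
static int reconnect_flush(struct target *t, int reset_result)
{
    int stale = 0;
    struct req *r;
    for (r = t->req_queue; r; r = r->next) {
        if (r->scmnd->state == CMD_RELEASED) { stale++; continue; }
        r->scmnd->result = reset_result;  /* req->scmnd->result = DID_RESET << 16 */
    }
    t->req_queue = NULL;
    return stale;
}

/* Constructed scenario: two commands in flight, one aborted before reconnect. */
static int stale_after_abort(int unlink)
{
    struct cmd c[2] = { { CMD_ACTIVE, 0 }, { CMD_ACTIVE, 0 } };
    struct req r[2];
    struct target t = { NULL };
    queue_add(&t, &r[0], &c[0]);
    queue_add(&t, &r[1], &c[1]);
    abort_cmd(&t, &r[0], unlink);
    return reconnect_flush(&t, 0x08 << 16);  /* DID_RESET is 0x08 in the Linux SCSI headers */
}
```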
