libfc: Fix a race in fc_exch_timer_set_locked()

It is allowed to pass a zero timeout value to fc_seq_exch_abort().
Avoid that this can cause the timeout function to drop the exchange
reference before it has been increased by fc_exch_timer_set_locked().
This patch fixes a crash when running FCoE target code with poisoning
enabled in the memory allocator.

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Cc: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>

diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
index f6bb0fbf422fdbcc9a1dd9a012319c6d2146f77e..7000203845bd136f15d30b2069e9088b83f2181b 100644 (file)
--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@@ -360,9 +360,10 @@ static inline void fc_exch_timer_set_locked(struct fc_exch *ep,
 
        FC_EXCH_DBG(ep, "Exchange timer armed : %d msecs\n", timer_msec);
 
-       if (queue_delayed_work(fc_exch_workqueue, &ep->timeout_work,
-                              msecs_to_jiffies(timer_msec)))
-               fc_exch_hold(ep);               /* hold for timer */
+       fc_exch_hold(ep);               /* hold for timer */
+       if (!queue_delayed_work(fc_exch_workqueue, &ep->timeout_work,
+                               msecs_to_jiffies(timer_msec)))
+               fc_exch_release(ep);
 }
 
 /**