After the list_del() in core_tmr_drain_tmr_list(),
core_tmr_release_req() would list_del() the same object again.
Call graph:
core_tmr_drain_tmr_list
transport_cmd_finish_abort_tmr
transport_generic_remove
transport_free_se_cmd
core_tmr_release_req
So use list_del_init(), as list_del() of an initialized list_head is
safe and essentially a nop. In the CONFIG_DEBUG_LIST case, list_del()
actually poisons the list_head, but that is fine as we free the object
directly afterwards.
Signed-off-by: Joern Engel <joern@logfs.org>
Cc: stable@kernel.org
Signed-off-by: Nicholas Bellinger <nab@risingtidesystems.com>
spin_unlock_irqrestore(&dev->se_tmr_lock, flags);
list_for_each_entry_safe(tmr_p, tmr_pp, &drain_tmr_list, tmr_list) {
- list_del(&tmr_p->tmr_list);
+ list_del_init(&tmr_p->tmr_list);
cmd = tmr_p->task_cmd;
pr_debug("LUN_RESET: %s releasing TMR %p Function: 0x%02x,"