target: Avoid double list_del for aborted se_tmr_req
authorJoern Engel <joern@logfs.org>
Thu, 27 Oct 2011 22:44:46 +0000 (15:44 -0700)
committerNicholas Bellinger <nab@linux-iscsi.org>
Wed, 2 Nov 2011 15:56:41 +0000 (15:56 +0000)
After the list_del() in core_tmr_drain_tmr_list(),
core_tmr_release_req() would list_del() the same object again.

Call graph:
        core_tmr_drain_tmr_list
        transport_cmd_finish_abort_tmr
        transport_generic_remove
        transport_free_se_cmd
        core_tmr_release_req

So use list_del_init(), as list_del() of an initialized list_head is
safe and essentially a nop.  In the CONFIG_DEBUG_LIST case, list_del()
actually poisons the list_head, but that is fine as we free the object
directly afterwards.

Signed-off-by: Joern Engel <joern@logfs.org>
Cc: stable@kernel.org
Signed-off-by: Nicholas Bellinger <nab@risingtidesystems.com>
drivers/target/target_core_tmr.c

index 2b0c528c1dd9e1e0d0ca56900cec3e8bd14a4d45..b1b9f2d6f935fb8f26121be988078de592fcb31f 100644 (file)
@@ -152,7 +152,7 @@ static void core_tmr_drain_tmr_list(
        spin_unlock_irqrestore(&dev->se_tmr_lock, flags);
 
        list_for_each_entry_safe(tmr_p, tmr_pp, &drain_tmr_list, tmr_list) {
-               list_del(&tmr_p->tmr_list);
+               list_del_init(&tmr_p->tmr_list);
                cmd = tmr_p->task_cmd;
 
                pr_debug("LUN_RESET: %s releasing TMR %p Function: 0x%02x,"