[openib-general][patch review] srp: fmr implementation,
Vu Pham
vuhuong at mellanox.com
Fri Apr 14 08:44:31 PDT 2006
Roland Dreier wrote:
> Hmm, it's clearly a use-after-free bug. Based on
>
> ip is at srp_reconnect_target+0x2b1/0x5c0 [ib_srp]
>
> can you guess where it is in the SRP driver or what it's accessing?
>
> Also this is happening because the connection is being reconnected,
> because SCSI commands are timing out. Do you have any idea why this
> is happening? What does the target see when this happens?
It crashed in "cleared request queue", i.e.

	list_for_each_entry(req, &target->req_queue, list) {
		req->scmnd->result = DID_RESET << 16;
		req->scmnd->scsi_done(req->scmnd);
	}

Probably the SCSI command was already freed through abort; however,
it's still in the request queue.
Vu
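
A user-space C model of the situation suggested in the message above, added here as an example and not code from the ib_srp driver or from this thread. The struct layouts, abort_cmd(), flush_on_reconnect(), stale_after_abort() and the "freed" flag are assumptions; the flag stands in for the real free so the model itself never touches released memory.

```c
#include <stdbool.h>
#include <stdio.h>

#define DID_RESET 0x08  /* host byte value from the Linux SCSI headers */

/* User-space model; struct and function names are hypothetical. */
struct cmd { bool freed; int result; };   /* stands in for a SCSI command */
struct req { struct cmd *scmnd; struct req *next; };
struct target { struct req *req_queue; };

/* Abort path: the command is released. With dequeue == false the request
 * stays on req_queue, which is the situation suspected in the message. */
static void abort_cmd(struct target *t, struct req *r, bool dequeue)
{
    r->scmnd->freed = true;               /* models the free, no real free() */
    for (struct req **pp = &t->req_queue; dequeue && *pp; pp = &(*pp)->next)
        if (*pp == r) { *pp = r->next; r->scmnd = NULL; break; }
}

/* Reconnect path: fail everything still queued with DID_RESET. Returns how
 * many already-released commands the loop reached (each a use-after-free). */
static int flush_on_reconnect(struct target *t)
{
    int stale = 0;
    for (struct req *r = t->req_queue; r; r = r->next) {
        if (r->scmnd->freed) { stale++; continue; }
        r->scmnd->result = DID_RESET << 16;
    }
    t->req_queue = NULL;
    return stale;
}

/* Queue two commands (r1 -> r0), abort the one in r0, then reconnect. */
int stale_after_abort(bool dequeue)
{
    struct cmd c[2] = { { false, 0 }, { false, 0 } };
    struct req r0 = { &c[0], NULL }, r1 = { &c[1], &r0 };
    struct target t = { &r1 };
    abort_cmd(&t, &r0, dequeue);
    return flush_on_reconnect(&t);
}

int main(void)
{
    printf("stale, abort leaves req queued: %d\n", stale_after_abort(false));
    printf("stale, abort dequeues req:      %d\n", stale_after_abort(true));
    return 0;
}
```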