In transport_free_session, se_nacl is got from se_sess
with the initial reference. If se_nacl->acl_sess_list is
empty, se_nacl->dynamic_stop is set to true. Then the first
target_put_nacl(se_nacl) will drop the initial reference
and free se_nacl. Later there is a second target_put_nacl()
to put se_nacl. It may cause error in race.
My patch sets se_nacl->dynamic_stop to false to avoid the
double put.
Signed-off-by: Lv Yunlong <lyl2...@mail.ustc.edu.cn>
---
drivers/target/target_core_transport.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/target/target_core_transport.c
b/drivers/target/target_core_transport.c
index 5ecb9f18a53d..c266defe694f 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -584,8 +584,10 @@ void transport_free_session(struct se_session *se_sess)
}
mutex_unlock(&se_tpg->acl_node_mutex);
- if (se_nacl->dynamic_stop)
+ if (se_nacl->dynamic_stop) {
target_put_nacl(se_nacl);
+ se_nacl->dynamic_stop = false;
+ }
target_put_nacl(se_nacl);
}
--
2.25.1
