On 5/18/20 11:48 AM, Bodo Stroesser wrote:
> When tcmu queues a new command - no matter whether in command
> ring or in qfull_queue - a cmd_id from IDR udev->commands is
> assigned to the command.
>
> If userspace sends a wrong command completion containing the
> cmd_id of a command on the qfull_queue, tcmu_handle_completions()
> finds the command in the IDR and calls tcmu_handle_completion()
> for it. This might do some nasty things, because commands in
> qfull_queue do not have a valid dbi list.
>
> To fix this bug, we no longer add queued commands to the idr.
> Instead the cmd_id is assigned when a command is written to
> the command ring.
>
> Due to this change I had to adapt the source code at several
> places where up to now an idr_for_each had been done.
>
> Signed-off-by: Bodo Stroesser <bstroesser@xxxxxxxxxxxxxx>

Acked-by: Mike Christie <mchristi@xxxxxxxxxx>
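The state problem the quoted message describes, as an added toy model that is not tcmu code and not part of the patch: with the old flow a completion carrying the id of a still-queued command reaches an object without a dbi list, while with the fixed flow the id does not exist until the command is on the ring, so the same completion matches nothing. The struct, table and function names are constructed for the illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed toy model of the flow in the quoted patch message; not tcmu
 * code. A command waits on the qfull queue (no dbi list yet) or sits on the
 * command ring (dbi list allocated); id_table stands in for the IDR. */
#define MAX_IDS 8
struct cmd { bool on_ring; bool dbi_valid; int id; /* -1 = no id yet */ };
static struct cmd *id_table[MAX_IDS];

static void reset_table(void) { memset(id_table, 0, sizeof(id_table)); }

static int alloc_id(struct cmd *c)
{
	for (int i = 0; i < MAX_IDS; i++)
		if (!id_table[i]) { id_table[i] = c; c->id = i; return i; }
	return -1;
}

/* Old behaviour: the id is handed out while the command still waits in
 * qfull_queue, so a completion lookup can already reach it. */
static int queue_cmd_old(struct cmd *c)
{
	c->on_ring = false; c->dbi_valid = false;
	return alloc_id(c);
}

/* Fixed behaviour: a queued command gets no id at all ... */
static void queue_cmd_fixed(struct cmd *c)
{
	c->on_ring = false; c->dbi_valid = false; c->id = -1;
}

/* ... the id is assigned only when the command is written to the ring,
 * where its dbi list is valid. */
static int move_to_ring(struct cmd *c)
{
	c->on_ring = true; c->dbi_valid = true;
	return c->id >= 0 ? c->id : alloc_id(c);
}

/* Completion lookup: 1 = command with valid dbi list found, 0 = id matches
 * nothing (safe to drop), -1 = reached a queued command without a dbi list
 * (the state the message calls unsafe to process). */
static int handle_completion(int id)
{
	if (id < 0 || id >= MAX_IDS || !id_table[id]) return 0;
	return id_table[id]->dbi_valid ? 1 : -1;
}
```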