[SCSI] fix OOPS due to clearing eh_action prior to aborting eh command

The eh_action semaphore in scsi_eh_send_command is cleared after a
command timeout.  The command is subsequently aborted and the abort
will try to call scsi_done() on it.  Unfortunately, the scsi_eh_done()
routine unconditinally completes the semaphore (which is now null).
Fix this race by makiong the scsi_eh_done() routine check that the
semaphore is non null before completing it (mirroring the ordinary
command done/timeout logic).

Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index 18c5d252301441b287735e74b0dfae07c48b75af..c0ae9e965f6f26f71d591456280fbb4dad11a912 100644 (file)
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -422,10 +422,15 @@ static int scsi_eh_completed_normally(struct scsi_cmnd *scmd)
  **/
 static void scsi_eh_done(struct scsi_cmnd *scmd)
 {
+       struct completion     *eh_action;
+
        SCSI_LOG_ERROR_RECOVERY(3,
                printk("%s scmd: %p result: %x\n",
                        __FUNCTION__, scmd, scmd->result));
-       complete(scmd->device->host->eh_action);
+
+       eh_action = scmd->device->host->eh_action;
+       if (eh_action)
+               complete(eh_action);
 }
 
 /**