From: Andrew Vasquez Date: Thu, 24 Apr 2008 22:21:25 +0000 (-0700) Subject: [SCSI] qla2xxx: Correct SRB usage-after-completion/free issues. X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=0c23b856581673c90aa619b1ab04127a7f90cea2;p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git [SCSI] qla2xxx: Correct SRB usage-after-completion/free issues. The driver is incorrectly assuming that the 'sp' reference held in qla2[x00|4xx]_abort_command() is valid after the mailbox command is issued to abort the exchange. It is *not*, as the command may be completed during interrupt context before control is returned to the mailbox caller. Signed-off-by: Andrew Vasquez Signed-off-by: James Bottomley --- diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c index a9cb8291f58e..d10cb068245e 100644 --- a/drivers/scsi/qla2xxx/qla_mbx.c +++ b/drivers/scsi/qla2xxx/qla_mbx.c @@ -784,7 +784,6 @@ qla2x00_abort_command(scsi_qla_host_t *ha, srb_t *sp) DEBUG2_3_11(printk("qla2x00_abort_command(%ld): failed=%x.\n", ha->host_no, rval)); } else { - sp->flags |= SRB_ABORT_PENDING; DEBUG11(printk("qla2x00_abort_command(%ld): done.\n", ha->host_no)); } @@ -2210,7 +2209,6 @@ qla24xx_abort_command(scsi_qla_host_t *ha, srb_t *sp) rval = QLA_FUNCTION_FAILED; } else { DEBUG11(printk("%s(%ld): done.\n", __func__, ha->host_no)); - sp->flags |= SRB_ABORT_PENDING; } dma_pool_free(ha->s_dma_pool, abt, abt_dma);