aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrew Vasquez <andrew.vasquez@qlogic.com>2008-04-24 18:21:25 -0400
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2008-04-27 13:19:58 -0400
commit0c23b856581673c90aa619b1ab04127a7f90cea2 (patch)
tree60bcebbe128c331fe9c49ed70ec18f8516ec2939
parentc1ec1f1bf9cb1ba80e79a74d48bcfb5da246d6f6 (diff)
[SCSI] qla2xxx: Correct SRB usage-after-completion/free issues.
The driver is incorrectly assuming that the 'sp' reference held in qla2[x00|4xx]_abort_command() is valid after the mailbox command is issued to abort the exchange. It is *not*, as the command may be completed during interrupt context before control is returned to the mailbox caller. Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--drivers/scsi/qla2xxx/qla_mbx.c2
1 files changed, 0 insertions, 2 deletions
diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
index a9cb8291f58e..d10cb068245e 100644
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -784,7 +784,6 @@ qla2x00_abort_command(scsi_qla_host_t *ha, srb_t *sp)
784 DEBUG2_3_11(printk("qla2x00_abort_command(%ld): failed=%x.\n", 784 DEBUG2_3_11(printk("qla2x00_abort_command(%ld): failed=%x.\n",
785 ha->host_no, rval)); 785 ha->host_no, rval));
786 } else { 786 } else {
787 sp->flags |= SRB_ABORT_PENDING;
788 DEBUG11(printk("qla2x00_abort_command(%ld): done.\n", 787 DEBUG11(printk("qla2x00_abort_command(%ld): done.\n",
789 ha->host_no)); 788 ha->host_no));
790 } 789 }
@@ -2210,7 +2209,6 @@ qla24xx_abort_command(scsi_qla_host_t *ha, srb_t *sp)
2210 rval = QLA_FUNCTION_FAILED; 2209 rval = QLA_FUNCTION_FAILED;
2211 } else { 2210 } else {
2212 DEBUG11(printk("%s(%ld): done.\n", __func__, ha->host_no)); 2211 DEBUG11(printk("%s(%ld): done.\n", __func__, ha->host_no));
2213 sp->flags |= SRB_ABORT_PENDING;
2214 } 2212 }
2215 2213
2216 dma_pool_free(ha->s_dma_pool, abt, abt_dma); 2214 dma_pool_free(ha->s_dma_pool, abt, abt_dma);