diff options
author | Andrew Vasquez <andrew.vasquez@qlogic.com> | 2008-04-24 18:21:25 -0400 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2008-04-27 13:19:58 -0400 |
commit | 0c23b856581673c90aa619b1ab04127a7f90cea2 (patch) | |
tree | 60bcebbe128c331fe9c49ed70ec18f8516ec2939 /drivers | |
parent | c1ec1f1bf9cb1ba80e79a74d48bcfb5da246d6f6 (diff) |
[SCSI] qla2xxx: Correct SRB usage-after-completion/free issues.
The driver is incorrectly assuming that the 'sp' reference held
in qla2[x00|4xx]_abort_command() is valid after the mailbox
command is issued to abort the exchange. It is *not*, as the
command may be completed during interrupt context before control
is returned to the mailbox caller.
Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/scsi/qla2xxx/qla_mbx.c | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c index a9cb8291f58e..d10cb068245e 100644 --- a/drivers/scsi/qla2xxx/qla_mbx.c +++ b/drivers/scsi/qla2xxx/qla_mbx.c | |||
@@ -784,7 +784,6 @@ qla2x00_abort_command(scsi_qla_host_t *ha, srb_t *sp) | |||
784 | DEBUG2_3_11(printk("qla2x00_abort_command(%ld): failed=%x.\n", | 784 | DEBUG2_3_11(printk("qla2x00_abort_command(%ld): failed=%x.\n", |
785 | ha->host_no, rval)); | 785 | ha->host_no, rval)); |
786 | } else { | 786 | } else { |
787 | sp->flags |= SRB_ABORT_PENDING; | ||
788 | DEBUG11(printk("qla2x00_abort_command(%ld): done.\n", | 787 | DEBUG11(printk("qla2x00_abort_command(%ld): done.\n", |
789 | ha->host_no)); | 788 | ha->host_no)); |
790 | } | 789 | } |
@@ -2210,7 +2209,6 @@ qla24xx_abort_command(scsi_qla_host_t *ha, srb_t *sp) | |||
2210 | rval = QLA_FUNCTION_FAILED; | 2209 | rval = QLA_FUNCTION_FAILED; |
2211 | } else { | 2210 | } else { |
2212 | DEBUG11(printk("%s(%ld): done.\n", __func__, ha->host_no)); | 2211 | DEBUG11(printk("%s(%ld): done.\n", __func__, ha->host_no)); |
2213 | sp->flags |= SRB_ABORT_PENDING; | ||
2214 | } | 2212 | } |
2215 | 2213 | ||
2216 | dma_pool_free(ha->s_dma_pool, abt, abt_dma); | 2214 | dma_pool_free(ha->s_dma_pool, abt, abt_dma); |