Commit 0c23b856 authored by Andrew Vasquez's avatar Andrew Vasquez Committed by James Bottomley

[SCSI] qla2xxx: Correct SRB usage-after-completion/free issues.

The driver is incorrectly assuming that the 'sp' reference held
in qla2[x00|4xx]_abort_command() is valid after the mailbox
command is issued to abort the exchange.  It is *not*, as the
command may be completed during interrupt context before control
is returned to the mailbox caller.
Signed-off-by: default avatarAndrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
parent c1ec1f1b
...@@ -784,7 +784,6 @@ qla2x00_abort_command(scsi_qla_host_t *ha, srb_t *sp) ...@@ -784,7 +784,6 @@ qla2x00_abort_command(scsi_qla_host_t *ha, srb_t *sp)
DEBUG2_3_11(printk("qla2x00_abort_command(%ld): failed=%x.\n", DEBUG2_3_11(printk("qla2x00_abort_command(%ld): failed=%x.\n",
ha->host_no, rval)); ha->host_no, rval));
} else { } else {
sp->flags |= SRB_ABORT_PENDING;
DEBUG11(printk("qla2x00_abort_command(%ld): done.\n", DEBUG11(printk("qla2x00_abort_command(%ld): done.\n",
ha->host_no)); ha->host_no));
} }
...@@ -2210,7 +2209,6 @@ qla24xx_abort_command(scsi_qla_host_t *ha, srb_t *sp) ...@@ -2210,7 +2209,6 @@ qla24xx_abort_command(scsi_qla_host_t *ha, srb_t *sp)
rval = QLA_FUNCTION_FAILED; rval = QLA_FUNCTION_FAILED;
} else { } else {
DEBUG11(printk("%s(%ld): done.\n", __func__, ha->host_no)); DEBUG11(printk("%s(%ld): done.\n", __func__, ha->host_no));
sp->flags |= SRB_ABORT_PENDING;
} }
dma_pool_free(ha->s_dma_pool, abt, abt_dma); dma_pool_free(ha->s_dma_pool, abt, abt_dma);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment