hpsa: fix a race in cmd_free/scsi_done

commit 2cc5bfaf854463d9d1aa52091f60110fbf102a96 upstream.

When the driver calls scsi_done and after that frees it's internal
preallocated memory it can happen that a new job is enqueud before
the memory is freed. The allocation fails and the message
"cmd_alloc returned NULL" is shown.
Patch below fixes it by moving cmd->scsi_done after cmd_free.

Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Acked-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Masoud Sharbiani <msharbiani@twopensource.com>

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index 603a2cb..64c8a80 100644 (file)
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -1126,8 +1126,8 @@ static void complete_scsi_command(struct CommandList *cp)
        scsi_set_resid(cmd, ei->ResidualCnt);
 
        if (ei->CommandStatus == 0) {
-               cmd->scsi_done(cmd);
                cmd_free(h, cp);
+               cmd->scsi_done(cmd);
                return;
        }
 
@@ -1300,8 +1300,8 @@ static void complete_scsi_command(struct CommandList *cp)
                dev_warn(&h->pdev->dev, "cp %p returned unknown status %x\n",
                                cp, ei->CommandStatus);
        }
-       cmd->scsi_done(cmd);
        cmd_free(h, cp);
+       cmd->scsi_done(cmd);
 }
 
 static int hpsa_scsi_detect(struct ctlr_info *h)