[SCSI] hpsa: fix a race in cmd_free/scsi_done

When the driver calls scsi_done and after that frees it's internal
preallocated memory it can happen that a new job is enqueud before
the memory is freed. The allocation fails and the message
"cmd_alloc returned NULL" is shown.
Patch below fixes it by moving cmd->scsi_done after cmd_free.

Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Acked-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index 7f4f790a3d716109ed2a73a8379b222ed8019331..21fd2b182ec9059982f132041fbfcb29e3d756fb 100644 (file)
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -1205,8 +1205,8 @@ static void complete_scsi_command(struct CommandList *cp)
        scsi_set_resid(cmd, ei->ResidualCnt);
 
        if (ei->CommandStatus == 0) {
-               cmd->scsi_done(cmd);
                cmd_free(h, cp);
+               cmd->scsi_done(cmd);
                return;
        }
 
@@ -1379,8 +1379,8 @@ static void complete_scsi_command(struct CommandList *cp)
                dev_warn(&h->pdev->dev, "cp %p returned unknown status %x\n",
                                cp, ei->CommandStatus);
        }
-       cmd->scsi_done(cmd);
        cmd_free(h, cp);
+       cmd->scsi_done(cmd);
 }
 
 static void hpsa_pci_unmap(struct pci_dev *pdev,