sbp2_command_orb_lock must be held when accessing the _orb_inuse list.
Fixes an oops in sbp2util_find_command_for_SCpnt after sbp2scsi_abort:
https://bugzilla.novell.com/show_bug.cgi?id=113734
Signed-off-by: Jody McIntyre <scjody@steamballoon.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c
index 12cec7c..f7e18cc 100644
--- a/drivers/ieee1394/sbp2.c
+++ b/drivers/ieee1394/sbp2.c
@@ -2350,6 +2350,7 @@
struct scsi_cmnd *SCpnt = NULL;
u32 scsi_status = SBP2_SCSI_STATUS_GOOD;
struct sbp2_command_info *command;
+ unsigned long flags;
SBP2_DEBUG("sbp2_handle_status_write");
@@ -2451,9 +2452,11 @@
* null out last orb so that next time around we write directly to the orb pointer...
* Quick start saves one 1394 bus transaction.
*/
+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags);
if (list_empty(&scsi_id->sbp2_command_orb_inuse)) {
scsi_id->last_orb = NULL;
}
+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
} else {
@@ -2563,9 +2566,11 @@
struct sbp2scsi_host_info *hi = scsi_id->hi;
struct list_head *lh;
struct sbp2_command_info *command;
+ unsigned long flags;
SBP2_DEBUG("sbp2scsi_complete_all_commands");
+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags);
while (!list_empty(&scsi_id->sbp2_command_orb_inuse)) {
SBP2_DEBUG("Found pending command to complete");
lh = scsi_id->sbp2_command_orb_inuse.next;
@@ -2582,6 +2587,7 @@
command->Current_done(command->Current_SCpnt);
}
}
+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
return;
}