[SCSI] qla2xxx: Correct SRB usage-after-completion/free issues.

The driver is incorrectly assuming that the 'sp' reference held
in qla2[x00|4xx]_abort_command() is valid after the mailbox
command is issued to abort the exchange.  It is *not*, as the
command may be completed during interrupt context before control
is returned to the mailbox caller.

Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
index a9cb8291f58efc5f3332dd8c8b0d000ddf056443..d10cb068245e729a5f80eea7ac868b523361fb4b 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -784,7 +784,6 @@ qla2x00_abort_command(scsi_qla_host_t *ha, srb_t *sp)
                DEBUG2_3_11(printk("qla2x00_abort_command(%ld): failed=%x.\n",
                    ha->host_no, rval));
        } else {
-               sp->flags |= SRB_ABORT_PENDING;
                DEBUG11(printk("qla2x00_abort_command(%ld): done.\n",
                    ha->host_no));
        }
@@ -2210,7 +2209,6 @@ qla24xx_abort_command(scsi_qla_host_t *ha, srb_t *sp)
                rval = QLA_FUNCTION_FAILED;
        } else {
                DEBUG11(printk("%s(%ld): done.\n", __func__, ha->host_no));
-               sp->flags |= SRB_ABORT_PENDING;
        }
 
        dma_pool_free(ha->s_dma_pool, abt, abt_dma);