Hi!

while reviewing some type mismatch of wait_for_completion_timeout in
drivers/scsi/aic94xx/aic94xx_tmf.c:asd_clear_nexus() a question regarding
the struct completion use came up:

(line numbers are from 4.0-rc2 linux-next)

351         tascb->completion = &completion;
352
353         ASD_DPRINTK("task not done, clearing nexus\n");
354         if (tascb->tag_valid)
355                 res = asd_clear_nexus_tag(task);
356         else
357                 res = asd_clear_nexus_index(task);
358         leftover = wait_for_completion_timeout(&completion,
359                                                AIC94XX_SCB_TIMEOUT);
360         tascb->completion = NULL;

this looks racy - at least I was not able to figure out what would
prevent complete() from accessing a NULL pointer
(similarly on line 524/525+545)

e.g. in asd_clear_nexus_tasklet_complete()

 85         tcs->dl_opcode = dl->opcode;
 86         complete(ascb->completion);
 87         asd_ascb_free(ascb);

so if the timeout ever occurred would that not result in a NULL access?

what am I overlooking here?

thx!
hofrat
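A userspace model of the ordering the question asks about, added here as an example; it is not code from the aic94xx driver or the kernel. It replays "timeout first, completion late" against an unchecked completer and against one that claims the pointer with an atomic exchange. All type and function names are hypothetical stand-ins, and whether the driver can actually reach this ordering is the open question of the post.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Userspace stand-ins; names are hypothetical, not the kernel's types. */
struct completion { atomic_int done; };
struct ascb_model { _Atomic(struct completion *) completion; };

/* Completer as on quoted line 86; -1 models the NULL dereference. */
static int complete_unchecked(struct ascb_model *a)
{
    struct completion *c = atomic_load(&a->completion);
    if (c == NULL)
        return -1;
    atomic_store(&c->done, 1);
    return 1;
}

/* Guarded completer: whoever swaps out a non-NULL pointer owns it. */
static int complete_claimed(struct ascb_model *a)
{
    struct completion *c = atomic_exchange(&a->completion, NULL);
    if (c == NULL)
        return 0;               /* waiter timed out and withdrew it */
    atomic_store(&c->done, 1);
    return 1;
}

/* Waiter's timeout path (quoted line 360): returns 1 if it withdrew the
 * pointer, 0 if the completer claimed it first and will still signal. */
static int waiter_timeout(struct ascb_model *a)
{
    return atomic_exchange(&a->completion, NULL) != NULL;
}

/* Constructed ordering: the timeout fires first, the completion is late. */
static int late_completion(int (*completer)(struct ascb_model *))
{
    struct completion c = { 0 };
    struct ascb_model a;
    atomic_init(&a.completion, &c);
    waiter_timeout(&a);
    return completer(&a);
}

int main(void)
{
    printf("unchecked: %d, claimed: %d\n",
           late_completion(complete_unchecked),
           late_completion(complete_claimed));
}
```

When `waiter_timeout()` returns 0 the completer already holds the pointer, so a waiter using an on-stack completion has to wait for `done` before returning.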