RFC scsi: aic94xx: use of complete() looks racy
From: Nicholas Mc Guire @ 2015-03-09 8:32 UTC (permalink / raw)
To: James E.J. Bottomley; +Cc: linux-scsi
Hi !
while reviewing some type mismatch of wait_for_completion_timeout in
drivers/scsi/aic94xx/aic94xx_tmf.c:asd_clear_nexus() a question regarding
the struct completion use came up:
(line numbers are from 4.0-rc2 linux-next)
    351         tascb->completion = &completion;
    352
    353         ASD_DPRINTK("task not done, clearing nexus\n");
    354         if (tascb->tag_valid)
    355                 res = asd_clear_nexus_tag(task);
    356         else
    357                 res = asd_clear_nexus_index(task);
    358         leftover = wait_for_completion_timeout(&completion,
    359                                                AIC94XX_SCB_TIMEOUT);
    360         tascb->completion = NULL;
this looks racy - at least I was not able to figure out what would prevent
complete() from accessing a NULL pointer (similarly on line 524/525+545)
e.g. in asd_clear_nexus_tasklet_complete()
     85         tcs->dl_opcode = dl->opcode;
     86         complete(ascb->completion);
     87         asd_ascb_free(ascb);
so if the timeout ever occurred would that not result in a NULL access?
what am I overlooking here?
thx!
hofrat