sbp2_command_orb_lock must be held when accessing the _orb_inuse list. Fixes an oops in sbp2util_find_command_for_SCpnt after sbp2scsi_abort: https://bugzilla.novell.com/show_bug.cgi?id=113734 Signed-off-by: Jody McIntyre Signed-off-by: Stefan Richter
---
Bug has been spotted several times during the past months, e.g. at http://lkml.org/lkml/2004/9/21/9 http://lkml.org/lkml/2005/2/5/99 sbp2.c | 6 ++++++ 1 files changed, 6 insertions(+)
diff -uprN -X linux-2.6.14-git3/Documentation/dontdiff linux-2.6.14-git3/drivers/ieee1394.orig/sbp2.c linux-2.6.14-git3/drivers/ieee1394/sbp2.c
--- linux-2.6.14-git3/drivers/ieee1394.orig/sbp2.c 2005-10-28 02:02:08.000000000 +0200
+++ linux-2.6.14-git3/drivers/ieee1394/sbp2.c 2005-10-31 12:42:28.000000000 +0100
@@ -2350,6 +2350,7 @@ static int sbp2_handle_status_write(stru
 struct scsi_cmnd *SCpnt = NULL;
 u32 scsi_status = SBP2_SCSI_STATUS_GOOD;
 struct sbp2_command_info *command;
+ unsigned long flags;
 SBP2_DEBUG("sbp2_handle_status_write");
@@ -2451,9 +2452,11 @@ static int sbp2_handle_status_write(stru
 * null out last orb so that next time around we write directly to the orb pointer...
 * Quick start saves one 1394 bus transaction.
 */
+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags);
 if (list_empty(&scsi_id->sbp2_command_orb_inuse)) {
 scsi_id->last_orb = NULL;
 }
+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
 } else {
@@ -2563,9 +2566,11 @@ static void sbp2scsi_complete_all_comman
 struct sbp2scsi_host_info *hi = scsi_id->hi;
 struct list_head *lh;
 struct sbp2_command_info *command;
+ unsigned long flags;
 SBP2_DEBUG("sbp2scsi_complete_all_commands");
+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags);
 while (!list_empty(&scsi_id->sbp2_command_orb_inuse)) {
 SBP2_DEBUG("Found pending command to complete");
 lh = scsi_id->sbp2_command_orb_inuse.next;
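Review bot: In the second hunk of sbp2_handle_status_write, `scsi_id->last_orb` is now cleared under `sbp2_command_orb_lock`, but nothing visible here states whether the lock is meant to cover `last_orb` as well as the in-use list. If the path that links a new ORB and sets `last_orb` does not take the same lock, the empty-list check and the clear can still interleave with a submission. I would record the rule where the lock is declared, e.g. `/* sbp2_command_orb_lock protects sbp2_command_orb_inuse and last_orb */`, and confirm the submit path follows it. The function body starts and ends outside the hunk.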
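Review bot: In sbp2scsi_complete_all_commands the new `spin_lock_irqsave()` is held, with interrupts off, across the entire `while` loop, and the matching unlock in the following hunk (@@ -2582) runs only after `command->Current_done(command->Current_SCpnt)` has been called for every pending command. Spinlocks are not recursive, so if the completion callback or any helper called in the part of the loop body not shown here takes `sbp2_command_orb_lock` again, the CPU deadlocks on abort or disconnect, trading the oops for a hang. Either verify that nothing reached from the loop body acquires this lock, or detach each entry from the list under the lock and release it before calling `Current_done`. The loop body between the two hunks is outside the diff, so this could not be checked from the page.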
@@ -2582,6 +2587,7 @@ static void sbp2scsi_complete_all_comman
 command->Current_done(command->Current_SCpnt);
 }
 }
+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
 return;
 }