From: Xiang Chen chenxiang66@hisilicon.com
For some situations that retries three times for internal IOs, sas_task is already released, but sas_free_task() will still be called again. It is possible that sas_task is released incorrectly as sas_task may be allocated for other IO before releasing it again.
Signed-off-by: Xiang Chen chenxiang66@hisilicon.com --- drivers/scsi/hisi_sas/hisi_sas_main.c | 3 ++- drivers/scsi/libsas/sas_expander.c | 3 ++- drivers/scsi/mvsas/mv_sas.c | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c index 9792b2628933..6c693810622b 100644 --- a/drivers/scsi/hisi_sas/hisi_sas_main.c +++ b/drivers/scsi/hisi_sas/hisi_sas_main.c @@ -1354,7 +1354,8 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device, ex_err: if (retry == TASK_RETRY) dev_warn(dev, "abort tmf: executing internal task failed!\n"); - sas_free_task(task); + else + sas_free_task(task); return res; }
diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c index 6425b9fd99ee..dd1d26e96e16 100644 --- a/drivers/scsi/libsas/sas_expander.c +++ b/drivers/scsi/libsas/sas_expander.c @@ -136,7 +136,8 @@ static int smp_execute_task_sg(struct domain_device *dev, pm_runtime_put_sync(ha->dev);
BUG_ON(retry == 3 && task != NULL); - sas_free_task(task); + if (retry != 3) + sas_free_task(task); return res; }
diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c index 1e52bc7febfa..d7200422ac96 100644 --- a/drivers/scsi/mvsas/mv_sas.c +++ b/drivers/scsi/mvsas/mv_sas.c @@ -1350,7 +1350,8 @@ static int mvs_exec_internal_tmf_task(struct domain_device *dev, } ex_err: BUG_ON(retry == 3 && task != NULL); - sas_free_task(task); + if (retry != 3) + sas_free_task(task); return res; }