User: | Jiri Slaby |
Error type: | Invalid Pointer Dereference |
Error type description: | A pointer which is invalid is being dereferenced |
File location: | drivers/scsi/NCR5380.c |
Line in file: | 2786 |
Project: | Linux Kernel |
Project version: | 2.6.28 |
Tools: | Smatch (1.59) |
Entered: | 2013-09-11 08:47:26 UTC |
2756 2757 if (hostdata->connected) { 2758 dprintk(NDEBUG_ABORT, ("scsi%d : abort failed, command connected.\n", instance->host_no)); 2759 return FAILED; 2760 } 2761/* 2762 * Case 4: If the command is currently disconnected from the bus, and 2763 * there are no connected commands, we reconnect the I_T_L or 2764 * I_T_L_Q nexus associated with it, go into message out, and send 2765 * an abort message. 2766 * 2767 * This case is especially ugly. In order to reestablish the nexus, we 2768 * need to call NCR5380_select(). The easiest way to implement this 2769 * function was to abort if the bus was busy, and let the interrupt 2770 * handler triggered on the SEL for reselect take care of lost arbitrations 2771 * where necessary, meaning interrupts need to be enabled. 2772 * 2773 * When interrupts are enabled, the queues may change - so we 2774 * can't remove it from the disconnected queue before selecting it 2775 * because that could cause a failure in hashing the nexus if that 2776 * device reselected. 2777 * 2778 * Since the queues may change, we can't use the pointers from when we 2779 * first locate it. 2780 * 2781 * So, we must first locate the command, and if NCR5380_select() 2782 * succeeds, then issue the abort, relocate the command and remove 2783 * it from the disconnected queue. 2784 */ 2785 2786 for (tmp = (Scsi_Cmnd *) hostdata->disconnected_queue; tmp; tmp = (Scsi_Cmnd *) tmp->host_scribble) 2787 if (cmd == tmp) { 2788 dprintk(NDEBUG_ABORT, ("scsi%d : aborting disconnected command.\n", instance->host_no)); 2789 2790 if (NCR5380_select(instance, cmd, (int) cmd->tag)) 2791 return FAILED; 2792 dprintk(NDEBUG_ABORT, ("scsi%d : nexus reestablished.\n", instance->host_no)); 2793 2794 do_abort(instance); 2795 2796 for (prev = (Scsi_Cmnd **) & (hostdata->disconnected_queue), tmp = (Scsi_Cmnd *) hostdata->disconnected_queue; tmp; prev = (Scsi_Cmnd **) & (tmp->host_scribble), tmp = (Scsi_Cmnd *) tmp->host_scribble)