• David S. Miller's avatar
    esp_scsi: Fix tag state corruption when autosensing. · 21af8107
    David S. Miller authored
    Meelis Roos reports a crash in esp_free_lun_tag() in the presense
    of a disk which has died.
    
    The issue is that when we issue an autosense command, we do so by
    hijacking the original command that caused the check-condition.
    
    When we do so we clear out the ent->tag[] array when we issue it via
    find_and_prep_issuable_command().  This is so that the autosense
    command is forced to be issued non-tagged.
    
    That is problematic, because it is the value of ent->tag[] which
    determines whether we issued the original scsi command as tagged
    vs. non-tagged (see esp_alloc_lun_tag()).
    
    And that, in turn, is what trips up the sanity checks in
    esp_free_lun_tag().  That function needs the original ->tag[] values
    in order to free up the tag slot properly.
    
    Fix this by remembering the original command's tag values, and
    having esp_alloc_lun_tag() and esp_free_lun_tag() use them.
    Reported-by: default avatarMeelis Roos <mroos@linux.ee>
    Tested-by: default avatarMeelis Roos <mroos@linux.ee>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    21af8107
esp_scsi.c 64.9 KB