Commit 820bf5c4 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "This is a set of five small fixes: one is a null deref fix which is
  pretty critical for the fc transport class and one fixes a potential
  security issue of sg leaking kernel information"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
  scsi: sg: factor out sg_fill_request_table()
  scsi: sd: Remove unnecessary condition in sd_read_block_limits()
  scsi: acornscsi: fix build error
  scsi: scsi_transport_fc: fix NULL pointer dereference in fc_bsg_job_timeout
parents b8350cd0 3e009749
...@@ -2725,9 +2725,9 @@ int acornscsi_abort(struct scsi_cmnd *SCpnt) ...@@ -2725,9 +2725,9 @@ int acornscsi_abort(struct scsi_cmnd *SCpnt)
* Params : SCpnt - command causing reset * Params : SCpnt - command causing reset
* Returns : one of SCSI_RESET_ macros * Returns : one of SCSI_RESET_ macros
*/ */
int acornscsi_host_reset(struct Scsi_Host *shpnt) int acornscsi_host_reset(struct scsi_cmnd *SCpnt)
{ {
AS_Host *host = (AS_Host *)shpnt->hostdata; AS_Host *host = (AS_Host *)SCpnt->device->host->hostdata;
struct scsi_cmnd *SCptr; struct scsi_cmnd *SCptr;
host->stats.resets += 1; host->stats.resets += 1;
...@@ -2741,7 +2741,7 @@ int acornscsi_host_reset(struct Scsi_Host *shpnt) ...@@ -2741,7 +2741,7 @@ int acornscsi_host_reset(struct Scsi_Host *shpnt)
printk(KERN_WARNING "acornscsi_reset: "); printk(KERN_WARNING "acornscsi_reset: ");
print_sbic_status(asr, ssr, host->scsi.phase); print_sbic_status(asr, ssr, host->scsi.phase);
for (devidx = 0; devidx < 9; devidx ++) { for (devidx = 0; devidx < 9; devidx++)
acornscsi_dumplog(host, devidx); acornscsi_dumplog(host, devidx);
} }
#endif #endif
......
...@@ -3571,7 +3571,7 @@ fc_vport_sched_delete(struct work_struct *work) ...@@ -3571,7 +3571,7 @@ fc_vport_sched_delete(struct work_struct *work)
static enum blk_eh_timer_return static enum blk_eh_timer_return
fc_bsg_job_timeout(struct request *req) fc_bsg_job_timeout(struct request *req)
{ {
struct bsg_job *job = (void *) req->special; struct bsg_job *job = blk_mq_rq_to_pdu(req);
struct Scsi_Host *shost = fc_bsg_to_shost(job); struct Scsi_Host *shost = fc_bsg_to_shost(job);
struct fc_rport *rport = fc_bsg_to_rport(job); struct fc_rport *rport = fc_bsg_to_rport(job);
struct fc_internal *i = to_fc_internal(shost->transportt); struct fc_internal *i = to_fc_internal(shost->transportt);
......
...@@ -2915,8 +2915,6 @@ static void sd_read_block_limits(struct scsi_disk *sdkp) ...@@ -2915,8 +2915,6 @@ static void sd_read_block_limits(struct scsi_disk *sdkp)
sd_config_discard(sdkp, SD_LBP_WS16); sd_config_discard(sdkp, SD_LBP_WS16);
else if (sdkp->lbpws10) else if (sdkp->lbpws10)
sd_config_discard(sdkp, SD_LBP_WS10); sd_config_discard(sdkp, SD_LBP_WS10);
else if (sdkp->lbpu && sdkp->max_unmap_blocks)
sd_config_discard(sdkp, SD_LBP_UNMAP);
else else
sd_config_discard(sdkp, SD_LBP_DISABLE); sd_config_discard(sdkp, SD_LBP_DISABLE);
} }
......
...@@ -828,6 +828,39 @@ static int max_sectors_bytes(struct request_queue *q) ...@@ -828,6 +828,39 @@ static int max_sectors_bytes(struct request_queue *q)
return max_sectors << 9; return max_sectors << 9;
} }
static void
sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
{
Sg_request *srp;
int val;
unsigned int ms;
val = 0;
list_for_each_entry(srp, &sfp->rq_list, entry) {
if (val > SG_MAX_QUEUE)
break;
rinfo[val].req_state = srp->done + 1;
rinfo[val].problem =
srp->header.masked_status &
srp->header.host_status &
srp->header.driver_status;
if (srp->done)
rinfo[val].duration =
srp->header.duration;
else {
ms = jiffies_to_msecs(jiffies);
rinfo[val].duration =
(ms > srp->header.duration) ?
(ms - srp->header.duration) : 0;
}
rinfo[val].orphan = srp->orphan;
rinfo[val].sg_io_owned = srp->sg_io_owned;
rinfo[val].pack_id = srp->header.pack_id;
rinfo[val].usr_ptr = srp->header.usr_ptr;
val++;
}
}
static long static long
sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
{ {
...@@ -1012,38 +1045,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) ...@@ -1012,38 +1045,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
return -EFAULT; return -EFAULT;
else { else {
sg_req_info_t *rinfo; sg_req_info_t *rinfo;
unsigned int ms;
rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE, rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
GFP_KERNEL); GFP_KERNEL);
if (!rinfo) if (!rinfo)
return -ENOMEM; return -ENOMEM;
read_lock_irqsave(&sfp->rq_list_lock, iflags); read_lock_irqsave(&sfp->rq_list_lock, iflags);
val = 0; sg_fill_request_table(sfp, rinfo);
list_for_each_entry(srp, &sfp->rq_list, entry) {
if (val >= SG_MAX_QUEUE)
break;
memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;
rinfo[val].problem =
srp->header.masked_status &
srp->header.host_status &
srp->header.driver_status;
if (srp->done)
rinfo[val].duration =
srp->header.duration;
else {
ms = jiffies_to_msecs(jiffies);
rinfo[val].duration =
(ms > srp->header.duration) ?
(ms - srp->header.duration) : 0;
}
rinfo[val].orphan = srp->orphan;
rinfo[val].sg_io_owned = srp->sg_io_owned;
rinfo[val].pack_id = srp->header.pack_id;
rinfo[val].usr_ptr = srp->header.usr_ptr;
val++;
}
read_unlock_irqrestore(&sfp->rq_list_lock, iflags); read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
result = __copy_to_user(p, rinfo, result = __copy_to_user(p, rinfo,
SZ_SG_REQ_INFO * SG_MAX_QUEUE); SZ_SG_REQ_INFO * SG_MAX_QUEUE);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment