Commit 841f7067 authored by Stefan Richter's avatar Stefan Richter Committed by Greg Kroah-Hartman

[PATCH] SCSI: fix transfer direction in scsi_lib and st

SCSI: fix transfer direction in scsi_lib and st

scsi_prep_fn and st_init_command could issue WRITE requests with zero
buffer length. This may lead to kernel panic or oops with some SCSI
low-level drivers.

Derived from -rc patches from Jens Axboe and James Bottomley.

Patch is reassembled for -stable from patches:
[SCSI] fix panic when ejecting ieee1394 ipod
[SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)

Depends on patch "SCSI: fix transfer direction in sd (kernel panic when
ejecting iPod)". Also modifies the already correct sr_init_command to
fully match the corresponding -rc patch.
Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 8e58cb47
...@@ -1284,18 +1284,7 @@ static int scsi_prep_fn(struct request_queue *q, struct request *req) ...@@ -1284,18 +1284,7 @@ static int scsi_prep_fn(struct request_queue *q, struct request *req)
goto kill; goto kill;
} }
} else { } else {
memcpy(cmd->cmnd, req->cmd, sizeof(cmd->cmnd)); scsi_setup_blk_pc_cmnd(cmd, 3);
cmd->cmd_len = req->cmd_len;
if (rq_data_dir(req) == WRITE)
cmd->sc_data_direction = DMA_TO_DEVICE;
else if (req->data_len)
cmd->sc_data_direction = DMA_FROM_DEVICE;
else
cmd->sc_data_direction = DMA_NONE;
cmd->transfersize = req->data_len;
cmd->allowed = 3;
cmd->timeout_per_command = req->timeout;
cmd->done = scsi_generic_done; cmd->done = scsi_generic_done;
} }
} }
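Review bot: The retry count in `scsi_setup_blk_pc_cmnd(cmd, 3);` is a bare literal, and nothing on the new side says what the second argument means. The removed lines show it stands in for `cmd->allowed = 3`, so a short comment at the call keeps that visible: `scsi_setup_blk_pc_cmnd(cmd, 3); /* 3 = retries, formerly cmd->allowed = 3 */`. The helper's body is not part of this view, so the direction and length handling it now owns for REQ_BLOCK_PC requests cannot be checked from this hunk. scsi_prep_fn itself starts and ends outside the hunk.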
......
...@@ -320,25 +320,11 @@ static int sr_init_command(struct scsi_cmnd * SCpnt) ...@@ -320,25 +320,11 @@ static int sr_init_command(struct scsi_cmnd * SCpnt)
* these are already setup, just copy cdb basically * these are already setup, just copy cdb basically
*/ */
if (SCpnt->request->flags & REQ_BLOCK_PC) { if (SCpnt->request->flags & REQ_BLOCK_PC) {
struct request *rq = SCpnt->request; scsi_setup_blk_pc_cmnd(SCpnt, MAX_RETRIES);
if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd)) if (SCpnt->timeout_per_command)
return 0; timeout = SCpnt->timeout_per_command;
memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
SCpnt->cmd_len = rq->cmd_len;
if (!rq->data_len)
SCpnt->sc_data_direction = DMA_NONE;
else if (rq_data_dir(rq) == WRITE)
SCpnt->sc_data_direction = DMA_TO_DEVICE;
else
SCpnt->sc_data_direction = DMA_FROM_DEVICE;
this_count = rq->data_len;
if (rq->timeout)
timeout = rq->timeout;
SCpnt->transfersize = rq->data_len;
goto queue; goto queue;
} }
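Review bot: The size check `if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd)) return 0;` disappears from this caller, and from st_init_command in the next section, while the helper that now performs the copy is not shown on this page. If the helper carries no equivalent, a build-time assertion next to its memcpy would keep the guarantee without the old silent `return 0`, for example `BUILD_BUG_ON(sizeof(req->cmd) > sizeof(cmd->cmnd));`. The new branch also no longer assigns `this_count`. The code after the `queue:` label lies outside the hunk, so it is worth confirming that nothing there reads it on this path.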
......
...@@ -4196,27 +4196,10 @@ static void st_intr(struct scsi_cmnd *SCpnt) ...@@ -4196,27 +4196,10 @@ static void st_intr(struct scsi_cmnd *SCpnt)
*/ */
static int st_init_command(struct scsi_cmnd *SCpnt) static int st_init_command(struct scsi_cmnd *SCpnt)
{ {
struct request *rq;
if (!(SCpnt->request->flags & REQ_BLOCK_PC)) if (!(SCpnt->request->flags & REQ_BLOCK_PC))
return 0; return 0;
rq = SCpnt->request; scsi_setup_blk_pc_cmnd(SCpnt, 0);
if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd))
return 0;
memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
SCpnt->cmd_len = rq->cmd_len;
if (rq_data_dir(rq) == WRITE)
SCpnt->sc_data_direction = DMA_TO_DEVICE;
else if (rq->data_len)
SCpnt->sc_data_direction = DMA_FROM_DEVICE;
else
SCpnt->sc_data_direction = DMA_NONE;
SCpnt->timeout_per_command = rq->timeout;
SCpnt->transfersize = rq->data_len;
SCpnt->done = st_intr; SCpnt->done = st_intr;
return 1; return 1;
} }
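Review bot: Passing `0` in `scsi_setup_blk_pc_cmnd(SCpnt, 0);` looks like a behaviour change rather than a pure refactor. The removed lines never wrote a retry count in st_init_command, whereas the scsi_lib section shows the second argument replacing `cmd->allowed = 3`. If zero retries is intended for these requests, say so at the call, for instance `/* no retries; the open-coded path left SCpnt->allowed untouched */`. If it is not intended, the previous value should be preserved. This presumes the helper stores the argument in `allowed`, which cannot be confirmed from this page.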
......