author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2005-12-14 23:32:33 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2005-12-26 16:08:58 -0800 |
commit | 8e58cb47ade0e69f3c953a41b67913c430c67879 (patch) | |
tree | bd8c01980cc311d7559aba1e996b53fa49ffab29 | |
parent | eec59235580a82f31ec66e066666332b804b0714 (diff) | |
[PATCH] SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)
SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)
sd_init_command could issue WRITE requests with zero buffer length.
This may lead to kernel panic or oops with some SCSI low-level drivers.
Seen with the command "eject /dev/sdX" when disconnecting an iPod:
http://marc.theaimsgroup.com/?l=linux1394-devel&m=113399994920181
http://marc.theaimsgroup.com/?l=linux1394-user&m=112152701817435
Derived from -rc patches from Jens Axboe and James Bottomley.
Patch is reassembled for -stable from patches:
[SCSI] fix panic when ejecting ieee1394 ipod
[SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/scsi/scsi_lib.c | 20 | ||||
-rw-r--r-- | drivers/scsi/sd.c | 16 | ||||
-rw-r--r-- | include/scsi/scsi_cmnd.h | 1 |
3 files changed, 22 insertions, 15 deletions
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 0074f28c37b2..e35dd5d331ce 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1129,6 +1129,26 @@ static void scsi_generic_done(struct scsi_cmnd *cmd)
 scsi_io_completion(cmd, cmd->result == 0 ? cmd->bufflen : 0, 0);
 }
+void scsi_setup_blk_pc_cmnd(struct scsi_cmnd *cmd, int retries)
+{
+ struct request *req = cmd->request;
+
+ BUG_ON(sizeof(req->cmd) > sizeof(cmd->cmnd));
+ memcpy(cmd->cmnd, req->cmd, sizeof(cmd->cmnd));
+ cmd->cmd_len = req->cmd_len;
+ if (!req->data_len)
+ cmd->sc_data_direction = DMA_NONE;
+ else if (rq_data_dir(req) == WRITE)
+ cmd->sc_data_direction = DMA_TO_DEVICE;
+ else
+ cmd->sc_data_direction = DMA_FROM_DEVICE;
+
+ cmd->transfersize = req->data_len;
+ cmd->allowed = retries;
+ cmd->timeout_per_command = req->timeout;
+}
+EXPORT_SYMBOL_GPL(scsi_setup_blk_pc_cmnd);
+
 static int scsi_prep_fn(struct request_queue *q, struct request *req)
 {
 struct scsi_device *sdev = q->queuedata;
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 9a1dc0cea03c..32299612de4e 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -231,24 +231,10 @@ static int sd_init_command(struct scsi_cmnd * SCpnt)
 * SG_IO from block layer already setup, just copy cdb basically
 */
 if (blk_pc_request(rq)) {
- if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd))
- return 0;
-
- memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
- SCpnt->cmd_len = rq->cmd_len;
- if (rq_data_dir(rq) == WRITE)
- SCpnt->sc_data_direction = DMA_TO_DEVICE;
- else if (rq->data_len)
- SCpnt->sc_data_direction = DMA_FROM_DEVICE;
- else
- SCpnt->sc_data_direction = DMA_NONE;
-
- this_count = rq->data_len;
+ scsi_setup_blk_pc_cmnd(SCpnt, SD_PASSTHROUGH_RETRIES);
 if (rq->timeout)
 timeout = rq->timeout;
- SCpnt->transfersize = rq->data_len;
- SCpnt->allowed = SD_PASSTHROUGH_RETRIES;
 goto queue;
 }
diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
index bed4b7c9be99..ebb6a16636d4 100644
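Review bot: In `scsi_setup_blk_pc_cmnd` the `BUG_ON` and the `memcpy` guard opposite directions: the assertion only rejects a `req->cmd` larger than `cmd->cmnd`, while the copy reads `sizeof(cmd->cmnd)` bytes from `req->cmd`, so if the source array were ever the smaller one the copy would read past it and place adjacent request memory in the CDB buffer. Copying the source size keeps both sides bounded under the existing assertion: `memcpy(cmd->cmnd, req->cmd, sizeof(req->cmd));`. Both sizes are compile-time constants, so a build-time check would catch a mismatch without leaving a runtime panic path. `cmd->cmd_len` is taken from `req->cmd_len` with no bound against `sizeof(cmd->cmnd)`; presumably the block layer validates it earlier, which is worth confirming for an exported helper.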
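Review bot: The retained `if (rq->timeout) timeout = rq->timeout;` now follows a helper call that has already written `rq->timeout`, including a zero, into `SCpnt->timeout_per_command`, so the passthrough path depends on code at the `queue:` label, outside this hunk, overwriting that field from the local `timeout`. A one-line comment would make the dependency visible, e.g. `/* helper stores rq->timeout as-is; queue: applies the default when it is 0 */`, assuming that is what `queue:` does. The removed `this_count = rq->data_len;` has no replacement, so it is worth confirming that nothing after `queue:` reads `this_count` for passthrough requests. `sd_init_command` begins and ends outside the hunk.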
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -150,5 +150,6 @@ extern struct scsi_cmnd *scsi_get_command(struct scsi_device *, int);
 extern void scsi_put_command(struct scsi_cmnd *);
 extern void scsi_io_completion(struct scsi_cmnd *, unsigned int, unsigned int);
 extern void scsi_finish_command(struct scsi_cmnd *cmd);
+extern void scsi_setup_blk_pc_cmnd(struct scsi_cmnd *cmd, int retries);
 #endif /* _SCSI_SCSI_CMND_H */ |