diff options
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2005-12-14 23:34:11 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2005-12-26 16:08:58 -0800 |
commit | 841f70676036b309f7102e2c8024dc68c3946990 (patch) | |
tree | 9c1358760ce8a80ae2889a3f211fb4653ed761cf | |
parent | 8e58cb47ade0e69f3c953a41b67913c430c67879 (diff) |
[PATCH] SCSI: fix transfer direction in scsi_lib and st
SCSI: fix transfer direction in scsi_lib and st
scsi_prep_fn and st_init_command could issue WRITE requests with zero
buffer length. This may lead to kernel panic or oops with some SCSI
low-level drivers.
Derived from -rc patches from Jens Axboe and James Bottomley.
Patch is reassembled for -stable from patches:
[SCSI] fix panic when ejecting ieee1394 ipod
[SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)
Depends on patch "SCSI: fix transfer direction in sd (kernel panic when
ejecting iPod)". Also modifies the already correct sr_init_command to
fully match the corresponding -rc patch.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/scsi/scsi_lib.c | 13 | ||||
-rw-r--r-- | drivers/scsi/sr.c | 20 | ||||
-rw-r--r-- | drivers/scsi/st.c | 19 |
3 files changed, 5 insertions, 47 deletions
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index e35dd5d331ce..a71ad5a42b43 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1284,18 +1284,7 @@ static int scsi_prep_fn(struct request_queue *q, struct request *req) goto kill; } } else { - memcpy(cmd->cmnd, req->cmd, sizeof(cmd->cmnd)); - cmd->cmd_len = req->cmd_len; - if (rq_data_dir(req) == WRITE) - cmd->sc_data_direction = DMA_TO_DEVICE; - else if (req->data_len) - cmd->sc_data_direction = DMA_FROM_DEVICE; - else - cmd->sc_data_direction = DMA_NONE; - - cmd->transfersize = req->data_len; - cmd->allowed = 3; - cmd->timeout_per_command = req->timeout; + scsi_setup_blk_pc_cmnd(cmd, 3); cmd->done = scsi_generic_done; } } diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c index 561901b1cf11..ffdcd60f0936 100644 --- a/drivers/scsi/sr.c +++ b/drivers/scsi/sr.c @@ -320,25 +320,11 @@ static int sr_init_command(struct scsi_cmnd * SCpnt) * these are already setup, just copy cdb basically */ if (SCpnt->request->flags & REQ_BLOCK_PC) { - struct request *rq = SCpnt->request; + scsi_setup_blk_pc_cmnd(SCpnt, MAX_RETRIES); - if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd)) - return 0; - - memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd)); - SCpnt->cmd_len = rq->cmd_len; - if (!rq->data_len) - SCpnt->sc_data_direction = DMA_NONE; - else if (rq_data_dir(rq) == WRITE) - SCpnt->sc_data_direction = DMA_TO_DEVICE; - else - SCpnt->sc_data_direction = DMA_FROM_DEVICE; - - this_count = rq->data_len; - if (rq->timeout) - timeout = rq->timeout; + if (SCpnt->timeout_per_command) + timeout = SCpnt->timeout_per_command; - SCpnt->transfersize = rq->data_len; goto queue; } diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c index d001c046551b..6ded0f52b58c 100644 --- a/drivers/scsi/st.c +++ b/drivers/scsi/st.c @@ -4196,27 +4196,10 @@ static void st_intr(struct scsi_cmnd *SCpnt) */ static int st_init_command(struct scsi_cmnd *SCpnt) { - struct request *rq; - if (!(SCpnt->request->flags & REQ_BLOCK_PC)) return 0; - rq = SCpnt->request; - if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd)) - return 0; - - memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd)); - SCpnt->cmd_len = rq->cmd_len; - - if (rq_data_dir(rq) == WRITE) - SCpnt->sc_data_direction = DMA_TO_DEVICE; - else if (rq->data_len) - SCpnt->sc_data_direction = DMA_FROM_DEVICE; - else - SCpnt->sc_data_direction = DMA_NONE; - - SCpnt->timeout_per_command = rq->timeout; - SCpnt->transfersize = rq->data_len; + scsi_setup_blk_pc_cmnd(SCpnt, 0); SCpnt->done = st_intr; return 1; } |