Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley: "This is a set of five small fixes: one is a null deref fix which is pretty critical for the fc transport class and one fixes a potential security issue of sg leaking kernel information" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE scsi: sg: factor out sg_fill_request_table() scsi: sd: Remove unnecessary condition in sd_read_block_limits() scsi: acornscsi: fix build error scsi: scsi_transport_fc: fix NULL pointer dereference in fc_bsg_job_timeout
author: Linus Torvalds <torvalds@linux-foundation.org> 2017-09-19 23:09:55 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2017-09-19 23:09:55 -0400
commit: 820bf5c419e4b85298e5c3001bd1b5be46d60765 (patch)
tree: 2f7321d28c194871b38f7e90fa68a46ae2df5ab1
parent: b8350cd00407a121e10727d9591026d6194714b7 (diff)
parent: 3e0097499839e0fe3af380410eababe5a47c4cf9 (diff)
4 files changed, 40 insertions, 34 deletions
diff --git a/drivers/scsi/arm/acornscsi.c b/drivers/scsi/arm/acornscsi.c
index 690816f3c6af..421fe869a11e 100644
--- a/drivers/scsi/arm/acornscsi.c
+++ b/drivers/scsi/arm/acornscsi.c
@@ -2725,9 +2725,9 @@ int acornscsi_abort(struct scsi_cmnd *SCpnt)
 * Params   : SCpnt  - command causing reset
 * Returns  : one of SCSI_RESET_ macros
 */
-int acornscsi_host_reset(struct Scsi_Host *shpnt)
+int acornscsi_host_reset(struct scsi_cmnd *SCpnt)
 {
-        AS_Host *host = (AS_Host *)shpnt->hostdata;
+        AS_Host *host = (AS_Host *)SCpnt->device->host->hostdata;
        struct scsi_cmnd *SCptr;
    
    host->stats.resets += 1;
@@ -2741,7 +2741,7 @@ int acornscsi_host_reset(struct Scsi_Host *shpnt)
        printk(KERN_WARNING "acornscsi_reset: ");
        print_sbic_status(asr, ssr, host->scsi.phase);
-        for (devidx = 0; devidx < 9; devidx ++) {
+        for (devidx = 0; devidx < 9; devidx++)
            acornscsi_dumplog(host, devidx);
    }
 #endif
diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c
index 3c6bc0081fcb..ba9d70f8a6a1 100644
--- a/drivers/scsi/scsi_transport_fc.c
+++ b/drivers/scsi/scsi_transport_fc.c
@@ -3571,7 +3571,7 @@ fc_vport_sched_delete(struct work_struct *work)
 static enum blk_eh_timer_return
 fc_bsg_job_timeout(struct request *req)
 {
-        struct bsg_job *job = (void *) req->special;
+        struct bsg_job *job = blk_mq_rq_to_pdu(req);
        struct Scsi_Host *shost = fc_bsg_to_shost(job);
        struct fc_rport *rport = fc_bsg_to_rport(job);
        struct fc_internal *i = to_fc_internal(shost->transportt);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 11c1738c2100..fb9f8b5f4673 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2915,8 +2915,6 @@ static void sd_read_block_limits(struct scsi_disk *sdkp)
                                sd_config_discard(sdkp, SD_LBP_WS16);
                        else if (sdkp->lbpws10)
                                sd_config_discard(sdkp, SD_LBP_WS10);
-                        else if (sdkp->lbpu && sdkp->max_unmap_blocks)
-                                sd_config_discard(sdkp, SD_LBP_UNMAP);
                        else
                                sd_config_discard(sdkp, SD_LBP_DISABLE);
                }
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index cf0e71db9e51..0419c2298eab 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -828,6 +828,39 @@ static int max_sectors_bytes(struct request_queue *q)
        return max_sectors << 9;
 }
+static void
+sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
+{
+        Sg_request *srp;
+        int val;
+        unsigned int ms;
+        val = 0;
+        list_for_each_entry(srp, &sfp->rq_list, entry) {
+                if (val > SG_MAX_QUEUE)
+                        break;
+                rinfo[val].req_state = srp->done + 1;
+                rinfo[val].problem =
+                        srp->header.masked_status &
+                        srp->header.host_status &
+                        srp->header.driver_status;
+                if (srp->done)
+                        rinfo[val].duration =
+                                srp->header.duration;
+                else {
+                        ms = jiffies_to_msecs(jiffies);
+                        rinfo[val].duration =
+                                (ms > srp->header.duration) ?
+                                (ms - srp->header.duration) : 0;
+                }
+                rinfo[val].orphan = srp->orphan;
+                rinfo[val].sg_io_owned = srp->sg_io_owned;
+                rinfo[val].pack_id = srp->header.pack_id;
+                rinfo[val].usr_ptr = srp->header.usr_ptr;
+                val++;
+        }
+}
 static long
 sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 {
@@ -1012,38 +1045,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                        return -EFAULT;
                else {
                        sg_req_info_t *rinfo;
-                        unsigned int ms;
-                        rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+                        rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
-                                                                GFP_KERNEL);
+                                        GFP_KERNEL);
                        if (!rinfo)
                                return -ENOMEM;
                        read_lock_irqsave(&sfp->rq_list_lock, iflags);
-                        val = 0;
+                        sg_fill_request_table(sfp, rinfo);
-                        list_for_each_entry(srp, &sfp->rq_list, entry) {
-                                if (val >= SG_MAX_QUEUE)
-                                        break;
-                                memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
-                                rinfo[val].req_state = srp->done + 1;
-                                rinfo[val].problem =
-                                        srp->header.masked_status &
-                                        srp->header.host_status &
-                                        srp->header.driver_status;
-                                if (srp->done)
-                                        rinfo[val].duration =
-                                                srp->header.duration;
-                                else {
-                                        ms = jiffies_to_msecs(jiffies);
-                                        rinfo[val].duration =
-                                                (ms > srp->header.duration) ?
-                                                (ms - srp->header.duration) : 0;
-                                }
-                                rinfo[val].orphan = srp->orphan;
-                                rinfo[val].sg_io_owned = srp->sg_io_owned;
-                                rinfo[val].pack_id = srp->header.pack_id;
-                                rinfo[val].usr_ptr = srp->header.usr_ptr;
-                                val++;
-                        }
                        read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
                        result = __copy_to_user(p, rinfo,
                                                SZ_SG_REQ_INFO * SG_MAX_QUEUE);
author	Linus Torvalds <torvalds@linux-foundation.org>	2017-09-19 23:09:55 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-09-19 23:09:55 -0400
commit	820bf5c419e4b85298e5c3001bd1b5be46d60765 (patch)
tree	2f7321d28c194871b38f7e90fa68a46ae2df5ab1
parent	b8350cd00407a121e10727d9591026d6194714b7 (diff)
parent	3e0097499839e0fe3af380410eababe5a47c4cf9 (diff)