aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristoph Hellwig <hch@lst.de>2006-07-08 14:42:15 -0400
committerJames Bottomley <jejb@mulgrave.il.steeleye.com>2006-07-09 12:56:44 -0400
commit631c228cd09bd5b93090fa60bd9803ec14aa0586 (patch)
tree3d15819bbdc30e291c342e06a0694184b1616996
parentae0fda0cdf009731a33f031f86df8566f1977ffe (diff)
[SCSI] hide EH backup data outside the scsi_cmnd
Currently struct scsi_cmnd has various fields that are used to backup original data after the corresponding fields have been overridden for EH commands. This means drivers can easily get at it and misuse it. Due to the old_ naming this doesn't happen for most of them, but two that have different names have been used wrong a lot (see previous patch). Another downside is that they unessecarily bloat the scsi_cmnd size. This patch moves them onstack in scsi_send_eh_cmnd to fix those two issues aswell as allowing future EH fixes like moving the EH command submissions to use SG lists like everything else. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
-rw-r--r--drivers/scsi/aha152x.c14
-rw-r--r--drivers/scsi/scsi.c11
-rw-r--r--drivers/scsi/scsi_error.c210
-rw-r--r--drivers/scsi/scsi_lib.c88
-rw-r--r--drivers/scsi/scsi_priv.h1
-rw-r--r--drivers/scsi/sd.c3
-rw-r--r--drivers/scsi/sr.c5
-rw-r--r--include/scsi/scsi_cmnd.h9
8 files changed, 108 insertions, 233 deletions
diff --git a/drivers/scsi/aha152x.c b/drivers/scsi/aha152x.c
index cff3d389b01..f974869ea32 100644
--- a/drivers/scsi/aha152x.c
+++ b/drivers/scsi/aha152x.c
@@ -1179,6 +1179,10 @@ static int aha152x_device_reset(Scsi_Cmnd * SCpnt)
1179 DECLARE_MUTEX_LOCKED(sem); 1179 DECLARE_MUTEX_LOCKED(sem);
1180 struct timer_list timer; 1180 struct timer_list timer;
1181 int ret, issued, disconnected; 1181 int ret, issued, disconnected;
1182 unsigned char old_cmd_len = SCpnt->cmd_len;
1183 unsigned short old_use_sg = SCpnt->use_sg;
1184 void *old_buffer = SCpnt->request_buffer;
1185 unsigned old_bufflen = SCpnt->request_bufflen;
1182 unsigned long flags; 1186 unsigned long flags;
1183 1187
1184#if defined(AHA152X_DEBUG) 1188#if defined(AHA152X_DEBUG)
@@ -1212,11 +1216,11 @@ static int aha152x_device_reset(Scsi_Cmnd * SCpnt)
1212 add_timer(&timer); 1216 add_timer(&timer);
1213 down(&sem); 1217 down(&sem);
1214 del_timer(&timer); 1218 del_timer(&timer);
1215 1219
1216 SCpnt->cmd_len = SCpnt->old_cmd_len; 1220 SCpnt->cmd_len = old_cmd_len;
1217 SCpnt->use_sg = SCpnt->old_use_sg; 1221 SCpnt->use_sg = old_use_sg;
1218 SCpnt->request_buffer = SCpnt->buffer; 1222 SCpnt->request_buffer = old_buffer;
1219 SCpnt->request_bufflen = SCpnt->bufflen; 1223 SCpnt->request_bufflen = old_bufflen;
1220 1224
1221 DO_LOCK(flags); 1225 DO_LOCK(flags);
1222 1226
diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
index 2ab7df0dcfe..b332caddd5b 100644
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -346,7 +346,7 @@ void scsi_log_send(struct scsi_cmnd *cmd)
346 if (level > 3) { 346 if (level > 3) {
347 printk(KERN_INFO "buffer = 0x%p, bufflen = %d," 347 printk(KERN_INFO "buffer = 0x%p, bufflen = %d,"
348 " done = 0x%p, queuecommand 0x%p\n", 348 " done = 0x%p, queuecommand 0x%p\n",
349 cmd->buffer, cmd->bufflen, 349 cmd->request_buffer, cmd->request_bufflen,
350 cmd->done, 350 cmd->done,
351 sdev->host->hostt->queuecommand); 351 sdev->host->hostt->queuecommand);
352 352
@@ -661,11 +661,6 @@ void __scsi_done(struct scsi_cmnd *cmd)
661 */ 661 */
662int scsi_retry_command(struct scsi_cmnd *cmd) 662int scsi_retry_command(struct scsi_cmnd *cmd)
663{ 663{
664 /*
665 * Restore the SCSI command state.
666 */
667 scsi_setup_cmd_retry(cmd);
668
669 /* 664 /*
670 * Zero the sense information from the last time we tried 665 * Zero the sense information from the last time we tried
671 * this command. 666 * this command.
@@ -711,10 +706,6 @@ void scsi_finish_command(struct scsi_cmnd *cmd)
711 "Notifying upper driver of completion " 706 "Notifying upper driver of completion "
712 "(result %x)\n", cmd->result)); 707 "(result %x)\n", cmd->result));
713 708
714 /*
715 * We can get here with use_sg=0, causing a panic in the upper level
716 */
717 cmd->use_sg = cmd->old_use_sg;
718 cmd->done(cmd); 709 cmd->done(cmd);
719} 710}
720EXPORT_SYMBOL(scsi_finish_command); 711EXPORT_SYMBOL(scsi_finish_command);
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index 6683d596234..6a5b731bd5b 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -460,19 +460,67 @@ static void scsi_eh_done(struct scsi_cmnd *scmd)
460 * Return value: 460 * Return value:
461 * SUCCESS or FAILED or NEEDS_RETRY 461 * SUCCESS or FAILED or NEEDS_RETRY
462 **/ 462 **/
463static int scsi_send_eh_cmnd(struct scsi_cmnd *scmd, int timeout) 463static int scsi_send_eh_cmnd(struct scsi_cmnd *scmd, int timeout, int copy_sense)
464{ 464{
465 struct scsi_device *sdev = scmd->device; 465 struct scsi_device *sdev = scmd->device;
466 struct Scsi_Host *shost = sdev->host; 466 struct Scsi_Host *shost = sdev->host;
467 int old_result = scmd->result;
467 DECLARE_COMPLETION(done); 468 DECLARE_COMPLETION(done);
468 unsigned long timeleft; 469 unsigned long timeleft;
469 unsigned long flags; 470 unsigned long flags;
471 unsigned char old_cmnd[MAX_COMMAND_SIZE];
472 enum dma_data_direction old_data_direction;
473 unsigned short old_use_sg;
474 unsigned char old_cmd_len;
475 unsigned old_bufflen;
476 void *old_buffer;
470 int rtn; 477 int rtn;
471 478
479 /*
480 * We need saved copies of a number of fields - this is because
481 * error handling may need to overwrite these with different values
482 * to run different commands, and once error handling is complete,
483 * we will need to restore these values prior to running the actual
484 * command.
485 */
486 old_buffer = scmd->request_buffer;
487 old_bufflen = scmd->request_bufflen;
488 memcpy(old_cmnd, scmd->cmnd, sizeof(scmd->cmnd));
489 old_data_direction = scmd->sc_data_direction;
490 old_cmd_len = scmd->cmd_len;
491 old_use_sg = scmd->use_sg;
492
493 if (copy_sense) {
494 int gfp_mask = GFP_ATOMIC;
495
496 if (shost->hostt->unchecked_isa_dma)
497 gfp_mask |= __GFP_DMA;
498
499 scmd->sc_data_direction = DMA_FROM_DEVICE;
500 scmd->request_bufflen = 252;
501 scmd->request_buffer = kzalloc(scmd->request_bufflen, gfp_mask);
502 if (!scmd->request_buffer)
503 return FAILED;
504 } else {
505 scmd->request_buffer = NULL;
506 scmd->request_bufflen = 0;
507 scmd->sc_data_direction = DMA_NONE;
508 }
509
510 scmd->underflow = 0;
511 scmd->use_sg = 0;
512 scmd->cmd_len = COMMAND_SIZE(scmd->cmnd[0]);
513
472 if (sdev->scsi_level <= SCSI_2) 514 if (sdev->scsi_level <= SCSI_2)
473 scmd->cmnd[1] = (scmd->cmnd[1] & 0x1f) | 515 scmd->cmnd[1] = (scmd->cmnd[1] & 0x1f) |
474 (sdev->lun << 5 & 0xe0); 516 (sdev->lun << 5 & 0xe0);
475 517
518 /*
519 * Zero the sense buffer. The scsi spec mandates that any
520 * untransferred sense data should be interpreted as being zero.
521 */
522 memset(scmd->sense_buffer, 0, sizeof(scmd->sense_buffer));
523
476 shost->eh_action = &done; 524 shost->eh_action = &done;
477 525
478 spin_lock_irqsave(shost->host_lock, flags); 526 spin_lock_irqsave(shost->host_lock, flags);
@@ -522,6 +570,29 @@ static int scsi_send_eh_cmnd(struct scsi_cmnd *scmd, int timeout)
522 rtn = FAILED; 570 rtn = FAILED;
523 } 571 }
524 572
573
574 /*
575 * Last chance to have valid sense data.
576 */
577 if (copy_sense) {
578 if (!SCSI_SENSE_VALID(scmd)) {
579 memcpy(scmd->sense_buffer, scmd->request_buffer,
580 sizeof(scmd->sense_buffer));
581 }
582 kfree(scmd->request_buffer);
583 }
584
585
586 /*
587 * Restore original data
588 */
589 scmd->request_buffer = old_buffer;
590 scmd->request_bufflen = old_bufflen;
591 memcpy(scmd->cmnd, old_cmnd, sizeof(scmd->cmnd));
592 scmd->sc_data_direction = old_data_direction;
593 scmd->cmd_len = old_cmd_len;
594 scmd->use_sg = old_use_sg;
595 scmd->result = old_result;
525 return rtn; 596 return rtn;
526} 597}
527 598
@@ -537,56 +608,10 @@ static int scsi_send_eh_cmnd(struct scsi_cmnd *scmd, int timeout)
537static int scsi_request_sense(struct scsi_cmnd *scmd) 608static int scsi_request_sense(struct scsi_cmnd *scmd)
538{ 609{
539 static unsigned char generic_sense[6] = 610 static unsigned char generic_sense[6] =
540 {REQUEST_SENSE, 0, 0, 0, 252, 0}; 611 {REQUEST_SENSE, 0, 0, 0, 252, 0};
541 unsigned char *scsi_result;
542 int saved_result;
543 int rtn;
544 612
545 memcpy(scmd->cmnd, generic_sense, sizeof(generic_sense)); 613 memcpy(scmd->cmnd, generic_sense, sizeof(generic_sense));
546 614 return scsi_send_eh_cmnd(scmd, SENSE_TIMEOUT, 1);
547 scsi_result = kmalloc(252, GFP_ATOMIC | ((scmd->device->host->hostt->unchecked_isa_dma) ? __GFP_DMA : 0));
548
549
550 if (unlikely(!scsi_result)) {
551 printk(KERN_ERR "%s: cannot allocate scsi_result.\n",
552 __FUNCTION__);
553 return FAILED;
554 }
555
556 /*
557 * zero the sense buffer. some host adapters automatically always
558 * request sense, so it is not a good idea that
559 * scmd->request_buffer and scmd->sense_buffer point to the same
560 * address (db). 0 is not a valid sense code.
561 */
562 memset(scmd->sense_buffer, 0, sizeof(scmd->sense_buffer));
563 memset(scsi_result, 0, 252);
564
565 saved_result = scmd->result;
566 scmd->request_buffer = scsi_result;
567 scmd->request_bufflen = 252;
568 scmd->use_sg = 0;
569 scmd->cmd_len = COMMAND_SIZE(scmd->cmnd[0]);
570 scmd->sc_data_direction = DMA_FROM_DEVICE;
571 scmd->underflow = 0;
572
573 rtn = scsi_send_eh_cmnd(scmd, SENSE_TIMEOUT);
574
575 /* last chance to have valid sense data */
576 if(!SCSI_SENSE_VALID(scmd)) {
577 memcpy(scmd->sense_buffer, scmd->request_buffer,
578 sizeof(scmd->sense_buffer));
579 }
580
581 kfree(scsi_result);
582
583 /*
584 * when we eventually call scsi_finish, we really wish to complete
585 * the original request, so let's restore the original data. (db)
586 */
587 scsi_setup_cmd_retry(scmd);
588 scmd->result = saved_result;
589 return rtn;
590} 615}
591 616
592/** 617/**
@@ -605,12 +630,6 @@ void scsi_eh_finish_cmd(struct scsi_cmnd *scmd, struct list_head *done_q)
605{ 630{
606 scmd->device->host->host_failed--; 631 scmd->device->host->host_failed--;
607 scmd->eh_eflags = 0; 632 scmd->eh_eflags = 0;
608
609 /*
610 * set this back so that the upper level can correctly free up
611 * things.
612 */
613 scsi_setup_cmd_retry(scmd);
614 list_move_tail(&scmd->eh_entry, done_q); 633 list_move_tail(&scmd->eh_entry, done_q);
615} 634}
616EXPORT_SYMBOL(scsi_eh_finish_cmd); 635EXPORT_SYMBOL(scsi_eh_finish_cmd);
@@ -715,47 +734,26 @@ static int scsi_eh_tur(struct scsi_cmnd *scmd)
715{ 734{
716 static unsigned char tur_command[6] = {TEST_UNIT_READY, 0, 0, 0, 0, 0}; 735 static unsigned char tur_command[6] = {TEST_UNIT_READY, 0, 0, 0, 0, 0};
717 int retry_cnt = 1, rtn; 736 int retry_cnt = 1, rtn;
718 int saved_result;
719 737
720retry_tur: 738retry_tur:
721 memcpy(scmd->cmnd, tur_command, sizeof(tur_command)); 739 memcpy(scmd->cmnd, tur_command, sizeof(tur_command));
722 740
723 /*
724 * zero the sense buffer. the scsi spec mandates that any
725 * untransferred sense data should be interpreted as being zero.
726 */
727 memset(scmd->sense_buffer, 0, sizeof(scmd->sense_buffer));
728
729 saved_result = scmd->result;
730 scmd->request_buffer = NULL;
731 scmd->request_bufflen = 0;
732 scmd->use_sg = 0;
733 scmd->cmd_len = COMMAND_SIZE(scmd->cmnd[0]);
734 scmd->underflow = 0;
735 scmd->sc_data_direction = DMA_NONE;
736 741
737 rtn = scsi_send_eh_cmnd(scmd, SENSE_TIMEOUT); 742 rtn = scsi_send_eh_cmnd(scmd, SENSE_TIMEOUT, 0);
738 743
739 /*
740 * when we eventually call scsi_finish, we really wish to complete
741 * the original request, so let's restore the original data. (db)
742 */
743 scsi_setup_cmd_retry(scmd);
744 scmd->result = saved_result;
745
746 /*
747 * hey, we are done. let's look to see what happened.
748 */
749 SCSI_LOG_ERROR_RECOVERY(3, printk("%s: scmd %p rtn %x\n", 744 SCSI_LOG_ERROR_RECOVERY(3, printk("%s: scmd %p rtn %x\n",
750 __FUNCTION__, scmd, rtn)); 745 __FUNCTION__, scmd, rtn));
751 if (rtn == SUCCESS) 746
752 return 0; 747 switch (rtn) {
753 else if (rtn == NEEDS_RETRY) { 748 case NEEDS_RETRY:
754 if (retry_cnt--) 749 if (retry_cnt--)
755 goto retry_tur; 750 goto retry_tur;
751 /*FALLTHRU*/
752 case SUCCESS:
756 return 0; 753 return 0;
754 default:
755 return 1;
757 } 756 }
758 return 1;
759} 757}
760 758
761/** 759/**
@@ -837,44 +835,16 @@ static int scsi_try_bus_device_reset(struct scsi_cmnd *scmd)
837static int scsi_eh_try_stu(struct scsi_cmnd *scmd) 835static int scsi_eh_try_stu(struct scsi_cmnd *scmd)
838{ 836{
839 static unsigned char stu_command[6] = {START_STOP, 0, 0, 0, 1, 0}; 837 static unsigned char stu_command[6] = {START_STOP, 0, 0, 0, 1, 0};
840 int rtn;
841 int saved_result;
842 838
843 if (!scmd->device->allow_restart) 839 if (scmd->device->allow_restart) {
844 return 1; 840 int rtn;
845
846 memcpy(scmd->cmnd, stu_command, sizeof(stu_command));
847
848 /*
849 * zero the sense buffer. the scsi spec mandates that any
850 * untransferred sense data should be interpreted as being zero.
851 */
852 memset(scmd->sense_buffer, 0, sizeof(scmd->sense_buffer));
853
854 saved_result = scmd->result;
855 scmd->request_buffer = NULL;
856 scmd->request_bufflen = 0;
857 scmd->use_sg = 0;
858 scmd->cmd_len = COMMAND_SIZE(scmd->cmnd[0]);
859 scmd->underflow = 0;
860 scmd->sc_data_direction = DMA_NONE;
861 841
862 rtn = scsi_send_eh_cmnd(scmd, START_UNIT_TIMEOUT); 842 memcpy(scmd->cmnd, stu_command, sizeof(stu_command));
863 843 rtn = scsi_send_eh_cmnd(scmd, START_UNIT_TIMEOUT, 0);
864 /* 844 if (rtn == SUCCESS)
865 * when we eventually call scsi_finish, we really wish to complete 845 return 0;
866 * the original request, so let's restore the original data. (db) 846 }
867 */
868 scsi_setup_cmd_retry(scmd);
869 scmd->result = saved_result;
870 847
871 /*
872 * hey, we are done. let's look to see what happened.
873 */
874 SCSI_LOG_ERROR_RECOVERY(3, printk("%s: scmd %p rtn %x\n",
875 __FUNCTION__, scmd, rtn));
876 if (rtn == SUCCESS)
877 return 0;
878 return 1; 848 return 1;
879} 849}
880 850
@@ -1684,8 +1654,6 @@ scsi_reset_provider(struct scsi_device *dev, int flag)
1684 1654
1685 scmd->scsi_done = scsi_reset_provider_done_command; 1655 scmd->scsi_done = scsi_reset_provider_done_command;
1686 scmd->done = NULL; 1656 scmd->done = NULL;
1687 scmd->buffer = NULL;
1688 scmd->bufflen = 0;
1689 scmd->request_buffer = NULL; 1657 scmd->request_buffer = NULL;
1690 scmd->request_bufflen = 0; 1658 scmd->request_bufflen = 0;
1691 1659
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 08af9aae7df..077c1c69121 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -436,60 +436,16 @@ EXPORT_SYMBOL_GPL(scsi_execute_async);
436 * 436 *
437 * Arguments: cmd - command that is ready to be queued. 437 * Arguments: cmd - command that is ready to be queued.
438 * 438 *
439 * Returns: Nothing
440 *
441 * Notes: This function has the job of initializing a number of 439 * Notes: This function has the job of initializing a number of
442 * fields related to error handling. Typically this will 440 * fields related to error handling. Typically this will
443 * be called once for each command, as required. 441 * be called once for each command, as required.
444 */ 442 */
445static int scsi_init_cmd_errh(struct scsi_cmnd *cmd) 443static void scsi_init_cmd_errh(struct scsi_cmnd *cmd)
446{ 444{
447 cmd->serial_number = 0; 445 cmd->serial_number = 0;
448
449 memset(cmd->sense_buffer, 0, sizeof cmd->sense_buffer); 446 memset(cmd->sense_buffer, 0, sizeof cmd->sense_buffer);
450
451 if (cmd->cmd_len == 0) 447 if (cmd->cmd_len == 0)
452 cmd->cmd_len = COMMAND_SIZE(cmd->cmnd[0]); 448 cmd->cmd_len = COMMAND_SIZE(cmd->cmnd[0]);
453
454 /*
455 * We need saved copies of a number of fields - this is because
456 * error handling may need to overwrite these with different values
457 * to run different commands, and once error handling is complete,
458 * we will need to restore these values prior to running the actual
459 * command.
460 */
461 cmd->old_use_sg = cmd->use_sg;
462 cmd->old_cmd_len = cmd->cmd_len;
463 cmd->sc_old_data_direction = cmd->sc_data_direction;
464 cmd->old_underflow = cmd->underflow;
465 memcpy(cmd->data_cmnd, cmd->cmnd, sizeof(cmd->cmnd));
466 cmd->buffer = cmd->request_buffer;
467 cmd->bufflen = cmd->request_bufflen;
468
469 return 1;
470}
471
472/*
473 * Function: scsi_setup_cmd_retry()
474 *
475 * Purpose: Restore the command state for a retry
476 *
477 * Arguments: cmd - command to be restored
478 *
479 * Returns: Nothing
480 *
481 * Notes: Immediately prior to retrying a command, we need
482 * to restore certain fields that we saved above.
483 */
484void scsi_setup_cmd_retry(struct scsi_cmnd *cmd)
485{
486 memcpy(cmd->cmnd, cmd->data_cmnd, sizeof(cmd->data_cmnd));
487 cmd->request_buffer = cmd->buffer;
488 cmd->request_bufflen = cmd->bufflen;
489 cmd->use_sg = cmd->old_use_sg;
490 cmd->cmd_len = cmd->old_cmd_len;
491 cmd->sc_data_direction = cmd->sc_old_data_direction;
492 cmd->underflow = cmd->old_underflow;
493} 449}
494 450
495void scsi_device_unbusy(struct scsi_device *sdev) 451void scsi_device_unbusy(struct scsi_device *sdev)
@@ -807,22 +763,13 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index)
807 */ 763 */
808static void scsi_release_buffers(struct scsi_cmnd *cmd) 764static void scsi_release_buffers(struct scsi_cmnd *cmd)
809{ 765{
810 struct request *req = cmd->request;
811
812 /*
813 * Free up any indirection buffers we allocated for DMA purposes.
814 */
815 if (cmd->use_sg) 766 if (cmd->use_sg)
816 scsi_free_sgtable(cmd->request_buffer, cmd->sglist_len); 767 scsi_free_sgtable(cmd->request_buffer, cmd->sglist_len);
817 else if (cmd->request_buffer != req->buffer)
818 kfree(cmd->request_buffer);
819 768
820 /* 769 /*
821 * Zero these out. They now point to freed memory, and it is 770 * Zero these out. They now point to freed memory, and it is
822 * dangerous to hang onto the pointers. 771 * dangerous to hang onto the pointers.
823 */ 772 */
824 cmd->buffer = NULL;
825 cmd->bufflen = 0;
826 cmd->request_buffer = NULL; 773 cmd->request_buffer = NULL;
827 cmd->request_bufflen = 0; 774 cmd->request_bufflen = 0;
828} 775}
@@ -858,7 +805,7 @@ static void scsi_release_buffers(struct scsi_cmnd *cmd)
858void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) 805void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
859{ 806{
860 int result = cmd->result; 807 int result = cmd->result;
861 int this_count = cmd->bufflen; 808 int this_count = cmd->request_bufflen;
862 request_queue_t *q = cmd->device->request_queue; 809 request_queue_t *q = cmd->device->request_queue;
863 struct request *req = cmd->request; 810 struct request *req = cmd->request;
864 int clear_errors = 1; 811 int clear_errors = 1;
@@ -866,28 +813,14 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
866 int sense_valid = 0; 813 int sense_valid = 0;
867 int sense_deferred = 0; 814 int sense_deferred = 0;
868 815
869 /* 816 scsi_release_buffers(cmd);
870 * Free up any indirection buffers we allocated for DMA purposes.
871 * For the case of a READ, we need to copy the data out of the
872 * bounce buffer and into the real buffer.
873 */
874 if (cmd->use_sg)
875 scsi_free_sgtable(cmd->buffer, cmd->sglist_len);
876 else if (cmd->buffer != req->buffer) {
877 if (rq_data_dir(req) == READ) {
878 unsigned long flags;
879 char *to = bio_kmap_irq(req->bio, &flags);
880 memcpy(to, cmd->buffer, cmd->bufflen);
881 bio_kunmap_irq(to, &flags);
882 }
883 kfree(cmd->buffer);
884 }
885 817
886 if (result) { 818 if (result) {
887 sense_valid = scsi_command_normalize_sense(cmd, &sshdr); 819 sense_valid = scsi_command_normalize_sense(cmd, &sshdr);
888 if (sense_valid) 820 if (sense_valid)
889 sense_deferred = scsi_sense_is_deferred(&sshdr); 821 sense_deferred = scsi_sense_is_deferred(&sshdr);
890 } 822 }
823
891 if (blk_pc_request(req)) { /* SG_IO ioctl from block level */ 824 if (blk_pc_request(req)) { /* SG_IO ioctl from block level */
892 req->errors = result; 825 req->errors = result;
893 if (result) { 826 if (result) {
@@ -908,15 +841,6 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
908 } 841 }
909 842
910 /* 843 /*
911 * Zero these out. They now point to freed memory, and it is
912 * dangerous to hang onto the pointers.
913 */
914 cmd->buffer = NULL;
915 cmd->bufflen = 0;
916 cmd->request_buffer = NULL;
917 cmd->request_bufflen = 0;
918
919 /*
920 * Next deal with any sectors which we were able to correctly 844 * Next deal with any sectors which we were able to correctly
921 * handle. 845 * handle.
922 */ 846 */
@@ -1012,7 +936,7 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
1012 if (!(req->flags & REQ_QUIET)) { 936 if (!(req->flags & REQ_QUIET)) {
1013 scmd_printk(KERN_INFO, cmd, 937 scmd_printk(KERN_INFO, cmd,
1014 "Volume overflow, CDB: "); 938 "Volume overflow, CDB: ");
1015 __scsi_print_command(cmd->data_cmnd); 939 __scsi_print_command(cmd->cmnd);
1016 scsi_print_sense("", cmd); 940 scsi_print_sense("", cmd);
1017 } 941 }
1018 /* See SSC3rXX or current. */ 942 /* See SSC3rXX or current. */
@@ -1143,7 +1067,7 @@ static void scsi_blk_pc_done(struct scsi_cmnd *cmd)
1143 * successfully. Since this is a REQ_BLOCK_PC command the 1067 * successfully. Since this is a REQ_BLOCK_PC command the
1144 * caller should check the request's errors value 1068 * caller should check the request's errors value
1145 */ 1069 */
1146 scsi_io_completion(cmd, cmd->bufflen); 1070 scsi_io_completion(cmd, cmd->request_bufflen);
1147} 1071}
1148 1072
1149static void scsi_setup_blk_pc_cmnd(struct scsi_cmnd *cmd) 1073static void scsi_setup_blk_pc_cmnd(struct scsi_cmnd *cmd)
diff --git a/drivers/scsi/scsi_priv.h b/drivers/scsi/scsi_priv.h
index e2fbe9a9d5a..ae24c85aaee 100644
--- a/drivers/scsi/scsi_priv.h
+++ b/drivers/scsi/scsi_priv.h
@@ -57,7 +57,6 @@ extern int scsi_eh_scmd_add(struct scsi_cmnd *, int);
57 57
58/* scsi_lib.c */ 58/* scsi_lib.c */
59extern int scsi_maybe_unblock_host(struct scsi_device *sdev); 59extern int scsi_maybe_unblock_host(struct scsi_device *sdev);
60extern void scsi_setup_cmd_retry(struct scsi_cmnd *cmd);
61extern void scsi_device_unbusy(struct scsi_device *sdev); 60extern void scsi_device_unbusy(struct scsi_device *sdev);
62extern int scsi_queue_insert(struct scsi_cmnd *cmd, int reason); 61extern int scsi_queue_insert(struct scsi_cmnd *cmd, int reason);
63extern void scsi_next_command(struct scsi_cmnd *cmd); 62extern void scsi_next_command(struct scsi_cmnd *cmd);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 3225d31449e..98bd3aab973 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -502,8 +502,7 @@ static int sd_init_command(struct scsi_cmnd * SCpnt)
502 SCpnt->cmnd[4] = (unsigned char) this_count; 502 SCpnt->cmnd[4] = (unsigned char) this_count;
503 SCpnt->cmnd[5] = 0; 503 SCpnt->cmnd[5] = 0;
504 } 504 }
505 SCpnt->request_bufflen = SCpnt->bufflen = 505 SCpnt->request_bufflen = this_count * sdp->sector_size;
506 this_count * sdp->sector_size;
507 506
508 /* 507 /*
509 * We shouldn't disconnect in the middle of a sector, so with a dumb 508 * We shouldn't disconnect in the middle of a sector, so with a dumb
diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index fd94408577e..fae6e95a629 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -360,7 +360,7 @@ static int sr_init_command(struct scsi_cmnd * SCpnt)
360 "mismatch count %d, bytes %d\n", 360 "mismatch count %d, bytes %d\n",
361 size, SCpnt->request_bufflen); 361 size, SCpnt->request_bufflen);
362 if (SCpnt->request_bufflen > size) 362 if (SCpnt->request_bufflen > size)
363 SCpnt->request_bufflen = SCpnt->bufflen = size; 363 SCpnt->request_bufflen = size;
364 } 364 }
365 } 365 }
366 366
@@ -387,8 +387,7 @@ static int sr_init_command(struct scsi_cmnd * SCpnt)
387 387
388 if (this_count > 0xffff) { 388 if (this_count > 0xffff) {
389 this_count = 0xffff; 389 this_count = 0xffff;
390 SCpnt->request_bufflen = SCpnt->bufflen = 390 SCpnt->request_bufflen = this_count * s_size;
391 this_count * s_size;
392 } 391 }
393 392
394 SCpnt->cmnd[2] = (unsigned char) (block >> 24) & 0xff; 393 SCpnt->cmnd[2] = (unsigned char) (block >> 24) & 0xff;
diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
index 371f70d9aa9..58e6444eebe 100644
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -58,9 +58,7 @@ struct scsi_cmnd {
58 int timeout_per_command; 58 int timeout_per_command;
59 59
60 unsigned char cmd_len; 60 unsigned char cmd_len;
61 unsigned char old_cmd_len;
62 enum dma_data_direction sc_data_direction; 61 enum dma_data_direction sc_data_direction;
63 enum dma_data_direction sc_old_data_direction;
64 62
65 /* These elements define the operation we are about to perform */ 63 /* These elements define the operation we are about to perform */
66#define MAX_COMMAND_SIZE 16 64#define MAX_COMMAND_SIZE 16
@@ -71,18 +69,11 @@ struct scsi_cmnd {
71 void *request_buffer; /* Actual requested buffer */ 69 void *request_buffer; /* Actual requested buffer */
72 70
73 /* These elements define the operation we ultimately want to perform */ 71 /* These elements define the operation we ultimately want to perform */
74 unsigned char data_cmnd[MAX_COMMAND_SIZE];
75 unsigned short old_use_sg; /* We save use_sg here when requesting
76 * sense info */
77 unsigned short use_sg; /* Number of pieces of scatter-gather */ 72 unsigned short use_sg; /* Number of pieces of scatter-gather */
78 unsigned short sglist_len; /* size of malloc'd scatter-gather list */ 73 unsigned short sglist_len; /* size of malloc'd scatter-gather list */
79 unsigned bufflen; /* Size of data buffer */
80 void *buffer; /* Data buffer */
81 74
82 unsigned underflow; /* Return error if less than 75 unsigned underflow; /* Return error if less than
83 this amount is transferred */ 76 this amount is transferred */
84 unsigned old_underflow; /* save underflow here when reusing the
85 * command for error handling */
86 77
87 unsigned transfersize; /* How much we are guaranteed to 78 unsigned transfersize; /* How much we are guaranteed to
88 transfer with each SCSI transfer 79 transfer with each SCSI transfer