diff options
| author | Ewan D. Milne <emilne@redhat.com> | 2012-11-02 09:38:34 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-08-04 04:50:41 -0400 |
| commit | 8cf7b0b08a0bccbf3a72487b3b85ac233e83947f (patch) | |
| tree | 4285ce55611dfc58a99791079015bc1ae0579917 | |
| parent | b01c4c2c2e5b7ecf14e10efabf65183d9565ff2f (diff) | |
SCSI: sd: fix crash when UA received on DIF enabled device
commit 085b513f97d8d799d28491239be4b451bcd8c2c5 upstream.
sd_prep_fn will allocate a larger CDB for the command via mempool_alloc
for devices using DIF type 2 protection. This CDB was being freed
in sd_done, which results in a kernel crash if the command is retried
due to a UNIT ATTENTION. This change moves the code to free the larger
CDB into sd_unprep_fn instead, which is invoked after the request is
complete.
It is no longer necessary to call scsi_print_command separately for
this case as the ->cmnd will no longer be NULL in the normal code path.
Also removed conditional test for DIF type 2 when freeing the larger
CDB because the protection_type could have been changed via sysfs while
the command was executing.
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/scsi/sd.c | 22 |
1 files changed, 7 insertions, 15 deletions
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 1b1125e67f1e..610417ec45af 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c | |||
| @@ -828,10 +828,17 @@ static int scsi_setup_flush_cmnd(struct scsi_device *sdp, struct request *rq) | |||
| 828 | 828 | ||
| 829 | static void sd_unprep_fn(struct request_queue *q, struct request *rq) | 829 | static void sd_unprep_fn(struct request_queue *q, struct request *rq) |
| 830 | { | 830 | { |
| 831 | struct scsi_cmnd *SCpnt = rq->special; | ||
| 832 | |||
| 831 | if (rq->cmd_flags & REQ_DISCARD) { | 833 | if (rq->cmd_flags & REQ_DISCARD) { |
| 832 | free_page((unsigned long)rq->buffer); | 834 | free_page((unsigned long)rq->buffer); |
| 833 | rq->buffer = NULL; | 835 | rq->buffer = NULL; |
| 834 | } | 836 | } |
| 837 | if (SCpnt->cmnd != rq->cmd) { | ||
| 838 | mempool_free(SCpnt->cmnd, sd_cdb_pool); | ||
| 839 | SCpnt->cmnd = NULL; | ||
| 840 | SCpnt->cmd_len = 0; | ||
| 841 | } | ||
| 835 | } | 842 | } |
| 836 | 843 | ||
| 837 | /** | 844 | /** |
| @@ -1710,21 +1717,6 @@ static int sd_done(struct scsi_cmnd *SCpnt) | |||
| 1710 | if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt)) | 1717 | if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt)) |
| 1711 | sd_dif_complete(SCpnt, good_bytes); | 1718 | sd_dif_complete(SCpnt, good_bytes); |
| 1712 | 1719 | ||
| 1713 | if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type) | ||
| 1714 | == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) { | ||
| 1715 | |||
| 1716 | /* We have to print a failed command here as the | ||
| 1717 | * extended CDB gets freed before scsi_io_completion() | ||
| 1718 | * is called. | ||
| 1719 | */ | ||
| 1720 | if (result) | ||
| 1721 | scsi_print_command(SCpnt); | ||
| 1722 | |||
| 1723 | mempool_free(SCpnt->cmnd, sd_cdb_pool); | ||
| 1724 | SCpnt->cmnd = NULL; | ||
| 1725 | SCpnt->cmd_len = 0; | ||
| 1726 | } | ||
| 1727 | |||
| 1728 | return good_bytes; | 1720 | return good_bytes; |
| 1729 | } | 1721 | } |
| 1730 | 1722 | ||