[libata ahci, qstor] fix miscount of scatter/gather entries

Don't directly reference qc->n_elem, as that might cause an off-by-one
error for misaligned (padded) ATAPI transfers.

2 files changed, 17 insertions, 6 deletions

diff --git a/drivers/scsi/ahci.c b/drivers/scsi/ahci.c
index 57ef7ae387d9..7b0640bc0079 100644
--- a/drivers/scsi/ahci.c
+++ b/drivers/scsi/ahci.c
@@ -474,11 +474,12 @@ static void ahci_tf_read(struct ata_port *ap, struct ata_taskfile *tf)
         ata_tf_from_fis(d2h_fis, tf);
 }
 
-static void ahci_fill_sg(struct ata_queued_cmd *qc)
+static unsigned int ahci_fill_sg(struct ata_queued_cmd *qc)
 {
         struct ahci_port_priv *pp = qc->ap->private_data;
         struct scatterlist *sg;
         struct ahci_sg *ahci_sg;
+        unsigned int n_sg = 0;
 
         VPRINTK("ENTER\n");
 
@@ -493,8 +494,12 @@ static void ahci_fill_sg(struct ata_queued_cmd *qc)
                 ahci_sg->addr = cpu_to_le32(addr & 0xffffffff);
                 ahci_sg->addr_hi = cpu_to_le32((addr >> 16) >> 16);
                 ahci_sg->flags_size = cpu_to_le32(sg_len - 1);
+
                 ahci_sg++;
+                n_sg++;
         }
+
+        return n_sg;
 }
 
 static void ahci_qc_prep(struct ata_queued_cmd *qc)
@@ -503,13 +508,14 @@ static void ahci_qc_prep(struct ata_queued_cmd *qc)
         struct ahci_port_priv *pp = ap->private_data;
         u32 opts;
         const u32 cmd_fis_len = 5; /* five dwords */
+        unsigned int n_elem;
 
         /*
          * Fill in command slot information (currently only one slot,
          * slot 0, is currently since we don't do queueing)
          */
 
-        opts = (qc->n_elem << 16) | cmd_fis_len;
+        opts = cmd_fis_len;
         if (qc->tf.flags & ATA_TFLAG_WRITE)
                 opts |= AHCI_CMD_WRITE;
         if (is_atapi_taskfile(&qc->tf))
@@ -533,7 +539,9 @@ static void ahci_qc_prep(struct ata_queued_cmd *qc)
         if (!(qc->flags & ATA_QCFLAG_DMAMAP))
                 return;
 
-        ahci_fill_sg(qc);
+        n_elem = ahci_fill_sg(qc);
+
+        pp->cmd_slot[0].opts |= cpu_to_le32(n_elem << 16);
 }
 
 static void ahci_intr_error(struct ata_port *ap, u32 irq_stat)
diff --git a/drivers/scsi/sata_qstor.c b/drivers/scsi/sata_qstor.c
index b2f6324a2eb2..4a6d3067d23c 100644
--- a/drivers/scsi/sata_qstor.c
+++ b/drivers/scsi/sata_qstor.c
@@ -268,7 +268,7 @@ static void qs_scr_write (struct ata_port *ap, unsigned int sc_reg, u32 val)
         writel(val, (void __iomem *)(ap->ioaddr.scr_addr + (sc_reg * 8)));
 }
 
-static void qs_fill_sg(struct ata_queued_cmd *qc)
+static unsigned int qs_fill_sg(struct ata_queued_cmd *qc)
 {
         struct scatterlist *sg;
         struct ata_port *ap = qc->ap;
@@ -296,6 +296,8 @@ static void qs_fill_sg(struct ata_queued_cmd *qc)
                                         (unsigned long long)addr, len);
                 nelem++;
         }
+
+        return nelem;
 }
 
 static void qs_qc_prep(struct ata_queued_cmd *qc)
@@ -304,6 +306,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc)
         u8 dflags = QS_DF_PORD, *buf = pp->pkt;
         u8 hflags = QS_HF_DAT | QS_HF_IEN | QS_HF_VLD;
         u64 addr;
+        unsigned int nelem;
 
         VPRINTK("ENTER\n");
 
@@ -313,7 +316,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc)
                 return;
         }
 
-        qs_fill_sg(qc);
+        nelem = qs_fill_sg(qc);
 
         if ((qc->tf.flags & ATA_TFLAG_WRITE))
                 hflags |= QS_HF_DIRO;
@@ -324,7 +327,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc)
         buf[ 0] = QS_HCB_HDR;
         buf[ 1] = hflags;
         *(__le32 *)(&buf[ 4]) = cpu_to_le32(qc->nsect * ATA_SECT_SIZE);
-        *(__le32 *)(&buf[ 8]) = cpu_to_le32(qc->n_elem);
+        *(__le32 *)(&buf[ 8]) = cpu_to_le32(nelem);
         addr = ((u64)pp->pkt_dma) + QS_CPB_BYTES;
         *(__le64 *)(&buf[16]) = cpu_to_le64(addr);