tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

[SCSI] fix up request buffer reference in various scsi drivers

Various scsi drivers use scsi_cmnd.buffer and scsi_cmnd.bufflen in their
queuecommand functions. Those fields are internal storage for the
midlayer only and are used to restore the original payload after
request_buffer and request_bufflen have been overwritten for EH. Using
the buffer and bufflen fields means they do very broken things in error
handling.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

authored by

Christoph Hellwig and committed by
James Bottomley 5d5ff44f e4a082c7

+30 -30
+3 -3
drivers/block/cciss_scsi.c
··· 578 578 579 579 if (cmd->use_sg) { 580 580 pci_unmap_sg(ctlr->pdev, 581 - cmd->buffer, cmd->use_sg, 581 + cmd->request_buffer, cmd->use_sg, 582 582 cmd->sc_data_direction); 583 583 } 584 584 else if (cmd->request_bufflen) { ··· 1210 1210 struct scsi_cmnd *cmd) 1211 1211 { 1212 1212 unsigned int use_sg, nsegs=0, len; 1213 - struct scatterlist *scatter = (struct scatterlist *) cmd->buffer; 1213 + struct scatterlist *scatter = (struct scatterlist *) cmd->request_buffer; 1214 1214 __u64 addr64; 1215 1215 1216 1216 /* is it just one virtual address? */ ··· 1232 1232 } /* else, must be a list of virtual addresses.... */ 1233 1233 else if (cmd->use_sg <= MAXSGENTRIES) { /* not too many addrs? */ 1234 1234 1235 - use_sg = pci_map_sg(pdev, cmd->buffer, cmd->use_sg, 1235 + use_sg = pci_map_sg(pdev, cmd->request_buffer, cmd->use_sg, 1236 1236 cmd->sc_data_direction); 1237 1237 1238 1238 for (nsegs=0; nsegs < use_sg; nsegs++) {
+1 -1
drivers/scsi/3w-9xxx.c
··· 1388 1388 if (cmd->use_sg == 0) 1389 1389 goto out; 1390 1390 1391 - use_sg = pci_map_sg(pdev, cmd->buffer, cmd->use_sg, DMA_BIDIRECTIONAL); 1391 + use_sg = pci_map_sg(pdev, cmd->request_buffer, cmd->use_sg, DMA_BIDIRECTIONAL); 1392 1392 1393 1393 if (use_sg == 0) { 1394 1394 TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1c, "Failed to map scatter gather list");
+1 -1
drivers/scsi/3w-xxxx.c
··· 1286 1286 if (cmd->use_sg == 0) 1287 1287 return 0; 1288 1288 1289 - use_sg = pci_map_sg(pdev, cmd->buffer, cmd->use_sg, DMA_BIDIRECTIONAL); 1289 + use_sg = pci_map_sg(pdev, cmd->request_buffer, cmd->use_sg, DMA_BIDIRECTIONAL); 1290 1290 1291 1291 if (use_sg == 0) { 1292 1292 printk(KERN_WARNING "3w-xxxx: tw_map_scsi_sg_data(): pci_map_sg() failed.\n");
+1 -1
drivers/scsi/NCR5380.c
··· 296 296 */ 297 297 298 298 if (cmd->use_sg) { 299 - cmd->SCp.buffer = (struct scatterlist *) cmd->buffer; 299 + cmd->SCp.buffer = (struct scatterlist *) cmd->request_buffer; 300 300 cmd->SCp.buffers_residual = cmd->use_sg - 1; 301 301 cmd->SCp.ptr = page_address(cmd->SCp.buffer->page)+ 302 302 cmd->SCp.buffer->offset;
+2 -2
drivers/scsi/aacraid/aachba.c
··· 961 961 962 962 if(scsicmd->use_sg) 963 963 pci_unmap_sg(dev->pdev, 964 - (struct scatterlist *)scsicmd->buffer, 964 + (struct scatterlist *)scsicmd->request_buffer, 965 965 scsicmd->use_sg, 966 966 scsicmd->sc_data_direction); 967 967 else if(scsicmd->request_bufflen) ··· 1919 1919 1920 1920 if(scsicmd->use_sg) 1921 1921 pci_unmap_sg(dev->pdev, 1922 - (struct scatterlist *)scsicmd->buffer, 1922 + (struct scatterlist *)scsicmd->request_buffer, 1923 1923 scsicmd->use_sg, 1924 1924 scsicmd->sc_data_direction); 1925 1925 else if(scsicmd->request_bufflen)
+1 -1
drivers/scsi/atp870u.c
··· 473 473 */ 474 474 if (workreq->use_sg) { 475 475 pci_unmap_sg(dev->pdev, 476 - (struct scatterlist *)workreq->buffer, 476 + (struct scatterlist *)workreq->request_buffer, 477 477 workreq->use_sg, 478 478 workreq->sc_data_direction); 479 479 } else if (workreq->request_bufflen &&
+1 -1
drivers/scsi/gdth.c
··· 2542 2542 gdth_ha_str *ha; 2543 2543 char *address; 2544 2544 2545 - cpcount = count<=(ushort)scp->bufflen ? count:(ushort)scp->bufflen; 2545 + cpcount = count<=(ushort)scp->request_bufflen ? count:(ushort)scp->request_bufflen; 2546 2546 ha = HADATA(gdth_ctr_tab[hanum]); 2547 2547 2548 2548 if (scp->use_sg) {
+1 -1
drivers/scsi/in2000.c
··· 370 370 */ 371 371 372 372 if (cmd->use_sg) { 373 - cmd->SCp.buffer = (struct scatterlist *) cmd->buffer; 373 + cmd->SCp.buffer = (struct scatterlist *) cmd->request_buffer; 374 374 cmd->SCp.buffers_residual = cmd->use_sg - 1; 375 375 cmd->SCp.ptr = (char *) page_address(cmd->SCp.buffer->page) + cmd->SCp.buffer->offset; 376 376 cmd->SCp.this_residual = cmd->SCp.buffer->length;
+1 -1
drivers/scsi/ips.c
··· 4364 4364 4365 4365 METHOD_TRACE("ips_rdcap", 1); 4366 4366 4367 - if (scb->scsi_cmd->bufflen < 8) 4367 + if (scb->scsi_cmd->request_bufflen < 8) 4368 4368 return (0); 4369 4369 4370 4370 cap.lba =
+2 -2
drivers/scsi/libata-scsi.c
··· 2310 2310 #endif 2311 2311 } 2312 2312 2313 - qc->nbytes = cmd->bufflen; 2313 + qc->nbytes = cmd->request_bufflen; 2314 2314 2315 2315 return 0; 2316 2316 } ··· 2500 2500 * TODO: find out if we need to do more here to 2501 2501 * cover scatter/gather case. 2502 2502 */ 2503 - qc->nsect = cmd->bufflen / ATA_SECT_SIZE; 2503 + qc->nsect = cmd->request_bufflen / ATA_SECT_SIZE; 2504 2504 2505 2505 return 0; 2506 2506
+2 -2
drivers/scsi/megaraid.c
··· 524 524 * filter the internal and ioctl commands 525 525 */ 526 526 if((cmd->cmnd[0] == MEGA_INTERNAL_CMD)) { 527 - return cmd->buffer; 527 + return cmd->request_buffer; 528 528 } 529 529 530 530 ··· 4493 4493 scmd->device = sdev; 4494 4494 4495 4495 scmd->device->host = adapter->host; 4496 - scmd->buffer = (void *)scb; 4496 + scmd->request_buffer = (void *)scb; 4497 4497 scmd->cmnd[0] = MEGA_INTERNAL_CMD; 4498 4498 4499 4499 scb->state |= SCB_ACTIVE;
+3 -3
drivers/scsi/ncr53c8xx.c
··· 529 529 { 530 530 switch(cmd->__data_mapped) { 531 531 case 2: 532 - dma_unmap_sg(dev, cmd->buffer, cmd->use_sg, 532 + dma_unmap_sg(dev, cmd->request_buffer, cmd->use_sg, 533 533 cmd->sc_data_direction); 534 534 break; 535 535 case 1: ··· 564 564 if (cmd->use_sg == 0) 565 565 return 0; 566 566 567 - use_sg = dma_map_sg(dev, cmd->buffer, cmd->use_sg, 567 + use_sg = dma_map_sg(dev, cmd->request_buffer, cmd->use_sg, 568 568 cmd->sc_data_direction); 569 569 cmd->__data_mapped = 2; 570 570 cmd->__data_mapping = use_sg; ··· 7697 7697 if (!use_sg) 7698 7698 segment = ncr_scatter_no_sglist(np, cp, cmd); 7699 7699 else if ((use_sg = map_scsi_sg_data(np, cmd)) > 0) { 7700 - struct scatterlist *scatter = (struct scatterlist *)cmd->buffer; 7700 + struct scatterlist *scatter = (struct scatterlist *)cmd->request_buffer; 7701 7701 struct scr_tblmove *data; 7702 7702 7703 7703 if (use_sg > MAX_SCATTER) {
+1 -1
drivers/scsi/nsp32.c
··· 1636 1636 1637 1637 if (SCpnt->use_sg) { 1638 1638 pci_unmap_sg(data->Pci, 1639 - (struct scatterlist *)SCpnt->buffer, 1639 + (struct scatterlist *)SCpnt->request_buffer, 1640 1640 SCpnt->use_sg, SCpnt->sc_data_direction); 1641 1641 } else { 1642 1642 pci_unmap_single(data->Pci,
+1 -1
drivers/scsi/sd.c
··· 891 891 static void sd_rw_intr(struct scsi_cmnd * SCpnt) 892 892 { 893 893 int result = SCpnt->result; 894 - int this_count = SCpnt->bufflen; 894 + int this_count = SCpnt->request_bufflen; 895 895 int good_bytes = (result == 0 ? this_count : 0); 896 896 sector_t block_sectors = 1; 897 897 u64 first_err_block;
+1 -1
drivers/scsi/sr.c
··· 217 217 static void rw_intr(struct scsi_cmnd * SCpnt) 218 218 { 219 219 int result = SCpnt->result; 220 - int this_count = SCpnt->bufflen; 220 + int this_count = SCpnt->request_bufflen; 221 221 int good_bytes = (result == 0 ? this_count : 0); 222 222 int block_sectors = 0; 223 223 long error_sector;
+3 -3
drivers/scsi/sym53c8xx_2/sym_glue.c
··· 156 156 157 157 switch(SYM_UCMD_PTR(cmd)->data_mapped) { 158 158 case 2: 159 - pci_unmap_sg(pdev, cmd->buffer, cmd->use_sg, dma_dir); 159 + pci_unmap_sg(pdev, cmd->request_buffer, cmd->use_sg, dma_dir); 160 160 break; 161 161 case 1: 162 162 pci_unmap_single(pdev, SYM_UCMD_PTR(cmd)->data_mapping, ··· 186 186 int use_sg; 187 187 int dma_dir = cmd->sc_data_direction; 188 188 189 - use_sg = pci_map_sg(pdev, cmd->buffer, cmd->use_sg, dma_dir); 189 + use_sg = pci_map_sg(pdev, cmd->request_buffer, cmd->use_sg, dma_dir); 190 190 if (use_sg > 0) { 191 191 SYM_UCMD_PTR(cmd)->data_mapped = 2; 192 192 SYM_UCMD_PTR(cmd)->data_mapping = use_sg; ··· 376 376 if (!use_sg) 377 377 segment = sym_scatter_no_sglist(np, cp, cmd); 378 378 else if ((use_sg = map_scsi_sg_data(np, cmd)) > 0) { 379 - struct scatterlist *scatter = (struct scatterlist *)cmd->buffer; 379 + struct scatterlist *scatter = (struct scatterlist *)cmd->request_buffer; 380 380 struct sym_tcb *tp = &np->target[cp->target]; 381 381 struct sym_tblmove *data; 382 382
+5 -5
drivers/usb/image/microtek.c
··· 513 513 mts_transfer_cleanup(transfer); 514 514 } 515 515 516 - sg = context->srb->buffer; 516 + sg = context->srb->request_buffer; 517 517 context->fragment++; 518 518 mts_int_submit_urb(transfer, 519 519 context->data_pipe, ··· 549 549 desc->context.fragment = 0; 550 550 551 551 if (!srb->use_sg) { 552 - if ( !srb->bufflen ){ 552 + if ( !srb->request_bufflen ){ 553 553 desc->context.data = NULL; 554 554 desc->context.data_length = 0; 555 555 return; 556 556 } else { 557 - desc->context.data = srb->buffer; 558 - desc->context.data_length = srb->bufflen; 557 + desc->context.data = srb->request_buffer; 558 + desc->context.data_length = srb->request_bufflen; 559 559 MTS_DEBUG("length = %d or %d\n", 560 560 srb->request_bufflen, srb->bufflen); 561 561 } 562 562 } else { 563 563 MTS_DEBUG("Using scatter/gather\n"); 564 - sg = srb->buffer; 564 + sg = srb->request_buffer; 565 565 desc->context.data = page_address(sg[0].page) + sg[0].offset; 566 566 desc->context.data_length = sg[0].length; 567 567 }