Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
"This is a set of three fixes.

One represents a nasty shared tag map regression (another inverted
condition) caused by recent SCSI MQ patches, one is a longstanding
potential buffer overrun in the iscsi data buffer and the final one is
a use after free for the rare bidirectional commands"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
[SCSI] fix for bidi use after free
[SCSI] fix regression that accidentally disabled block-based tcq
[SCSI] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu

Changed files
+14 -3
+10
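--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -717,10 +717,20 @@
 			return NULL;
 		}
 
+		if (data_size > ISCSI_DEF_MAX_RECV_SEG_LEN) {
+			iscsi_conn_printk(KERN_ERR, conn, "Invalid buffer len of %u for login task. Max len is %u\n", data_size, ISCSI_DEF_MAX_RECV_SEG_LEN);
+			return NULL;
+		}
+
 		task = conn->login_task;
 	} else {
 		if (session->state != ISCSI_STATE_LOGGED_IN)
 			return NULL;
+
+		if (data_size != 0) {
+			iscsi_conn_printk(KERN_ERR, conn, "Can not send data buffer of len %u for op 0x%x\n", data_size, opcode);
+			return NULL;
+		}
 
 		BUG_ON(conn->c_stage == ISCSI_CONN_INITIAL_STAGE);
 		BUG_ON(conn->c_stage == ISCSI_CONN_STOPPED);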
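Review bot: The new login-path bound `data_size > ISCSI_DEF_MAX_RECV_SEG_LEN` only prevents the overrun if the login task's data buffer is allocated with at least that many bytes, and nothing visible in this hunk ties the two together. A comment above the check would keep that coupling from drifting, for example `/* The login task's data buffer holds ISCSI_DEF_MAX_RECV_SEG_LEN bytes; keep this bound in sync with its allocation. */`. The allocation site is outside the hunk, so confirm the size there before adding it. Both messages are printed at KERN_ERR with `%u`, which assumes `data_size` is unsigned; if the length can be supplied repeatedly by a caller, a rate-limited print would keep a misbehaving caller from flooding the log. The enclosing function starts and ends outside the hunk.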
+3 -2
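--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -733,12 +733,13 @@
 	} else {
 		unsigned long flags;
 
+		if (bidi_bytes)
+			scsi_release_bidi_buffers(cmd);
+
 		spin_lock_irqsave(q->queue_lock, flags);
 		blk_finish_request(req, error);
 		spin_unlock_irqrestore(q->queue_lock, flags);
 
-		if (bidi_bytes)
-			scsi_release_bidi_buffers(cmd);
 		scsi_release_buffers(cmd);
 		scsi_next_command(cmd);
 	}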
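Review bot: The reason `scsi_release_bidi_buffers(cmd)` must run before `blk_finish_request(req, error)` is not recorded next to the moved call, so a later cleanup could move it back beside `scsi_release_buffers(cmd)` and reintroduce the use after free that the merge message describes. I would add a comment above the moved lines such as `/* Release bidi buffers before finishing the request: they are reached through the request, which must not be touched afterwards. */`. The "reached through the request" part is inferred from the merge message, so confirm it against `scsi_release_bidi_buffers()`. `scsi_release_buffers(cmd)` and `scsi_next_command(cmd)` still run after the request is finished, so it is worth confirming that neither dereferences `req`. The enclosing function starts outside the hunk.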
+1 -1
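--- a/include/scsi/scsi_tcq.h
+++ b/include/scsi/scsi_tcq.h
@@ -68,7 +68,7 @@
 		return;
 
 	if (!shost_use_blk_mq(sdev->host) &&
-		blk_queue_tagged(sdev->request_queue))
+		!blk_queue_tagged(sdev->request_queue))
 		blk_queue_init_tags(sdev->request_queue, depth,
 			sdev->host->bqt);
 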
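Review bot: The result of `blk_queue_init_tags(sdev->request_queue, depth, sdev->host->bqt)` is discarded on the call right after the corrected condition, and with the inversion fixed this call is now the path that actually sets up tagging. If initialisation can fail (for example on allocation failure), the code after it would carry on as if the queue were tagged. The visible `return;` suggests a void function, so at minimum I would log a warning on a non-zero result, or record the gap with `/* blk_queue_init_tags() can fail; result intentionally ignored, callers re-check blk_queue_tagged() */` if that is indeed the contract. The start of the function and the code after the call are outside the hunk, so check what follows before choosing.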