[PATCH] SCSI: fix transfer direction in scsi_lib and st

SCSI: fix transfer direction in scsi_lib and st scsi_prep_fn and st_init_command could issue WRITE requests with zero buffer length. This may lead to kernel panic or oops with some SCSI low-level drivers. Derived from -rc patches from Jens Axboe and James Bottomley. Patch is reassembled for -stable from patches: [SCSI] fix panic when ejecting ieee1394 ipod [SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic) Depends on patch "SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)". Also modifies the already correct sr_init_command to fully match the corresponding -rc patch. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] SCSI: fix transfer direction in scsi_lib and st
SCSI: fix transfer direction in scsi_lib and st scsi_prep_fn and st_init_command could issue WRITE requests with zero buffer length. This may lead to kernel panic or oops with some SCSI low-level drivers. Derived from -rc patches from Jens Axboe and James Bottomley. Patch is reassembled for -stable from patches: [SCSI] fix panic when ejecting ieee1394 ipod [SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic) Depends on patch "SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)". Also modifies the already correct sr_init_command to fully match the corresponding -rc patch. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
841f7067 · Stefan Richter · Greg Kroah-Hartman · 8e58cb47 · 841f7067 · 841f7067
Commit 841f7067 authored Dec 14, 2005 by Stefan Richter Committed by Greg Kroah-Hartman Dec 26, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 47 deletions

drivers/scsi/scsi_lib.c drivers/scsi/scsi_lib.c +1 -12

drivers/scsi/sr.c drivers/scsi/sr.c +3 -17

drivers/scsi/st.c drivers/scsi/st.c +1 -18

No files found.
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1284,18 +1284,7 @@ static int scsi_prep_fn(struct request_queue *q, struct request *req)
 				goto kill;
 			}
 		} else {
-			memcpy(cmd->cmnd, req->cmd, sizeof(cmd->cmnd));
-			cmd->cmd_len = req->cmd_len;
-			if (rq_data_dir(req) == WRITE)
-				cmd->sc_data_direction = DMA_TO_DEVICE;
-			else if (req->data_len)
-				cmd->sc_data_direction = DMA_FROM_DEVICE;
-			else
-				cmd->sc_data_direction = DMA_NONE;
-			
-			cmd->transfersize = req->data_len;
-			cmd->allowed = 3;
-			cmd->timeout_per_command = req->timeout;
+			scsi_setup_blk_pc_cmnd(cmd, 3);
 			cmd->done = scsi_generic_done;
 		}
 	}

--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -320,25 +320,11 @@ static int sr_init_command(struct scsi_cmnd * SCpnt)
 	 * these are already setup, just copy cdb basically
 	 */
 	if (SCpnt->request->flags & REQ_BLOCK_PC) {
-		struct request *rq = SCpnt->request;
+		scsi_setup_blk_pc_cmnd(SCpnt, MAX_RETRIES);

-		if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd))
-			return 0;
-
-		memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
-		SCpnt->cmd_len = rq->cmd_len;
-		if (!rq->data_len)
-			SCpnt->sc_data_direction = DMA_NONE;
-		else if (rq_data_dir(rq) == WRITE)
-			SCpnt->sc_data_direction = DMA_TO_DEVICE;
-		else
-			SCpnt->sc_data_direction = DMA_FROM_DEVICE;
-
-		this_count = rq->data_len;
-		if (rq->timeout)
-			timeout = rq->timeout;
+		if (SCpnt->timeout_per_command)
+			timeout = SCpnt->timeout_per_command;

-		SCpnt->transfersize = rq->data_len;
 		goto queue;
 	}


--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -4196,27 +4196,10 @@ static void st_intr(struct scsi_cmnd *SCpnt)
 */
 static int st_init_command(struct scsi_cmnd *SCpnt)
 {
-	struct request *rq;
-
 	if (!(SCpnt->request->flags & REQ_BLOCK_PC))
 		return 0;

-	rq = SCpnt->request;
-	if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd))
-		return 0;
-
-	memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
-	SCpnt->cmd_len = rq->cmd_len;
-
-	if (rq_data_dir(rq) == WRITE)
-		SCpnt->sc_data_direction = DMA_TO_DEVICE;
-	else if (rq->data_len)
-		SCpnt->sc_data_direction = DMA_FROM_DEVICE;
-	else
-		SCpnt->sc_data_direction = DMA_NONE;
-
-	SCpnt->timeout_per_command = rq->timeout;
-	SCpnt->transfersize = rq->data_len;
+	scsi_setup_blk_pc_cmnd(SCpnt, 0);
 	SCpnt->done = st_intr;
 	return 1;
 }