[PATCH] SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)

SCSI: fix transfer direction in sd (kernel panic when ejecting iPod) sd_init_command could issue WRITE requests with zero buffer length. This may lead to kernel panic or oops with some SCSI low-level drivers. Seen with the command "eject /dev/sdX" when disconnecting an iPod: http://marc.theaimsgroup.com/?l=linux1394-devel&m=113399994920181 http://marc.theaimsgroup.com/?l=linux1394-user&m=112152701817435 Derived from -rc patches from Jens Axboe and James Bottomley. Patch is reassembled for -stable from patches: [SCSI] fix panic when ejecting ieee1394 ipod [SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic) Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)
SCSI: fix transfer direction in sd (kernel panic when ejecting iPod) sd_init_command could issue WRITE requests with zero buffer length. This may lead to kernel panic or oops with some SCSI low-level drivers. Seen with the command "eject /dev/sdX" when disconnecting an iPod: http://marc.theaimsgroup.com/?l=linux1394-devel&m=113399994920181 http://marc.theaimsgroup.com/?l=linux1394-user&m=112152701817435 Derived from -rc patches from Jens Axboe and James Bottomley. Patch is reassembled for -stable from patches: [SCSI] fix panic when ejecting ieee1394 ipod [SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic) Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
8e58cb47 · Stefan Richter · Greg Kroah-Hartman · eec59235 · 8e58cb47 · 8e58cb47
Commit 8e58cb47 authored Dec 14, 2005 by Stefan Richter Committed by Greg Kroah-Hartman Dec 26, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 15 deletions

drivers/scsi/scsi_lib.c drivers/scsi/scsi_lib.c +20 -0

drivers/scsi/sd.c drivers/scsi/sd.c +1 -15

include/scsi/scsi_cmnd.h include/scsi/scsi_cmnd.h +1 -0

No files found.
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1129,6 +1129,26 @@ static void scsi_generic_done(struct scsi_cmnd *cmd)
 	scsi_io_completion(cmd, cmd->result == 0 ? cmd->bufflen : 0, 0);
 }

+void scsi_setup_blk_pc_cmnd(struct scsi_cmnd *cmd, int retries)
+{
+	struct request *req = cmd->request;
+
+	BUG_ON(sizeof(req->cmd) > sizeof(cmd->cmnd));
+	memcpy(cmd->cmnd, req->cmd, sizeof(cmd->cmnd));
+	cmd->cmd_len = req->cmd_len;
+	if (!req->data_len)
+		cmd->sc_data_direction = DMA_NONE;
+	else if (rq_data_dir(req) == WRITE)
+		cmd->sc_data_direction = DMA_TO_DEVICE;
+	else
+		cmd->sc_data_direction = DMA_FROM_DEVICE;
+
+	cmd->transfersize = req->data_len;
+	cmd->allowed = retries;
+	cmd->timeout_per_command = req->timeout;
+}
+EXPORT_SYMBOL_GPL(scsi_setup_blk_pc_cmnd);
+
 static int scsi_prep_fn(struct request_queue *q, struct request *req)
 {
 	struct scsi_device *sdev = q->queuedata;

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -231,24 +231,10 @@ static int sd_init_command(struct scsi_cmnd * SCpnt)
 	 * SG_IO from block layer already setup, just copy cdb basically
 	 */
 	if (blk_pc_request(rq)) {
-		if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd))
-			return 0;
-
-		memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
-		SCpnt->cmd_len = rq->cmd_len;
-		if (rq_data_dir(rq) == WRITE)
-			SCpnt->sc_data_direction = DMA_TO_DEVICE;
-		else if (rq->data_len)
-			SCpnt->sc_data_direction = DMA_FROM_DEVICE;
-		else
-			SCpnt->sc_data_direction = DMA_NONE;
-
-		this_count = rq->data_len;
+		scsi_setup_blk_pc_cmnd(SCpnt, SD_PASSTHROUGH_RETRIES);
 		if (rq->timeout)
 			timeout = rq->timeout;

-		SCpnt->transfersize = rq->data_len;
-		SCpnt->allowed = SD_PASSTHROUGH_RETRIES;
 		goto queue;
 	}


--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -150,5 +150,6 @@ extern struct scsi_cmnd *scsi_get_command(struct scsi_device *, int);
 extern void scsi_put_command(struct scsi_cmnd *);
 extern void scsi_io_completion(struct scsi_cmnd *, unsigned int, unsigned int);
 extern void scsi_finish_command(struct scsi_cmnd *cmd);
+extern void scsi_setup_blk_pc_cmnd(struct scsi_cmnd *cmd, int retries);

 #endif /* _SCSI_SCSI_CMND_H */