releases/3.0.89/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 085b513f97d8d799d28491239be4b451bcd8c2c5 Mon Sep 17 00:00:00 2001
 From: "Ewan D. Milne" <emilne@redhat.com>
 Date: Fri, 2 Nov 2012 09:38:34 -0400
 Subject: SCSI: sd: fix crash when UA received on DIF enabled device

 From: "Ewan D. Milne" <emilne@redhat.com>

 commit 085b513f97d8d799d28491239be4b451bcd8c2c5 upstream.

 sd_prep_fn will allocate a larger CDB for the command via mempool_alloc
 for devices using DIF type 2 protection.  This CDB was being freed
 in sd_done, which results in a kernel crash if the command is retried
 due to a UNIT ATTENTION.  This change moves the code to free the larger
 CDB into sd_unprep_fn instead, which is invoked after the request is
 complete.

 It is no longer necessary to call scsi_print_command separately for
 this case as the ->cmnd will no longer be NULL in the normal code path.

 Also removed conditional test for DIF type 2 when freeing the larger
 CDB because the protection_type could have been changed via sysfs while
 the command was executing.

 Signed-off-by: Ewan D. Milne <emilne@redhat.com>
 Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
 Signed-off-by: James Bottomley <JBottomley@Parallels.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/scsi/sd.c |   22 +++++++---------------
  1 file changed, 7 insertions(+), 15 deletions(-)

 --- a/drivers/scsi/sd.c
 +++ b/drivers/scsi/sd.c
 @@ -641,10 +641,17 @@ static int scsi_setup_flush_cmnd(struct

  static void sd_unprep_fn(struct request_queue *q, struct request *rq)
  {
 +	struct scsi_cmnd *SCpnt = rq->special;
 +
  	if (rq->cmd_flags & REQ_DISCARD) {
  		free_page((unsigned long)rq->buffer);
  		rq->buffer = NULL;
  	}
 +	if (SCpnt->cmnd != rq->cmd) {
 +		mempool_free(SCpnt->cmnd, sd_cdb_pool);
 +		SCpnt->cmnd = NULL;
 +		SCpnt->cmd_len = 0;
 +	}
  }

  /**
 @@ -1451,21 +1458,6 @@ static int sd_done(struct scsi_cmnd *SCp
  	if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt))
  		sd_dif_complete(SCpnt, good_bytes);

 -	if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type)
 -	    == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) {
 -
 -		/* We have to print a failed command here as the
 -		 * extended CDB gets freed before scsi_io_completion()
 -		 * is called.
 -		 */
 -		if (result)
 -			scsi_print_command(SCpnt);
 -
 -		mempool_free(SCpnt->cmnd, sd_cdb_pool);
 -		SCpnt->cmnd = NULL;
 -		SCpnt->cmd_len = 0;
 -	}
 -
  	return good_bytes;
  }
	From 085b513f97d8d799d28491239be4b451bcd8c2c5 Mon Sep 17 00:00:00 2001
	From: "Ewan D. Milne" <emilne@redhat.com>
	Date: Fri, 2 Nov 2012 09:38:34 -0400
	Subject: SCSI: sd: fix crash when UA received on DIF enabled device

	From: "Ewan D. Milne" <emilne@redhat.com>

	commit 085b513f97d8d799d28491239be4b451bcd8c2c5 upstream.

	sd_prep_fn will allocate a larger CDB for the command via mempool_alloc
	for devices using DIF type 2 protection. This CDB was being freed
	in sd_done, which results in a kernel crash if the command is retried
	due to a UNIT ATTENTION. This change moves the code to free the larger
	CDB into sd_unprep_fn instead, which is invoked after the request is
	complete.

	It is no longer necessary to call scsi_print_command separately for
	this case as the ->cmnd will no longer be NULL in the normal code path.

	Also removed conditional test for DIF type 2 when freeing the larger
	CDB because the protection_type could have been changed via sysfs while
	the command was executing.

	Signed-off-by: Ewan D. Milne <emilne@redhat.com>
	Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
	Signed-off-by: James Bottomley <JBottomley@Parallels.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/scsi/sd.c \| 22 +++++++---------------
	1 file changed, 7 insertions(+), 15 deletions(-)

	--- a/drivers/scsi/sd.c
	+++ b/drivers/scsi/sd.c
	@@ -641,10 +641,17 @@ static int scsi_setup_flush_cmnd(struct

	static void sd_unprep_fn(struct request_queue q, struct request rq)
	{
	+ struct scsi_cmnd *SCpnt = rq->special;
	+
	if (rq->cmd_flags & REQ_DISCARD) {
	free_page((unsigned long)rq->buffer);
	rq->buffer = NULL;
	}
	+ if (SCpnt->cmnd != rq->cmd) {
	+ mempool_free(SCpnt->cmnd, sd_cdb_pool);
	+ SCpnt->cmnd = NULL;
	+ SCpnt->cmd_len = 0;
	+ }
	}

	/**
	@@ -1451,21 +1458,6 @@ static int sd_done(struct scsi_cmnd *SCp
	if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt))
	sd_dif_complete(SCpnt, good_bytes);

	- if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type)
	- == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) {
	-
	- /* We have to print a failed command here as the
	- * extended CDB gets freed before scsi_io_completion()
	- * is called.
	- */
	- if (result)
	- scsi_print_command(SCpnt);
	-
	- mempool_free(SCpnt->cmnd, sd_cdb_pool);
	- SCpnt->cmnd = NULL;
	- SCpnt->cmd_len = 0;
	- }
	-
	return good_bytes;
	}