| From f575c5d3ebdca3b0482847d8fcba971767754a9e Mon Sep 17 00:00:00 2001 |
| From: adam radford <aradford@gmail.com> |
| Date: Thu, 13 Oct 2011 16:01:12 -0700 |
| Subject: [SCSI] megaraid_sas: Fix instance access in megasas_reset_timer |
| |
| From: adam radford <aradford@gmail.com> |
| |
| commit f575c5d3ebdca3b0482847d8fcba971767754a9e upstream. |
| |
| The following patch for megaraid_sas will fix a potential bad pointer access |
| in megasas_reset_timer(), when a MegaRAID 9265/9285 or 9360/9380 gets a |
| timeout. megasas_build_io_fusion() sets SCp.ptr to be a struct |
| megasas_cmd_fusion *, but then megasas_reset_timer() was casting SCp.ptr to be |
| a struct megasas_cmd *, then trying to access cmd->instance, which is invalid. |
| |
| Just loading instance from scmd->device->host->hostdata in |
| megasas_reset_timer() fixes the issue. |
| |
| Signed-off-by: Adam Radford <aradford@gmail.com> |
| Signed-off-by: James Bottomley <JBottomley@Parallels.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/scsi/megaraid/megaraid_sas_base.c | 3 +-- |
| 1 file changed, 1 insertion(+), 2 deletions(-) |
| |
| --- a/drivers/scsi/megaraid/megaraid_sas_base.c |
| +++ b/drivers/scsi/megaraid/megaraid_sas_base.c |
| @@ -1907,7 +1907,6 @@ static int megasas_generic_reset(struct |
| static enum |
| blk_eh_timer_return megasas_reset_timer(struct scsi_cmnd *scmd) |
| { |
| - struct megasas_cmd *cmd = (struct megasas_cmd *)scmd->SCp.ptr; |
| struct megasas_instance *instance; |
| unsigned long flags; |
| |
| @@ -1916,7 +1915,7 @@ blk_eh_timer_return megasas_reset_timer( |
| return BLK_EH_NOT_HANDLED; |
| } |
| |
| - instance = cmd->instance; |
| + instance = (struct megasas_instance *)scmd->device->host->hostdata; |
| if (!(instance->flag & MEGASAS_FW_BUSY)) { |
| /* FW is busy, throttle IO */ |
| spin_lock_irqsave(instance->host->host_lock, flags); |
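Review bot: The new `instance = (struct megasas_instance *)scmd->device->host->hostdata;` line has no comment recording why `scmd->SCp.ptr` must not be used here, so a later cleanup could reintroduce the type confusion this commit removes. Per the description, `SCp.ptr` holds a `struct megasas_cmd_fusion *` on fusion adapters, so reading it as a `struct megasas_cmd *` interprets the wrong layout. I would add above the assignment `/* SCp.ptr is a megasas_cmd_fusion * on fusion adapters; always take instance from the host, never from SCp.ptr */`. As a style point, `instance = shost_priv(scmd->device->host);` yields the same pointer without the open-coded cast, provided the rest of the driver is happy to use that helper. The body of megasas_reset_timer() starts in the previous hunk and continues past the end of this one.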