| From 110712828365ccafcc61a7f4db44c31ed4cf8793 Mon Sep 17 00:00:00 2001 |
| From: Borislav Petkov <bp@alien8.de> |
| Date: Mon, 5 Jul 2010 21:23:52 -0700 |
| Subject: ide-cd: Do not access completed requests in the irq handler |
| |
| From: Borislav Petkov <bp@alien8.de> |
| |
| commit 110712828365ccafcc61a7f4db44c31ed4cf8793 upstream. |
| |
| ide_cd_error_cmd() can complete an erroneous request with leftover |
| buffers. Signal this with its return value so that the irq handler does |
| not access the request after its completion, which would cause an oops. |
| |
| Signed-off-by: Borislav Petkov <bp@alien8.de> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/ide/ide-cd.c | 14 +++++++++++--- |
| 1 file changed, 11 insertions(+), 3 deletions(-) |
| |
| --- a/drivers/ide/ide-cd.c |
| +++ b/drivers/ide/ide-cd.c |
| @@ -506,15 +506,22 @@ int ide_cd_queue_pc(ide_drive_t *drive, |
| return (flags & REQ_FAILED) ? -EIO : 0; |
| } |
| |
| -static void ide_cd_error_cmd(ide_drive_t *drive, struct ide_cmd *cmd) |
| +/* |
| + * returns true if rq has been completed |
| + */ |
| +static bool ide_cd_error_cmd(ide_drive_t *drive, struct ide_cmd *cmd) |
| { |
| unsigned int nr_bytes = cmd->nbytes - cmd->nleft; |
| |
| if (cmd->tf_flags & IDE_TFLAG_WRITE) |
| nr_bytes -= cmd->last_xfer_len; |
| |
| - if (nr_bytes > 0) |
| + if (nr_bytes > 0) { |
| ide_complete_rq(drive, 0, nr_bytes); |
| + return true; |
| + } |
| + |
| + return false; |
| } |
| |
| static ide_startstop_t cdrom_newpc_intr(ide_drive_t *drive) |
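Review bot: The new comment says `true` means rq has been completed, but `ide_cd_error_cmd()` returns `true` whenever it calls `ide_complete_rq()` and discards that call's return value, so the comment promises more than the visible code checks. If `ide_complete_rq()` can report that part of the request is still pending, the caller's early exit would rest on a completion that did not fully happen; this should be confirmed against its definition, which is not in this patch. Either way the contract should be spelled out for the next caller, for example `/* Returns true if ide_complete_rq() was called for rq; the caller must not touch rq afterwards. */`. Separately, `nr_bytes` is `unsigned int`, so if `cmd->last_xfer_len` could ever exceed `cmd->nbytes - cmd->nleft` the subtraction wraps to a large value that passes `nr_bytes > 0` and now also triggers the early return; a guard before the subtraction or a comment naming the invariant would settle it.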
| @@ -679,7 +686,8 @@ out_end: |
| } |
| |
| if (uptodate == 0 && rq->bio) |
| - ide_cd_error_cmd(drive, cmd); |
| + if (ide_cd_error_cmd(drive, cmd)) |
| + return ide_stopped; |
| |
| /* make sure it's fully ended */ |
| if (blk_fs_request(rq) == 0) { |
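Review bot: The added lines nest an unbraced `if` inside another unbraced `if`, which is easy to misread and invites a dangling-else mistake if an `else` is ever added here. Because `&&` short-circuits, the same guard can be written as a single condition, `if (uptodate == 0 && rq->bio && ide_cd_error_cmd(drive, cmd))` followed by `return ide_stopped;`. A one-line comment such as `/* rq may already be completed here; do not dereference it below */` would record why the early return exists, since the use-after-completion it prevents is not obvious from the code alone. The enclosing function starts and ends outside this hunk, so it cannot be checked from here whether the skipped tail does anything the early-return path still needs.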