Sākums Izpētīt Palīdzība
Pierakstīties
PUBLIC_REPOS
/
ti-processor-sdk-linux
2
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Pārlūkot izejas kodu

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "This is a set of five small fixes: one is a null deref fix which is
  pretty critical for the fc transport class and one fixes a potential
  security issue of sg leaking kernel information"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
  scsi: sg: factor out sg_fill_request_table()
  scsi: sd: Remove unnecessary condition in sd_read_block_limits()
  scsi: acornscsi: fix build error
  scsi: scsi_transport_fc: fix NULL pointer dereference in fc_bsg_job_timeout
Linus Torvalds 8 gadi atpakaļ
vecāks
b8350cd004 3e00974998
revīzija
820bf5c419
4 mainītis faili ar 40 papildinājumiem un 34 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 3 3
      drivers/scsi/arm/acornscsi.c
  2. 1 1
      drivers/scsi/scsi_transport_fc.c
  3. 0 2
      drivers/scsi/sd.c
  4. 36 28
      drivers/scsi/sg.c

+ 3 - 3
drivers/scsi/arm/acornscsi.c
Parādīt failu 

@@ -2725,9 +2725,9 @@ int acornscsi_abort(struct scsi_cmnd *SCpnt)
 
  * Params   : SCpnt  - command causing reset
 
  * Returns  : one of SCSI_RESET_ macros
 
  */
 
-int acornscsi_host_reset(struct Scsi_Host *shpnt)
 
+int acornscsi_host_reset(struct scsi_cmnd *SCpnt)
 
 {
 
-	AS_Host *host = (AS_Host *)shpnt->hostdata;
 
+	AS_Host *host = (AS_Host *)SCpnt->device->host->hostdata;
 
 	struct scsi_cmnd *SCptr;
 
     
     host->stats.resets += 1;
 
@@ -2741,7 +2741,7 @@ int acornscsi_host_reset(struct Scsi_Host *shpnt)
 
 
 	printk(KERN_WARNING "acornscsi_reset: ");
 
 	print_sbic_status(asr, ssr, host->scsi.phase);
 
-	for (devidx = 0; devidx < 9; devidx ++) {
 
+	for (devidx = 0; devidx < 9; devidx++)
 
 	    acornscsi_dumplog(host, devidx);
 
     }
 
 #endif

+ 1 - 1
drivers/scsi/scsi_transport_fc.c
Parādīt failu 

@@ -3571,7 +3571,7 @@ fc_vport_sched_delete(struct work_struct *work)
 
 static enum blk_eh_timer_return
 
 fc_bsg_job_timeout(struct request *req)
 
 {
 
-	struct bsg_job *job = (void *) req->special;
 
+	struct bsg_job *job = blk_mq_rq_to_pdu(req);
 
 	struct Scsi_Host *shost = fc_bsg_to_shost(job);
 
 	struct fc_rport *rport = fc_bsg_to_rport(job);
 
 	struct fc_internal *i = to_fc_internal(shost->transportt);

+ 0 - 2
drivers/scsi/sd.c
Parādīt failu 

@@ -2915,8 +2915,6 @@ static void sd_read_block_limits(struct scsi_disk *sdkp)
 
 				sd_config_discard(sdkp, SD_LBP_WS16);
 
 			else if (sdkp->lbpws10)
 
 				sd_config_discard(sdkp, SD_LBP_WS10);
 
-			else if (sdkp->lbpu && sdkp->max_unmap_blocks)
 
-				sd_config_discard(sdkp, SD_LBP_UNMAP);
 
 			else
 
 				sd_config_discard(sdkp, SD_LBP_DISABLE);
 
 		}

+ 36 - 28
drivers/scsi/sg.c
Parādīt failu 

@@ -828,6 +828,39 @@ static int max_sectors_bytes(struct request_queue *q)
 
 	return max_sectors << 9;
 
 }
 
 
+static void
 
+sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
 
+{
 
+	Sg_request *srp;
 
+	int val;
 
+	unsigned int ms;
 
+
 
+	val = 0;
 
+	list_for_each_entry(srp, &sfp->rq_list, entry) {
 
+		if (val > SG_MAX_QUEUE)
 
+			break;
 
+		rinfo[val].req_state = srp->done + 1;
 
+		rinfo[val].problem =
 
+			srp->header.masked_status &
 
+			srp->header.host_status &
 
+			srp->header.driver_status;
 
+		if (srp->done)
 
+			rinfo[val].duration =
 
+				srp->header.duration;
 
+		else {
 
+			ms = jiffies_to_msecs(jiffies);
 
+			rinfo[val].duration =
 
+				(ms > srp->header.duration) ?
 
+				(ms - srp->header.duration) : 0;
 
+		}
 
+		rinfo[val].orphan = srp->orphan;
 
+		rinfo[val].sg_io_owned = srp->sg_io_owned;
 
+		rinfo[val].pack_id = srp->header.pack_id;
 
+		rinfo[val].usr_ptr = srp->header.usr_ptr;
 
+		val++;
 
+	}
 
+}
 
+
 
 static long
 
 sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 
 {
 
@@ -1012,38 +1045,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 
 			return -EFAULT;
 
 		else {
 
 			sg_req_info_t *rinfo;
 
-			unsigned int ms;
 
 
-			rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
 
-								GFP_KERNEL);
 
+			rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
 
+					GFP_KERNEL);
 
 			if (!rinfo)
 
 				return -ENOMEM;
 
 			read_lock_irqsave(&sfp->rq_list_lock, iflags);
 
-			val = 0;
 
-			list_for_each_entry(srp, &sfp->rq_list, entry) {
 
-				if (val >= SG_MAX_QUEUE)
 
-					break;
 
-				memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
 
-				rinfo[val].req_state = srp->done + 1;
 
-				rinfo[val].problem =
 
-					srp->header.masked_status &
 
-					srp->header.host_status &
 
-					srp->header.driver_status;
 
-				if (srp->done)
 
-					rinfo[val].duration =
 
-						srp->header.duration;
 
-				else {
 
-					ms = jiffies_to_msecs(jiffies);
 
-					rinfo[val].duration =
 
-						(ms > srp->header.duration) ?
 
-						(ms - srp->header.duration) : 0;
 
-				}
 
-				rinfo[val].orphan = srp->orphan;
 
-				rinfo[val].sg_io_owned = srp->sg_io_owned;
 
-				rinfo[val].pack_id = srp->header.pack_id;
 
-				rinfo[val].usr_ptr = srp->header.usr_ptr;
 
-				val++;
 
-			}
 
+			sg_fill_request_table(sfp, rinfo);
 
 			read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
 
 			result = __copy_to_user(p, rinfo,
 
 						SZ_SG_REQ_INFO * SG_MAX_QUEUE);