Skip to content

Commit 8d5dbec

Browse files
Finn Thainmartinkpetersen
Finn Thain
authored and
martinkpetersen
committed
ncr5380: Call scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() as and when appropriate
This bug causes the wrong command to have its sense pointer overwritten, which sometimes leads to a NULL pointer deref. Fix this by checking which command is being requeued before restoring the scsi_eh_save data. It turns out that some targets will disconnect a REQUEST SENSE command. The autosense algorithm doesn't anticipate this. Hence multiple commands can end up undergoing autosense simultaneously, and they will all try to use the same scsi_eh_save struct, which won't work. Defer autosense when the scsi_eh_save storage is in use by another command. Fixes: f27db8e ("ncr5380: Fix autosense bugs") Reported-and-tested-by: Michael Schmitz <schmitzmic@gmail.com> Cc: <stable@vger.kernel.org> # 4.5 Signed-off-by: Finn Thain <fthain@telegraphics.com.au> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 parent ccf6efd commit 8d5dbec

File tree

2 files changed

+4
-4
lines changed

2 files changed

+4
-4
lines changed

drivers/scsi/NCR5380.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -760,7 +760,7 @@ static struct scsi_cmnd *dequeue_next_cmd(struct Scsi_Host *instance)
760760
struct NCR5380_cmd *ncmd;
761761
struct scsi_cmnd *cmd;
762762

763-
if (list_empty(&hostdata->autosense)) {
763+
if (hostdata->sensing || list_empty(&hostdata->autosense)) {
764764
list_for_each_entry(ncmd, &hostdata->unissued, list) {
765765
cmd = NCR5380_to_scmd(ncmd);
766766
dsprintk(NDEBUG_QUEUES, instance, "dequeue: cmd=%p target=%d busy=0x%02x lun=%llu\n",
@@ -793,7 +793,7 @@ static void requeue_cmd(struct Scsi_Host *instance, struct scsi_cmnd *cmd)
793793
struct NCR5380_hostdata *hostdata = shost_priv(instance);
794794
struct NCR5380_cmd *ncmd = scsi_cmd_priv(cmd);
795795

796-
if (hostdata->sensing) {
796+
if (hostdata->sensing == cmd) {
797797
scsi_eh_restore_cmnd(cmd, &hostdata->ses);
798798
list_add(&ncmd->list, &hostdata->autosense);
799799
hostdata->sensing = NULL;

drivers/scsi/atari_NCR5380.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -862,7 +862,7 @@ static struct scsi_cmnd *dequeue_next_cmd(struct Scsi_Host *instance)
862862
struct NCR5380_cmd *ncmd;
863863
struct scsi_cmnd *cmd;
864864

865-
if (list_empty(&hostdata->autosense)) {
865+
if (hostdata->sensing || list_empty(&hostdata->autosense)) {
866866
list_for_each_entry(ncmd, &hostdata->unissued, list) {
867867
cmd = NCR5380_to_scmd(ncmd);
868868
dsprintk(NDEBUG_QUEUES, instance, "dequeue: cmd=%p target=%d busy=0x%02x lun=%llu\n",
@@ -901,7 +901,7 @@ static void requeue_cmd(struct Scsi_Host *instance, struct scsi_cmnd *cmd)
901901
struct NCR5380_hostdata *hostdata = shost_priv(instance);
902902
struct NCR5380_cmd *ncmd = scsi_cmd_priv(cmd);
903903

904-
if (hostdata->sensing) {
904+
if (hostdata->sensing == cmd) {
905905
scsi_eh_restore_cmnd(cmd, &hostdata->ses);
906906
list_add(&ncmd->list, &hostdata->autosense);
907907
hostdata->sensing = NULL;

0 commit comments

Comments
 (0)