* [PATCH] [SCSI] sd: fix crash when UA received on DIF enabled device
@ 2012-11-02 13:38 Ewan D. Milne
2012-11-06 22:48 ` Martin K. Petersen
0 siblings, 1 reply; 3+ messages in thread
From: Ewan D. Milne @ 2012-11-02 13:38 UTC (permalink / raw)
To: linux-scsi
From: "Ewan D. Milne" <emilne@redhat.com>
sd_prep_fn will allocate a larger CDB for the command via mempool_alloc
for devices using DIF type 2 protection. This CDB was being freed
in sd_done, which results in a kernel crash if the command is retried
due to a UNIT ATTENTION. This change moves the code to free the larger
CDB into sd_unprep_fn instead, which is invoked after the request is
complete.
It is no longer necessary to call scsi_print_command separately for
this case as the ->cmnd will no longer be NULL in the normal code path.
Also removed conditional test for DIF type 2 when freeing the larger
CDB because the protection_type could have been changed via sysfs while
the command was executing.
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
---
drivers/scsi/sd.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 6f0a4c6..00a366a 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -658,10 +658,17 @@ static int scsi_setup_flush_cmnd(struct scsi_device *sdp, struct request *rq)
static void sd_unprep_fn(struct request_queue *q, struct request *rq)
{
+ struct scsi_cmnd *SCpnt = rq->special;
+
if (rq->cmd_flags & REQ_DISCARD) {
free_page((unsigned long)rq->buffer);
rq->buffer = NULL;
}
+ if (SCpnt->cmnd != rq->cmd) {
+ mempool_free(SCpnt->cmnd, sd_cdb_pool);
+ SCpnt->cmnd = NULL;
+ SCpnt->cmd_len = 0;
+ }
}
/**
@@ -1525,21 +1532,6 @@ static int sd_done(struct scsi_cmnd *SCpnt)
if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt))
sd_dif_complete(SCpnt, good_bytes);
- if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type)
- == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) {
-
- /* We have to print a failed command here as the
- * extended CDB gets freed before scsi_io_completion()
- * is called.
- */
- if (result)
- scsi_print_command(SCpnt);
-
- mempool_free(SCpnt->cmnd, sd_cdb_pool);
- SCpnt->cmnd = NULL;
- SCpnt->cmd_len = 0;
- }
-
return good_bytes;
}
--
1.7.11.7
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] [SCSI] sd: fix crash when UA received on DIF enabled device
2012-11-02 13:38 [PATCH] [SCSI] sd: fix crash when UA received on DIF enabled device Ewan D. Milne
@ 2012-11-06 22:48 ` Martin K. Petersen
2013-07-10 19:52 ` Ewan Milne
0 siblings, 1 reply; 3+ messages in thread
From: Martin K. Petersen @ 2012-11-06 22:48 UTC (permalink / raw)
To: Ewan D. Milne; +Cc: linux-scsi
>>>>> "Ewan" == Ewan D Milne <emilne@redhat.com> writes:
Ewan> sd_prep_fn will allocate a larger CDB for the command via
Ewan> mempool_alloc for devices using DIF type 2 protection. This CDB
Ewan> was being freed in sd_done, which results in a kernel crash if the
Ewan> command is retried due to a UNIT ATTENTION. This change moves the
Ewan> code to free the larger CDB into sd_unprep_fn instead, which is
Ewan> invoked after the request is complete.
The 32-byte CDB support predates unprep. This fix is obviously the
correct approach.
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] [SCSI] sd: fix crash when UA received on DIF enabled device
2012-11-06 22:48 ` Martin K. Petersen
@ 2013-07-10 19:52 ` Ewan Milne
0 siblings, 0 replies; 3+ messages in thread
From: Ewan Milne @ 2013-07-10 19:52 UTC (permalink / raw)
To: linux-scsi; +Cc: James Bottomley
On Tue, 2012-11-06 at 17:48 -0500, Martin K. Petersen wrote:
> >>>>> "Ewan" == Ewan D Milne <emilne@redhat.com> writes:
>
> Ewan> sd_prep_fn will allocate a larger CDB for the command via
> Ewan> mempool_alloc for devices using DIF type 2 protection. This CDB
> Ewan> was being freed in sd_done, which results in a kernel crash if the
> Ewan> command is retried due to a UNIT ATTENTION. This change moves the
> Ewan> code to free the larger CDB into sd_unprep_fn instead, which is
> Ewan> invoked after the request is complete.
>
> The 32-byte CDB support predates unprep. This fix is obviously the
> correct approach.
>
> Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
>
I don't see that this change ever made it in. Can this go in for
the 3.12 merge window?
http://marc.info/?l=linux-scsi&m=135186352200668&w=2
-Ewan
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-07-10 19:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-11-02 13:38 [PATCH] [SCSI] sd: fix crash when UA received on DIF enabled device Ewan D. Milne
2012-11-06 22:48 ` Martin K. Petersen
2013-07-10 19:52 ` Ewan Milne
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.