review.tizen.org Git - platform/kernel/linux-stable.git/commit

author	David S. Miller <davem@davemloft.net>
	Fri, 2 Aug 2013 01:08:34 +0000 (18:08 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 13 Oct 2013 22:42:49 +0000 (15:42 -0700)
commit	99363a2aa104ddb42ee45c520a73a0163e4910e2
tree	737e9c98a56de9b80014d19023f9a4fead2024ef	tree \| snapshot
parent	aa33f22e3679f2dfc352a77089c11daa33db1e5b	commit \| diff

esp_scsi: Fix tag state corruption when autosensing.

[ Upstream commit 21af8107f27878813d0364733c0b08813c2c192a ]

Meelis Roos reports a crash in esp_free_lun_tag() in the presense
of a disk which has died.

The issue is that when we issue an autosense command, we do so by
hijacking the original command that caused the check-condition.

When we do so we clear out the ent->tag[] array when we issue it via
find_and_prep_issuable_command(). This is so that the autosense
command is forced to be issued non-tagged.

That is problematic, because it is the value of ent->tag[] which
determines whether we issued the original scsi command as tagged
vs. non-tagged (see esp_alloc_lun_tag()).

And that, in turn, is what trips up the sanity checks in
esp_free_lun_tag(). That function needs the original ->tag[] values
in order to free up the tag slot properly.

Fix this by remembering the original command's tag values, and
having esp_alloc_lun_tag() and esp_free_lun_tag() use them.

Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/scsi/esp_scsi.c		diff \| blob \| history
drivers/scsi/esp_scsi.h		diff \| blob \| history