From 5daa49ef05c44ce94bed0bab0f9ba4a9e952863b Mon Sep 17 00:00:00 2001 From: Linas Vepstas Date: Thu, 8 Mar 2007 16:19:11 -0600 Subject: [SCSI] lpfc: avoid double-free during PCI error failure If a PCI error is detected that cannot be recovered from, there will be a double call of lpfc_pci_remove_one(), with the second call resulting in a null-pointer dereference. The first call occurs in lpfc_io_error_detected(), and the second call during pci device remove. This patch eliminates the first call; its un-needed. Signed-off-by: Linas Vepstas Acked-by: James Smart Signed-off-by: James Bottomley diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c index 9d014e5..057fd7e0 100644 --- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c @@ -1817,10 +1817,9 @@ static pci_ers_result_t lpfc_io_error_detected(struct pci_dev *pdev, struct lpfc_sli *psli = &phba->sli; struct lpfc_sli_ring *pring; - if (state == pci_channel_io_perm_failure) { - lpfc_pci_remove_one(pdev); + if (state == pci_channel_io_perm_failure) return PCI_ERS_RESULT_DISCONNECT; - } + pci_disable_device(pdev); /* * There may be I/Os dropped by the firmware. -- cgit v0.10.2 From ba76ef246090601b783c1e6190e22b8b149a105f Mon Sep 17 00:00:00 2001 From: Judith Lebzelter Date: Fri, 9 Mar 2007 13:07:44 -0800 Subject: [SCSI] mptsas: Fix oops for insmod during kexec This fix's an oops during driver load time. mptsas_probe calls mpt_attach(over in mptbase.c). Inside that call, we read some manufacturing config pages to setup some defaults. While reading the config pages, the firmware doesn't complete the reply in time, and we have a timeout. The timeout results in hardreset handler being called. The hardreset handler calls all the fusion upper layer driver reset callback handlers. The mptsas_ioc_reset function is the callback handler in mptsas.c. So where I'm getting to, is mptsas_ioc_reset is getting called before scsi_host_alloc is called, and the pointer ioc->sh is NULL as well as the hostdata. Signed-off-by: Judith Lebzelter Acked-by: "Moore, Eric" Signed-off-by: James Bottomley diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c index 404c014..1d2d03f 100644 --- a/drivers/message/fusion/mptsas.c +++ b/drivers/message/fusion/mptsas.c @@ -815,7 +815,7 @@ mptsas_taskmgmt_complete(MPT_ADAPTER *ioc, MPT_FRAME_HDR *mf, MPT_FRAME_HDR *mr) static int mptsas_ioc_reset(MPT_ADAPTER *ioc, int reset_phase) { - MPT_SCSI_HOST *hd = (MPT_SCSI_HOST *)ioc->sh->hostdata; + MPT_SCSI_HOST *hd; struct mptsas_target_reset_event *target_reset_list, *n; int rc; @@ -827,7 +827,10 @@ mptsas_ioc_reset(MPT_ADAPTER *ioc, int reset_phase) if (reset_phase != MPT_IOC_POST_RESET) goto out; - if (!hd || !hd->ioc) + if (!ioc->sh || !ioc->sh->hostdata) + goto out; + hd = (MPT_SCSI_HOST *)ioc->sh->hostdata; + if (!hd->ioc) goto out; if (list_empty(&hd->target_reset_list)) -- cgit v0.10.2 From bb9ba31ca3b88fd396e38950d1caedf2f83521c6 Mon Sep 17 00:00:00 2001 From: Joerg Dorchain Date: Tue, 6 Mar 2007 02:46:54 -0800 Subject: [SCSI] gdth: fix oops in gdth_copy_cmd() Recent alterations to the gdth_fill_raw_cmd() path no longer set the sg_ranz field for zero transfer commands. However, this field is used lower down in the function to initialise ha->cmd_len to the size of the firmware packet. If this uninitialised field contains a bogus value, ha->cmd_len can become much larger than the actual firmware packet and end up oopsing in gdth_copy_cmd() as it tries to copy this huge packet to the device (usually because it runs into an unallocated page). The fix is to initialise the sg_ranz field to zero at the start of gdth_fill_raw_cmd(). Signed-off-by: Joerg Dorchain Acked-by: "Leubner, Achim" Signed-off-by: Andrew Morton Signed-off-by: James Bottomley diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c index 8c81cec..60446b8 100644 --- a/drivers/scsi/gdth.c +++ b/drivers/scsi/gdth.c @@ -3091,6 +3091,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b) cmdp->u.raw64.direction = gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; memcpy(cmdp->u.raw64.cmd,scp->cmnd,16); + cmdp->u.raw64.sg_ranz = 0; } else { cmdp->u.raw.reserved = 0; cmdp->u.raw.mdisc_time = 0; @@ -3107,6 +3108,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b) cmdp->u.raw.direction = gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; memcpy(cmdp->u.raw.cmd,scp->cmnd,12); + cmdp->u.raw.sg_ranz = 0; } if (scp->use_sg) { -- cgit v0.10.2