diff options
| author | David S. Miller <davem@davemloft.net> | 2013-08-02 03:08:34 +0200 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-08-02 03:08:34 +0200 |
| commit | 21af8107f27878813d0364733c0b08813c2c192a (patch) | |
| tree | 5a5f4867228e9e394ef9dc75f59878eba268eaf7 /drivers/scsi/bvme6000_scsi.c | |
| parent | sparc64: Fix not SRA'ed %o5 in 32-bit traced syscall (diff) | |
| download | linux-21af8107f27878813d0364733c0b08813c2c192a.tar.xz linux-21af8107f27878813d0364733c0b08813c2c192a.zip | |
esp_scsi: Fix tag state corruption when autosensing.
Meelis Roos reports a crash in esp_free_lun_tag() in the presense
of a disk which has died.
The issue is that when we issue an autosense command, we do so by
hijacking the original command that caused the check-condition.
When we do so we clear out the ent->tag[] array when we issue it via
find_and_prep_issuable_command(). This is so that the autosense
command is forced to be issued non-tagged.
That is problematic, because it is the value of ent->tag[] which
determines whether we issued the original scsi command as tagged
vs. non-tagged (see esp_alloc_lun_tag()).
And that, in turn, is what trips up the sanity checks in
esp_free_lun_tag(). That function needs the original ->tag[] values
in order to free up the tag slot properly.
Fix this by remembering the original command's tag values, and
having esp_alloc_lun_tag() and esp_free_lun_tag() use them.
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/scsi/bvme6000_scsi.c')
0 files changed, 0 insertions, 0 deletions