diff options
author | Douglas Gilbert <dgilbert@interlog.com> | 2014-11-26 18:33:48 +0100 |
---|---|---|
committer | Christoph Hellwig <hch@lst.de> | 2014-12-15 13:34:24 +0100 |
commit | d467d31f700f807ff939cab6d622867ee48c80b6 (patch) | |
tree | 7ad00d81c046ef7818b3c219799cd2b941bbd852 /drivers/scsi/scsi_debug.c | |
parent | qla2xxx: fix race in handling rport deletion during recovery causes panic (diff) | |
download | linux-d467d31f700f807ff939cab6d622867ee48c80b6.tar.xz linux-d467d31f700f807ff939cab6d622867ee48c80b6.zip |
scsi_debug: fix compare and write errors
Kernel build tools pointed out a memory leak so that has been
fixed and its error paths strengthened with a goto. Testing
showed compare and write was only working for lba=0; correcting
the length of the LBA field fixed that.
Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Diffstat (limited to 'drivers/scsi/scsi_debug.c')
-rw-r--r-- | drivers/scsi/scsi_debug.c | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index d81158b71326..2e32a4c09fbc 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -3044,18 +3044,12 @@ resp_comp_write(struct scsi_cmnd *scp, struct sdebug_dev_info *devip) u8 num; unsigned long iflags; int ret; + int retval = 0; - lba = get_unaligned_be32(cmd + 2); + lba = get_unaligned_be64(cmd + 2); num = cmd[13]; /* 1 to a maximum of 255 logical blocks */ if (0 == num) return 0; /* degenerate case, not an error */ - dnum = 2 * num; - arr = kzalloc(dnum * lb_size, GFP_ATOMIC); - if (NULL == arr) { - mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC, - INSUFF_RES_ASCQ); - return check_condition_result; - } if (scsi_debug_dif == SD_DIF_TYPE2_PROTECTION && (cmd[1] & 0xe0)) { mk_sense_invalid_opcode(scp); @@ -3078,6 +3072,13 @@ resp_comp_write(struct scsi_cmnd *scp, struct sdebug_dev_info *devip) mk_sense_buffer(scp, ILLEGAL_REQUEST, INVALID_FIELD_IN_CDB, 0); return check_condition_result; } + dnum = 2 * num; + arr = kzalloc(dnum * lb_size, GFP_ATOMIC); + if (NULL == arr) { + mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC, + INSUFF_RES_ASCQ); + return check_condition_result; + } write_lock_irqsave(&atomic_rw, iflags); @@ -3088,24 +3089,24 @@ resp_comp_write(struct scsi_cmnd *scp, struct sdebug_dev_info *devip) ret = do_device_access(scp, 0, dnum, true); fake_storep = fake_storep_hold; if (ret == -1) { - write_unlock_irqrestore(&atomic_rw, iflags); - kfree(arr); - return DID_ERROR << 16; + retval = DID_ERROR << 16; + goto cleanup; } else if ((ret < (dnum * lb_size)) && (SCSI_DEBUG_OPT_NOISE & scsi_debug_opts)) sdev_printk(KERN_INFO, scp->device, "%s: compare_write: cdb " "indicated=%u, IO sent=%d bytes\n", my_name, dnum * lb_size, ret); if (!comp_write_worker(lba, num, arr)) { - write_unlock_irqrestore(&atomic_rw, iflags); - kfree(arr); mk_sense_buffer(scp, MISCOMPARE, MISCOMPARE_VERIFY_ASC, 0); - return check_condition_result; + retval = check_condition_result; + goto cleanup; } if (scsi_debug_lbp()) map_region(lba, num); +cleanup: write_unlock_irqrestore(&atomic_rw, iflags); - return 0; + kfree(arr); + return retval; } struct unmap_block_desc { |