Commit c3f42feb authored by Jeff Skirvin's avatar Jeff Skirvin Committed by Dan Williams

isci: Fix TMF build for SAS/SATA LUN reset cases.



In the case where a SAS or SATA LUN reset TMF is built, a NULL pointer
dereference occurred because of the (unused) callback data pointer.

Signed-off-by: default avatarJeff Skirvin <jeffrey.d.skirvin@intel.com>
Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
Signed-off-by: default avatarJacek Danecki <Jacek.Danecki@intel.com>
parent 4dc043c4
+19 −5
@@ -545,7 +545,7 @@ void isci_task_build_tmf(
	void (*tmf_sent_cb)(enum isci_tmf_cb_state,
			    struct isci_tmf *,
			    void *),
	struct isci_request *old_request)
	void *cb_data)
{
	dev_dbg(&isci_device->isci_port->isci_host->pdev->dev,
		"%s: isci_device = %p\n", __func__, isci_device);
@@ -556,9 +556,21 @@ void isci_task_build_tmf(
	tmf->tmf_code      = code;
	tmf->timeout_timer = NULL;
	tmf->cb_state_func = tmf_sent_cb;
	tmf->cb_data       = old_request;
	tmf->io_tag        = old_request->io_tag;
	tmf->cb_data       = cb_data;
}

void isci_task_build_abort_task_tmf(
	struct isci_tmf *tmf,
	struct isci_remote_device *isci_device,
	enum isci_tmf_function_codes code,
	void (*tmf_sent_cb)(enum isci_tmf_cb_state,
			    struct isci_tmf *,
			    void *),
	struct isci_request *old_request)
{
	isci_task_build_tmf(tmf, isci_device, code, tmf_sent_cb,
			    (void *)old_request);
	tmf->io_tag = old_request->io_tag;
}

static struct isci_request *isci_task_get_request_from_task(
@@ -1300,8 +1312,10 @@ int isci_task_abort_task(struct sas_task *task)
		 */
	} else {
		/* Fill in the tmf stucture */
		isci_task_build_tmf(&tmf, isci_device, isci_tmf_ssp_task_abort,
				    isci_abort_task_process_cb, old_request);
		isci_task_build_abort_task_tmf(&tmf, isci_device,
					       isci_tmf_ssp_task_abort,
					       isci_abort_task_process_cb,
					       old_request);

		spin_unlock_irqrestore(&isci_host->scic_lock, flags);
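Review bot: The new `isci_task_build_abort_task_tmf()` still dereferences `old_request` unconditionally at `tmf->io_tag = old_request->io_tag;`, so the NULL dereference this commit removes from the LUN-reset path now sits behind a precondition that is not written down anywhere in the visible code. A kernel-doc comment on the new function should state that `old_request` must be non-NULL and that it is stored as `cb_data`, or the assignment should be guarded, for example `if (old_request) tmf->io_tag = old_request->io_tag;`. Separately, `isci_task_build_tmf()` no longer writes `tmf->io_tag`, so callers that build a LUN reset get whatever the struct already holds unless the lines between the first two hunks (not shown here) zero it; that should be confirmed before relying on the field. The `(void *)` cast on `old_request` in the wrapper is not needed in C and can be dropped.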

+9 −0
@@ -218,6 +218,15 @@ int isci_queuecommand(
int isci_bus_reset_handler(struct scsi_cmnd *cmd);

void isci_task_build_tmf(
	struct isci_tmf *tmf,
	struct isci_remote_device *isci_device,
	enum isci_tmf_function_codes code,
	void (*tmf_sent_cb)(enum isci_tmf_cb_state,
			    struct isci_tmf *,
			    void *),
	void *cb_data);

void isci_task_build_abort_task_tmf(
	struct isci_tmf *tmf,
	struct isci_remote_device *isci_device,
	enum isci_tmf_function_codes code,