[PATCH] IB: fix use-after-free in user verbs cleanup
[linux-2.6-omap-h63xx.git] / drivers / scsi / scsi.c
index 2e7ab3ab09932c9a2d74b0f28938c65ef0df5580..d14523d7e44940689c5c7fb93567f4d865c24cf8 100644 (file)
@@ -68,6 +68,8 @@
 #include "scsi_priv.h"
 #include "scsi_logging.h"
 
+static void scsi_done(struct scsi_cmnd *cmd);
+static int scsi_retry_command(struct scsi_cmnd *cmd);
 
 /*
  * Definitions and constants.
@@ -111,6 +113,7 @@ const char *const scsi_device_types[MAX_SCSI_DEVICE_CODE] = {
        "Unknown          ",
        "RAID             ",
        "Enclosure        ",
+       "Direct-Access-RBC",
 };
 EXPORT_SYMBOL(scsi_device_types);
 
@@ -257,8 +260,6 @@ struct scsi_cmnd *scsi_get_command(struct scsi_device *dev, int gfp_mask)
 
                memset(cmd, 0, sizeof(*cmd));
                cmd->device = dev;
-               cmd->state = SCSI_STATE_UNUSED;
-               cmd->owner = SCSI_OWNER_NOBODY;
                init_timer(&cmd->eh_timeout);
                INIT_LIST_HEAD(&cmd->list);
                spin_lock_irqsave(&dev->list_lock, flags);
@@ -489,7 +490,7 @@ void scsi_log_completion(struct scsi_cmnd *cmd, int disposition)
                        scsi_print_command(cmd);
                        if (status_byte(cmd->result) & CHECK_CONDITION) {
                                /*
-                                * XXX The print_sense formatting/prefix
+                                * XXX The scsi_print_sense formatting/prefix
                                 * doesn't match this function.
                                 */
                                scsi_print_sense("", cmd);
@@ -542,7 +543,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
                 * that the device is no longer present */
                cmd->result = DID_NO_CONNECT << 16;
                atomic_inc(&cmd->device->iorequest_cnt);
-               scsi_done(cmd);
+               __scsi_done(cmd);
                /* return 0 (because the command has been processed) */
                goto out;
        }
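Review bot: The switch to `__scsi_done(cmd)` on the device-gone path bypasses the timer handling that scsi_done() does first (its own comment on this page reads "We don't have to worry about this one timing out any more"), and nothing here records why that is safe. It is correct only if no timeout timer has been armed for cmd at this point in scsi_dispatch_cmd(), which the hunk does not show; the function body starts and ends outside it. I would extend the existing comment, e.g. `/* timer not started yet, so complete directly instead of via scsi_done() */`, so that a later reordering of the timer setup cannot leave a live timer pointing at an already completed command.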
@@ -608,10 +609,6 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
         * We will use a queued command if possible, otherwise we will
         * emulate the queuing and calling of completion function ourselves.
         */
-
-       cmd->state = SCSI_STATE_QUEUED;
-       cmd->owner = SCSI_OWNER_LOWLEVEL;
-
        atomic_inc(&cmd->device->iorequest_cnt);
 
        /*
@@ -638,10 +635,12 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
        }
        spin_unlock_irqrestore(host->host_lock, flags);
        if (rtn) {
-               atomic_inc(&cmd->device->iodone_cnt);
-               scsi_queue_insert(cmd,
-                               (rtn == SCSI_MLQUEUE_DEVICE_BUSY) ?
-                                rtn : SCSI_MLQUEUE_HOST_BUSY);
+               if (scsi_delete_timer(cmd)) {
+                       atomic_inc(&cmd->device->iodone_cnt);
+                       scsi_queue_insert(cmd,
+                                         (rtn == SCSI_MLQUEUE_DEVICE_BUSY) ?
+                                         rtn : SCSI_MLQUEUE_HOST_BUSY);
+               }
                SCSI_LOG_MLQUEUE(3,
                    printk("queuecommand : request rejected\n"));
        }
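Review bot: The new `if (scsi_delete_timer(cmd))` guard carries no comment, yet its implicit else case is where the command-lifetime rule lives: presumably a zero return means the timeout has already fired and the timeout/error-handling path now owns cmd, so requeueing here would hand one command to two paths. State that above the guard, e.g. `/* timer already expired: timeout handler owns cmd, do not requeue */`. Two side effects are worth confirming. First, `iodone_cnt` is no longer incremented when the timer is gone, so the timeout path has to balance the earlier `iorequest_cnt` increment. Second, the "request rejected" message still prints when nothing was requeued. The return semantics of scsi_delete_timer() are not visible in this hunk, and scsi_dispatch_cmd() continues outside it.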
@@ -679,14 +678,12 @@ void scsi_init_cmd_from_req(struct scsi_cmnd *cmd, struct scsi_request *sreq)
 {
        sreq->sr_command = cmd;
 
-       cmd->owner = SCSI_OWNER_MIDLEVEL;
        cmd->cmd_len = sreq->sr_cmd_len;
        cmd->use_sg = sreq->sr_use_sg;
 
        cmd->request = sreq->sr_request;
        memcpy(cmd->data_cmnd, sreq->sr_cmnd, sizeof(cmd->data_cmnd));
        cmd->serial_number = 0;
-       cmd->serial_number_at_timeout = 0;
        cmd->bufflen = sreq->sr_bufflen;
        cmd->buffer = sreq->sr_buffer;
        cmd->retries = 0;
@@ -716,8 +713,6 @@ void scsi_init_cmd_from_req(struct scsi_cmnd *cmd, struct scsi_request *sreq)
        /*
         * Start the timer ticking.
         */
-       cmd->internal_timeout = NORMAL_TIMEOUT;
-       cmd->abort_reason = 0;
        cmd->result = 0;
 
        SCSI_LOG_MLQUEUE(3, printk("Leaving scsi_init_cmd_from_req()\n"));
@@ -741,7 +736,7 @@ static DEFINE_PER_CPU(struct list_head, scsi_done_q);
  *
  * This function is interrupt context safe.
  */
-void scsi_done(struct scsi_cmnd *cmd)
+static void scsi_done(struct scsi_cmnd *cmd)
 {
        /*
         * We don't have to worry about this one timing out any more.
@@ -766,9 +761,6 @@ void __scsi_done(struct scsi_cmnd *cmd)
         * Set the serial numbers back to zero
         */
        cmd->serial_number = 0;
-       cmd->serial_number_at_timeout = 0;
-       cmd->state = SCSI_STATE_BHQUEUE;
-       cmd->owner = SCSI_OWNER_BH_HANDLER;
 
        atomic_inc(&cmd->device->iodone_cnt);
        if (cmd->result)
@@ -837,7 +829,7 @@ static void scsi_softirq(struct softirq_action *h)
  *              level drivers should not become re-entrant as a result of
  *              this.
  */
-int scsi_retry_command(struct scsi_cmnd *cmd)
+static int scsi_retry_command(struct scsi_cmnd *cmd)
 {
        /*
         * Restore the SCSI command state.
@@ -889,9 +881,6 @@ void scsi_finish_command(struct scsi_cmnd *cmd)
        SCSI_LOG_MLCOMPLETE(4, printk("Notifying upper driver of completion "
                                "for device %d %x\n", sdev->id, cmd->result));
 
-       cmd->owner = SCSI_OWNER_HIGHLEVEL;
-       cmd->state = SCSI_STATE_FINISHED;
-
        /*
         * We can get here with use_sg=0, causing a panic in the upper level
         */