From 5daa49ef05c44ce94bed0bab0f9ba4a9e952863b Mon Sep 17 00:00:00 2001 From: Linas Vepstas Date: Thu, 8 Mar 2007 16:19:11 -0600 Subject: [SCSI] lpfc: avoid double-free during PCI error failure If a PCI error is detected that cannot be recovered from, there will be a double call of lpfc_pci_remove_one(), with the second call resulting in a null-pointer dereference. The first call occurs in lpfc_io_error_detected(), and the second call during pci device remove. This patch eliminates the first call; its un-needed. Signed-off-by: Linas Vepstas Acked-by: James Smart Signed-off-by: James Bottomley --- drivers/scsi/lpfc/lpfc_init.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'drivers/scsi') diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c index 9d014e5a81c4..057fd7e0e379 100644 --- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c @@ -1817,10 +1817,9 @@ static pci_ers_result_t lpfc_io_error_detected(struct pci_dev *pdev, struct lpfc_sli *psli = &phba->sli; struct lpfc_sli_ring *pring; - if (state == pci_channel_io_perm_failure) { - lpfc_pci_remove_one(pdev); + if (state == pci_channel_io_perm_failure) return PCI_ERS_RESULT_DISCONNECT; - } + pci_disable_device(pdev); /* * There may be I/Os dropped by the firmware. -- cgit v1.2.1 From bb9ba31ca3b88fd396e38950d1caedf2f83521c6 Mon Sep 17 00:00:00 2001 From: Joerg Dorchain Date: Tue, 6 Mar 2007 02:46:54 -0800 Subject: [SCSI] gdth: fix oops in gdth_copy_cmd() Recent alterations to the gdth_fill_raw_cmd() path no longer set the sg_ranz field for zero transfer commands. However, this field is used lower down in the function to initialise ha->cmd_len to the size of the firmware packet. If this uninitialised field contains a bogus value, ha->cmd_len can become much larger than the actual firmware packet and end up oopsing in gdth_copy_cmd() as it tries to copy this huge packet to the device (usually because it runs into an unallocated page). The fix is to initialise the sg_ranz field to zero at the start of gdth_fill_raw_cmd(). Signed-off-by: Joerg Dorchain Acked-by: "Leubner, Achim" Signed-off-by: Andrew Morton Signed-off-by: James Bottomley --- drivers/scsi/gdth.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/scsi') diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c index 8c81cec85298..60446b88f721 100644 --- a/drivers/scsi/gdth.c +++ b/drivers/scsi/gdth.c @@ -3091,6 +3091,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b) cmdp->u.raw64.direction = gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; memcpy(cmdp->u.raw64.cmd,scp->cmnd,16); + cmdp->u.raw64.sg_ranz = 0; } else { cmdp->u.raw.reserved = 0; cmdp->u.raw.mdisc_time = 0; @@ -3107,6 +3108,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b) cmdp->u.raw.direction = gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; memcpy(cmdp->u.raw.cmd,scp->cmnd,12); + cmdp->u.raw.sg_ranz = 0; } if (scp->use_sg) { -- cgit v1.2.1