From: Jeff Skirvin <jeffrey.d.skirvin@intel.com>
Date: Fri, 4 Mar 2011 22:06:56 +0000 (-0800)
Subject: isci: Fix TMF build for SAS/SATA LUN reset cases.
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c3f42feb0c3d20dc7007336e7de949408b93afef;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git

isci: Fix TMF build for SAS/SATA LUN reset cases.

In the case where a SAS or SATA LUN reset TMF is built, a NULL pointer
dereference occurred because of the (unused) callback data pointer.

Signed-off-by: Jeff Skirvin <jeffrey.d.skirvin@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Jacek Danecki <Jacek.Danecki@intel.com>
---

diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c
index c781a4ab4a50..c2d74c3929fb 100644
--- a/drivers/scsi/isci/task.c
+++ b/drivers/scsi/isci/task.c
@@ -545,7 +545,7 @@ void isci_task_build_tmf(
 	void (*tmf_sent_cb)(enum isci_tmf_cb_state,
 			    struct isci_tmf *,
 			    void *),
-	struct isci_request *old_request)
+	void *cb_data)
 {
 	dev_dbg(&isci_device->isci_port->isci_host->pdev->dev,
 		"%s: isci_device = %p\n", __func__, isci_device);
@@ -556,9 +556,21 @@ void isci_task_build_tmf(
 	tmf->tmf_code      = code;
 	tmf->timeout_timer = NULL;
 	tmf->cb_state_func = tmf_sent_cb;
-	tmf->cb_data       = old_request;
-	tmf->io_tag        = old_request->io_tag;
+	tmf->cb_data       = cb_data;
+}
 
+void isci_task_build_abort_task_tmf(
+	struct isci_tmf *tmf,
+	struct isci_remote_device *isci_device,
+	enum isci_tmf_function_codes code,
+	void (*tmf_sent_cb)(enum isci_tmf_cb_state,
+			    struct isci_tmf *,
+			    void *),
+	struct isci_request *old_request)
+{
+	isci_task_build_tmf(tmf, isci_device, code, tmf_sent_cb,
+			    (void *)old_request);
+	tmf->io_tag = old_request->io_tag;
 }
 
 static struct isci_request *isci_task_get_request_from_task(
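Review bot: After this change `isci_task_build_tmf()` no longer writes `tmf->io_tag`, so a TMF built for a LUN reset keeps whatever the caller's storage held in that field. The call site in `isci_task_abort_task` passes `&tmf`, which suggests the structure lives on the stack; if the LUN-reset callers do the same and nothing zeroes it first, any later read of `io_tag` sees indeterminate data. Giving the field a defined value in the generic builder, for example `tmf->io_tag = SCI_CONTROLLER_INVALID_IO_TAG;` (assuming that constant is visible in task.c), closes this, and the abort wrapper's own assignment still overrides it afterwards. The `(void *)` cast on `old_request` in the wrapper is not needed in C. The opening lines of `isci_task_build_tmf`'s body fall between this hunk and the previous one.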
@@ -1300,8 +1312,10 @@ int isci_task_abort_task(struct sas_task *task)
 		 */
 	} else {
 		/* Fill in the tmf stucture */
-		isci_task_build_tmf(&tmf, isci_device, isci_tmf_ssp_task_abort,
-				    isci_abort_task_process_cb, old_request);
+		isci_task_build_abort_task_tmf(&tmf, isci_device,
+					       isci_tmf_ssp_task_abort,
+					       isci_abort_task_process_cb,
+					       old_request);
 
 		spin_unlock_irqrestore(&isci_host->scic_lock, flags);
 
diff --git a/drivers/scsi/isci/task.h b/drivers/scsi/isci/task.h
index 5a5a4ec2dc90..4c2a27eede49 100644
--- a/drivers/scsi/isci/task.h
+++ b/drivers/scsi/isci/task.h
@@ -218,6 +218,15 @@ int isci_queuecommand(
 int isci_bus_reset_handler(struct scsi_cmnd *cmd);
 
 void isci_task_build_tmf(
+	struct isci_tmf *tmf,
+	struct isci_remote_device *isci_device,
+	enum isci_tmf_function_codes code,
+	void (*tmf_sent_cb)(enum isci_tmf_cb_state,
+			    struct isci_tmf *,
+			    void *),
+	void *cb_data);
+
+void isci_task_build_abort_task_tmf(
 	struct isci_tmf *tmf,
 	struct isci_remote_device *isci_device,
 	enum isci_tmf_function_codes code,
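Review bot: The two prototypes now differ only in their last argument, and neither says which one a caller must use or what it may pass. A comment above `isci_task_build_tmf` such as `/* Generic TMF builder: cb_data is handed to tmf_sent_cb unchanged and may be NULL; io_tag is not set. */` and one above `isci_task_build_abort_task_tmf` such as `/* Abort-task TMF builder: old_request must be non-NULL, its io_tag is copied into the TMF. */` would record the contract that the NULL-dereference fix relies on. The remaining parameters of the second prototype are outside this hunk.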