From c3f42feb0c3d20dc7007336e7de949408b93afef Mon Sep 17 00:00:00 2001 From: Jeff Skirvin Date: Fri, 4 Mar 2011 14:06:56 -0800 Subject: [PATCH] isci: Fix TMF build for SAS/SATA LUN reset cases. In the case where a SAS or SATA LUN reset TMF is built a NULL pointer dereference occurred because of the (unused) callback data pointer. Signed-off-by: Jeff Skirvin Signed-off-by: Dan Williams Signed-off-by: Jacek Danecki --- drivers/scsi/isci/task.c | 24 +++++++++++++++++++----- drivers/scsi/isci/task.h | 9 +++++++++ 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c index c781a4ab4a50..c2d74c3929fb 100644 --- a/drivers/scsi/isci/task.c +++ b/drivers/scsi/isci/task.c @@ -545,7 +545,7 @@ void isci_task_build_tmf( void (*tmf_sent_cb)(enum isci_tmf_cb_state, struct isci_tmf *, void *), - struct isci_request *old_request) + void *cb_data) { dev_dbg(&isci_device->isci_port->isci_host->pdev->dev, "%s: isci_device = %p\n", __func__, isci_device); @@ -556,9 +556,21 @@ void isci_task_build_tmf( tmf->tmf_code = code; tmf->timeout_timer = NULL; tmf->cb_state_func = tmf_sent_cb; - tmf->cb_data = old_request; - tmf->io_tag = old_request->io_tag; + tmf->cb_data = cb_data; +} +void isci_task_build_abort_task_tmf( + struct isci_tmf *tmf, + struct isci_remote_device *isci_device, + enum isci_tmf_function_codes code, + void (*tmf_sent_cb)(enum isci_tmf_cb_state, + struct isci_tmf *, + void *), + struct isci_request *old_request) +{ + isci_task_build_tmf(tmf, isci_device, code, tmf_sent_cb, + (void *)old_request); + tmf->io_tag = old_request->io_tag; } static struct isci_request *isci_task_get_request_from_task( @@ -1300,8 +1312,10 @@ int isci_task_abort_task(struct sas_task *task) */ } else { /* Fill in the tmf stucture */ - isci_task_build_tmf(&tmf, isci_device, isci_tmf_ssp_task_abort, - isci_abort_task_process_cb, old_request); + isci_task_build_abort_task_tmf(&tmf, isci_device, + isci_tmf_ssp_task_abort, + isci_abort_task_process_cb, + old_request); spin_unlock_irqrestore(&isci_host->scic_lock, flags); diff --git a/drivers/scsi/isci/task.h b/drivers/scsi/isci/task.h index 5a5a4ec2dc90..4c2a27eede49 100644 --- a/drivers/scsi/isci/task.h +++ b/drivers/scsi/isci/task.h @@ -218,6 +218,15 @@ int isci_queuecommand( int isci_bus_reset_handler(struct scsi_cmnd *cmd); void isci_task_build_tmf( + struct isci_tmf *tmf, + struct isci_remote_device *isci_device, + enum isci_tmf_function_codes code, + void (*tmf_sent_cb)(enum isci_tmf_cb_state, + struct isci_tmf *, + void *), + void *cb_data); + +void isci_task_build_abort_task_tmf( struct isci_tmf *tmf, struct isci_remote_device *isci_device, enum isci_tmf_function_codes code, -- 2.20.1