> > In StorVSC, payload->range.len is used to indicate if this SCSI
> > command carries payload. This data is allocated as part of the private
> > driver data by the upper layer and may get passed to lower driver
> > uninitialized.
>
> I had always thought the private driver data *is* initialized to zero by the
> upper layer. Indeed, scsi_queue_rq() calls scsi_prepare_cmd(), which zeros the
> private driver data as long as the driver does not specify a custom function to
> do the initialization (and storvsc does not). So I'm curious -- what's the
> execution path where this initialization doesn't happen?
>
> Michael

SCSI mid layer may send commands to lower driver without initializing private
data. For example, scsi_send_eh_cmnd() may send TEST_UNIT_READY and
REQUEST_SENSE to lower layer driver without initializing private data. I don't
know if there are other places doing similar things outside scsi_error.c, but
storvsc is already calling memset() on its private data:

(in storvsc_queuecommand)
memset(&cmd_request->vstor_packet, 0, sizeof(struct vstor_packet));

The assumption is that private data is not guaranteed to be 0.

Long
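A small model of the reuse scenario Long describes, added here as an illustration and not code from the thread or from storvsc: the struct names are hypothetical, the mid layer's zeroing and the error-handler submission path are simulated, and a stale range.len left by an earlier command is planted to stand in for the uninitialized state.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the per-command private area; the real
 * vstor_packet layout is not reproduced here. range.len != 0 means
 * "this command carries a data payload", as in the thread. */
struct range { uint32_t offset; uint32_t len; };
struct priv  { struct range range; uint8_t opcode; };

/* A command slot reused across requests, like the mid layer's
 * per-command private data. */
struct cmd_slot { struct priv priv; };

/* Models scsi_prepare_cmd(): the normal queue_rq path zeroes the
 * private data before the lower driver sees it. */
static void prepare_cmd(struct cmd_slot *s) {
    memset(&s->priv, 0, sizeof s->priv);
}

/* Lower-driver entry in the fixed form: clears its own private area
 * instead of trusting the caller, then checks the payload flag. */
static int queuecommand_fixed(struct cmd_slot *s, uint8_t opcode) {
    memset(&s->priv, 0, sizeof s->priv);
    s->priv.opcode = opcode;
    return s->priv.range.len != 0;
}

/* Same entry without the memset: it reads whatever the slot held. */
static int queuecommand_trusting(struct cmd_slot *s, uint8_t opcode) {
    s->priv.opcode = opcode;
    return s->priv.range.len != 0;
}

/* Constructed scenario: a slot first carries a data command, then an
 * error-handler style submission (no prepare_cmd(), as with
 * scsi_send_eh_cmnd()) issues TEST_UNIT_READY, which carries no data.
 * Returns 1 if the driver wrongly believes a payload is attached. */
int stale_slot_has_payload(int use_fixed) {
    struct cmd_slot s;
    prepare_cmd(&s);
    s.priv.range.len = 4096;        /* earlier READ carried 4 KiB of data */
    /* EH path: prepare_cmd() is skipped before the TEST_UNIT_READY (0x00) */
    return use_fixed ? queuecommand_fixed(&s, 0x00)
                     : queuecommand_trusting(&s, 0x00);
}
```

Only the driver-side memset makes the result independent of which mid-layer path delivered the command.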