[PATCH 1/1] megaraid_sas: Fix instance access in megasas_reset_timer

CC: stable

James/linux-scsi,

The following patch for scsi-misc-2.6 for megaraid_sas will fix a
potential bad pointer access in megasas_reset_timer(), when a MegaRAID
9265/9285 or 9360/9380 gets a timeout.  megasas_build_io_fusion() sets
SCp.ptr to be a struct megasas_cmd_fusion *, but then
megasas_reset_timer() was casting SCp.ptr to be a struct megasas_cmd
*, then trying to access cmd->instance, which is invalid.

Just loading instance from scmd->device->host->hostdata in
megasas_reset_timer() fixes the issue.

Signed-off-by: Adam Radford <aradford@xxxxxxxxx>

diff -Naur scsi-misc-2.6/drivers/scsi/megaraid/megaraid_sas_base.c
scsi-misc-2.6.new/drivers/scsi/megaraid/megaraid_sas_base.c
--- scsi-misc-2.6/drivers/scsi/megaraid/megaraid_sas_base.c	2011-10-13
15:35:39.563245479 -0700
+++ scsi-misc-2.6.new/drivers/scsi/megaraid/megaraid_sas_base.c	2011-10-13
15:38:15.711245124 -0700
@@ -1914,7 +1914,6 @@
 static enum
 blk_eh_timer_return megasas_reset_timer(struct scsi_cmnd *scmd)
 {
-	struct megasas_cmd *cmd = (struct megasas_cmd *)scmd->SCp.ptr;
 	struct megasas_instance *instance;
 	unsigned long flags;

@@ -1923,7 +1922,7 @@
 		return BLK_EH_NOT_HANDLED;
 	}

-	instance = cmd->instance;
+	instance = (struct megasas_instance *)scmd->device->host->hostdata;
 	if (!(instance->flag & MEGASAS_FW_BUSY)) {
 		/* FW is busy, throttle IO */
 		spin_lock_irqsave(instance->host->host_lock, flags);
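Review bot: The added line `instance = (struct megasas_instance *)scmd->device->host->hostdata;` open-codes the cast of the host private area; the SCSI midlayer helper `shost_priv(scmd->device->host)` returns the same pointer as `void *`, so the assignment needs no cast and no longer depends on the type of `hostdata`. Taking the instance from the host rather than from `SCp.ptr` is the right source here, since it is valid whichever command structure the I/O path stored in `SCp.ptr`. Separately, in the unchanged context the comment `/* FW is busy, throttle IO */` sits under `if (!(instance->flag & MEGASAS_FW_BUSY))`, which is the branch taken when the flag is not set; rewording that comment in a follow-up would make the throttling logic easier to read.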

Attachment: megaraid_sas.patch11
Description: Binary data

