scsi: sg: Re-fix off by one in sg_fill_request_table()

[sfrench/cifs-2.6.git] / drivers / scsi / sg.c

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 84e782d8e7c3f0cb8dd4c3bdedb46b7060b18f1e..aa28874e8fb92f5090d64c9ceb9523fce224eabe 100644 (file)
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -828,6 +828,39 @@ static int max_sectors_bytes(struct request_queue *q)
        return max_sectors << 9;
 }
 
+static void
+sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
+{
+       Sg_request *srp;
+       int val;
+       unsigned int ms;
+
+       val = 0;
+       list_for_each_entry(srp, &sfp->rq_list, entry) {
+               if (val >= SG_MAX_QUEUE)
+                       break;
+               rinfo[val].req_state = srp->done + 1;
+               rinfo[val].problem =
+                       srp->header.masked_status &
+                       srp->header.host_status &
+                       srp->header.driver_status;
+               if (srp->done)
+                       rinfo[val].duration =
+                               srp->header.duration;
+               else {
+                       ms = jiffies_to_msecs(jiffies);
+                       rinfo[val].duration =
+                               (ms > srp->header.duration) ?
+                               (ms - srp->header.duration) : 0;
+               }
+               rinfo[val].orphan = srp->orphan;
+               rinfo[val].sg_io_owned = srp->sg_io_owned;
+               rinfo[val].pack_id = srp->header.pack_id;
+               rinfo[val].usr_ptr = srp->header.usr_ptr;
+               val++;
+       }
+}
+
 static long
 sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 {
@@ -1012,38 +1045,13 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                        return -EFAULT;
                else {
                        sg_req_info_t *rinfo;
-                       unsigned int ms;
 
-                       rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
-                                                               GFP_KERNEL);
+                       rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+                                       GFP_KERNEL);
                        if (!rinfo)
                                return -ENOMEM;
                        read_lock_irqsave(&sfp->rq_list_lock, iflags);
-                       val = 0;
-                       list_for_each_entry(srp, &sfp->rq_list, entry) {
-                               if (val >= SG_MAX_QUEUE)
-                                       break;
-                               memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
-                               rinfo[val].req_state = srp->done + 1;
-                               rinfo[val].problem =
-                                       srp->header.masked_status &
-                                       srp->header.host_status &
-                                       srp->header.driver_status;
-                               if (srp->done)
-                                       rinfo[val].duration =
-                                               srp->header.duration;
-                               else {
-                                       ms = jiffies_to_msecs(jiffies);
-                                       rinfo[val].duration =
-                                               (ms > srp->header.duration) ?
-                                               (ms - srp->header.duration) : 0;
-                               }
-                               rinfo[val].orphan = srp->orphan;
-                               rinfo[val].sg_io_owned = srp->sg_io_owned;
-                               rinfo[val].pack_id = srp->header.pack_id;
-                               rinfo[val].usr_ptr = srp->header.usr_ptr;
-                               val++;
-                       }
+                       sg_fill_request_table(sfp, rinfo);
                        read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
                        result = __copy_to_user(p, rinfo,
                                                SZ_SG_REQ_INFO * SG_MAX_QUEUE);
@@ -1081,8 +1089,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                return blk_trace_setup(sdp->device->request_queue,
                                       sdp->disk->disk_name,
                                       MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
-                                      NULL,
-                                      (char *)arg);
+                                      NULL, p);
        case BLKTRACESTART:
                return blk_trace_startstop(sdp->device->request_queue, 1);
        case BLKTRACESTOP:
@@ -1233,6 +1240,7 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
        unsigned long req_sz, len, sa;
        Sg_scatter_hold *rsv_schp;
        int k, length;
+       int ret = 0;
 
        if ((!filp) || (!vma) || (!(sfp = (Sg_fd *) filp->private_data)))
                return -ENXIO;
@@ -1243,8 +1251,11 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
        if (vma->vm_pgoff)
                return -EINVAL; /* want no offset */
        rsv_schp = &sfp->reserve;
-       if (req_sz > rsv_schp->bufflen)
-               return -ENOMEM; /* cannot map more than reserved buffer */
+       mutex_lock(&sfp->f_mutex);
+       if (req_sz > rsv_schp->bufflen) {
+               ret = -ENOMEM;  /* cannot map more than reserved buffer */
+               goto out;
+       }
 
        sa = vma->vm_start;
        length = 1 << (PAGE_SHIFT + rsv_schp->page_order);
@@ -1258,7 +1269,9 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
        vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP;
        vma->vm_private_data = sfp;
        vma->vm_ops = &sg_mmap_vm_ops;
-       return 0;
+out:
+       mutex_unlock(&sfp->f_mutex);
+       return ret;
 }
 
 static void
@@ -1735,9 +1748,12 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
                    !sfp->res_in_use) {
                        sfp->res_in_use = 1;
                        sg_link_reserve(sfp, srp, dxfer_len);
-               } else if ((hp->flags & SG_FLAG_MMAP_IO) && sfp->res_in_use) {
+               } else if (hp->flags & SG_FLAG_MMAP_IO) {
+                       res = -EBUSY; /* sfp->res_in_use == 1 */
+                       if (dxfer_len > rsv_schp->bufflen)
+                               res = -ENOMEM;
                        mutex_unlock(&sfp->f_mutex);
-                       return -EBUSY;
+                       return res;
                } else {
                        res = sg_build_indirect(req_schp, sfp, dxfer_len);
                        if (res) {